Query examples
Some useful query examples here.
Log Query examples
Examples that filter on IP address
- Return log lines that are not within a range of IPv4 addresses:
  {job_name="myapp"} != ip("192.168.4.5-192.168.4.20")
- This example matches log lines with all IPv4 subnet values 192.168.4.5/16 except IP address 192.168.4.2:
  {job_name="myapp"} | logfmt | addr = ip("192.168.4.5/16") | addr != ip("192.168.4.2")
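The two queries above combine a line filter (`!= ip(...)`, applied to the raw text) with label filters (`addr = ip(...)`, applied after `logfmt` has extracted the `addr` field). The following added Python example, which is not part of the Loki documentation, reproduces that evaluation offline over constructed logfmt lines so the difference between the two filter stages is visible. The `ip_matcher` helper accepts the three pattern forms used on the page (a `start-end` range, a CIDR block, a single address); the sample lines and the `addr` field name are assumptions made for the example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed logfmt-style lines standing in for {job_name="myapp"} output.
SAMPLE_LINES = [
    'level=info msg="login ok" addr=192.168.4.5',
    'level=info msg="login ok" addr=192.168.4.2',
    'level=warn msg="login failed" addr=192.168.4.19',
    'level=info msg="login ok" addr=10.0.0.7',
    'level=info msg="login ok" addr=192.168.200.1',
]

# Dotted quads not glued to other digits or dots; validity is checked separately.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# key=value pairs, value either double-quoted (with backslash escapes) or bare.
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def _parse_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return an IPv4Address, or None when the text is not a valid IPv4 address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return addr if addr.version == 4 else None


def ip_matcher(pattern: str) -> Callable[[str], bool]:
    """Predicate for the pattern forms used with ip() on the page:
    an inclusive "start-end" range, a CIDR block, or a single address."""
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))

        def in_range(s: str) -> bool:
            a = _parse_ip(s)
            return a is not None and lo <= a <= hi
        return in_range
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)  # 192.168.4.5/16 -> 192.168.0.0/16

        def in_net(s: str) -> bool:
            a = _parse_ip(s)
            return a is not None and a in net
        return in_net
    single = ipaddress.ip_address(pattern)
    return lambda s: _parse_ip(s) == single


def parse_logfmt(line: str) -> Dict[str, str]:
    """Minimal logfmt parser: key=value pairs, values optionally double-quoted."""
    fields = {}
    for key, value in LOGFMT_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def exclude_ip_range(lines: List[str], pattern: str) -> List[str]:
    """Line filter `!= ip("a-b")`: drop lines whose text contains a matching address."""
    match = ip_matcher(pattern)
    return [ln for ln in lines if not any(match(a) for a in IPV4_RE.findall(ln))]


def addr_in_subnet_except(lines: List[str], subnet: str, excluded: str) -> List[str]:
    """Label filter chain `| logfmt | addr = ip(subnet) | addr != ip(excluded)`;
    returns the matching addr values in log order."""
    in_subnet = ip_matcher(subnet)
    is_excluded = ip_matcher(excluded)
    out = []
    for ln in lines:
        addr = parse_logfmt(ln).get("addr")
        if addr is None:
            continue  # no addr label extracted: the label filter cannot match
        if in_subnet(addr) and not is_excluded(addr):
            out.append(addr)
    return out


if __name__ == "__main__":
    print(exclude_ip_range(SAMPLE_LINES, "192.168.4.5-192.168.4.20"))
    print(addr_in_subnet_except(SAMPLE_LINES, "192.168.4.5/16", "192.168.4.2"))
```

The line filter scans every address in the raw text, so it also drops a line where the matching address appears in a field other than `addr`; the label filter only looks at the parsed `addr` value, which is why the second query needs `| logfmt` before it.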
Examples that aid in security evaluation
- Extract the user and IP address of failed logins from Linux /var/log/secure:
  {job="security"} |~ "Invalid user.*" | regexp "(^(?P<user>\\S+ {1,2}){8})" | regexp "(^(?P<ip>\\S+ {1,2}){10})" | line_format "IP = {{.ip}}\tUSER = {{.user}}"
- Get successful logins from Linux /var/log/secure:
  {job="security"} != "grafana_com" |= "session opened" != "sudo: " | regexp "(^(?P<user>\\S+ {1,2}){11})" | line_format "USER = {{.user}}"
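Both queries above rely on the fixed word layout of sshd and pam_unix messages: the `regexp` stages select the 8th and 10th whitespace-separated tokens for the failed-login case and the 11th for the session-opened case. The added Python example below, which is not from the Loki documentation, runs the same two filter chains over constructed /var/log/secure lines (source addresses taken from the RFC 5737 documentation ranges) and then counts failures per source, a summary the page's queries do not produce. It anchors the extraction on the sshd wording instead of token positions, which is an assumption of this example rather than the page's approach.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed /var/log/secure style lines (sshd and sudo via pam_unix).
SECURE_LOG = [
    "Mar 10 08:01:12 bastion sshd[2411]: Invalid user admin from 203.0.113.4 port 51122",
    "Mar 10 08:01:15 bastion sshd[2411]: Failed password for invalid user admin from 203.0.113.4 port 51122 ssh2",
    "Mar 10 08:03:40 bastion sshd[2419]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2",
    "Mar 10 08:03:40 bastion sshd[2419]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar 10 08:05:02 bastion sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
    "Mar 10 08:06:11 bastion sshd[2430]: Invalid user test from 203.0.113.9 port 51130",
    "Mar 10 08:06:30 bastion sshd[2430]: Invalid user admin from 203.0.113.4 port 51140",
]

# Named groups anchored on the message wording, in place of the page's
# token-position regexps; the extracted fields are the same.
INVALID_USER_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")
SESSION_OPENED_RE = re.compile(r"session opened for user (?P<user>\S+)")


def failed_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """(ip, user) pairs for failed logins, in log order.
    Mirrors: |~ "Invalid user.*" | regexp ... | regexp ..."""
    out = []
    for line in lines:
        if "Invalid user" not in line:  # the |~ filter is case-sensitive, so
            continue                    # "Failed password for invalid user" is skipped
        m = INVALID_USER_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def successful_logins(lines: List[str]) -> List[str]:
    """Users from "session opened" lines, excluding sudo sessions and grafana_com.
    Mirrors: != "grafana_com" |= "session opened" != "sudo: " | regexp ..."""
    out = []
    for line in lines:
        if "grafana_com" in line or "session opened" not in line or "sudo: " in line:
            continue
        m = SESSION_OPENED_RE.search(line)
        if m:
            out.append(m.group("user"))
    return out


def failures_by_source(lines: List[str]) -> Counter:
    """Failed attempts per source IP; the number a brute-force alert threshold is tuned on."""
    return Counter(ip for ip, _ in failed_logins(lines))


def render_failed(lines: List[str]) -> List[str]:
    """Same tab-separated layout as the page's line_format stage."""
    return [f"IP = {ip}\tUSER = {user}" for ip, user in failed_logins(lines)]


if __name__ == "__main__":
    print("\n".join(render_failed(SECURE_LOG)))
    print("successful:", successful_logins(SECURE_LOG))
    print("failures by source:", dict(failures_by_source(SECURE_LOG)))
```

The `"sudo: "` exclusion matters because pam_unix logs a `session opened` line for every sudo invocation as well; without it the successful-login list would count privilege escalations by already-authenticated users as logins.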
Metrics Query examples
- Return the per-second rate of all non-timeout errors within the last minute per host for the MySQL job, and only include errors whose duration is above ten seconds:
  sum by (host) (rate({job="mysql"} |= "error" != "timeout" | json | duration > 10s [1m]))
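The metrics query above runs the line filters first, parses the remaining lines as JSON, keeps those whose `duration` exceeds ten seconds, and divides the count in the one-minute window by 60 for each `host`. The added Python example below, which is not from the Loki documentation, carries out the same steps over constructed JSON entries with timestamps so the effect of each stage on the final rate can be checked. The Go-style duration parser (`"12s"`, `"1m"`, `"1500ms"`) and the sample field names are assumptions of the example.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

BASE = datetime(2024, 3, 10, 8, 0, 0, tzinfo=timezone.utc)

# Constructed (timestamp, JSON line) entries standing in for {job="mysql"} output.
ENTRIES: List[Tuple[datetime, str]] = [
    (BASE - timedelta(seconds=10), '{"host":"db1","level":"error","msg":"query failed","duration":"12s"}'),
    (BASE - timedelta(seconds=15), '{"host":"db1","level":"error","msg":"lock wait failed","duration":"1m"}'),
    (BASE - timedelta(seconds=20), '{"host":"db1","level":"error","msg":"query failed","duration":"3s"}'),
    (BASE - timedelta(seconds=30), '{"host":"db1","level":"error","msg":"connect timeout","duration":"30s"}'),
    (BASE - timedelta(seconds=40), '{"host":"db2","level":"error","msg":"query failed","duration":"11s"}'),
    (BASE - timedelta(seconds=5),  '{"host":"db2","level":"info","msg":"slow query","duration":"20s"}'),
    (BASE - timedelta(seconds=90), '{"host":"db1","level":"error","msg":"query failed","duration":"15s"}'),
]

DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_duration(text: str) -> float:
    """Go-style duration ("10s", "1500ms", "1m30s") to seconds; raises on anything else."""
    pos = 0
    total = 0.0
    for m in DURATION_RE.finditer(text):
        if m.start() != pos:  # reject stray characters between components
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def error_rate_by_host(entries: List[Tuple[datetime, str]], window_end: datetime,
                       window: timedelta = timedelta(minutes=1),
                       min_duration: float = 10.0) -> Dict[str, float]:
    """sum by (host) (rate({job="mysql"} |= "error" != "timeout" | json | duration > 10s [window]))
    evaluated at window_end; returns events per second per host."""
    window_start = window_end - window
    counts: Counter = Counter()
    for ts, line in entries:
        if not (window_start < ts <= window_end):
            continue  # outside the [1m] range
        if "error" not in line or "timeout" in line:
            continue  # line filters run on the raw text, before parsing
        try:
            fields = json.loads(line)
            duration = parse_duration(fields["duration"])
        except (ValueError, KeyError):
            continue  # lines the parser or duration filter cannot evaluate are dropped
        if duration > min_duration:
            counts[fields["host"]] += 1
    secs = window.total_seconds()
    return {host: n / secs for host, n in counts.items()}


if __name__ == "__main__":
    for host, rate in sorted(error_rate_by_host(ENTRIES, BASE).items()):
        print(f"{host}: {rate:.4f}/s")
```

Note that the `|= "error"` filter is a substring match on the whole line, so a line whose message happens to contain the word would pass even if its `level` field were `info`; filtering on the parsed field (`| json | level = "error"`) is the stricter form when the JSON is trusted to be well-formed.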