Delete unwanted information in log lines

In the event that sensitive, private, or unwanted information is added to your logs, you can use LogQL to create a query that identifies specific content to delete, and use the Loki API to delete those log lines. For example, you can create a query that matches all log lines that contain ten-digit numbers of the format XXX-XXX-XXXX over the last two days, to remove phone numbers that were accidentally published to your logs. When you’ve verified your query matches the lines you want to remove, you’ll pass that query to the Loki API’s delete endpoint. For more information on working with LogQL, see LogQL log queries in the Loki documentation.

In order to use the delete endpoint, you must supply a token for an access policy that grants logs deletion access. To create the needed access policy and token, you must use the Grafana Cloud Access Policies API or contact Support to install the Grafana Cloud Access Policy plugin in your Grafana stack.

NOTE: Log deletion is meant to scrub logs of unwanted content, not to reduce log usage and billing. Deleting logs after they’ve already been ingested does not affect usage volume. To learn how to control log usage, see Understanding logs usage with Grafana Explore.

Configure an access policy and create a token

You must configure an access policy with log delete privileges and a token for that access policy in order to access log deletion endpoints. Access policies replace the need for API keys to govern access at the stack or organizational level. For more information on access policies, see Grafana Cloud Access Policies.

Before you begin

You will need the following information to use the Grafana Cloud API:

  • Stack URL
  • Stack user ID

This information is available in your Grafana Loki Data Source settings. To find these settings:

  1. Go to the Cloud Portal, and click Details on the tile for the stack you want to work in.
  2. Click Details on the Loki tile.
  3. Make a note of your URL and your user ID number. These will replace the <STACK-URL> and <STACK-USER-ID> placeholders in the API calls.

Configure an access policy and token

The following steps are for use with the Grafana Cloud Access Policy plugin. To create an access policy and token using the Grafana Cloud API, see Create an access policy and Create a token in the Grafana Cloud API reference. Only users with the Admin role can configure access policies and tokens.

  1. In your Grafana Cloud stack, click Configuration (gear icon).
  2. Click the Cloud access policies tab.
  3. Click Create access policy.
  4. Enter a name for the access policy.
  5. In the Resources column, for logs, select Delete.
  6. Select Create access policy to add the access policy.
  7. Select Add token to create a token for that access policy. This will replace the <API-TOKEN> placeholder in the API calls shown below.

Use the Loki DELETE API call

Use the following endpoints to manage log line deletion. For more information on the Loki DELETE API, see the Compactor section in the Loki HTTP API reference.

CAUTION: When a delete request is executed, the change is permanent. You cannot restore deleted log lines.

Log line deletion requests

Use the following endpoint to delete log lines:

POST /loki/api/v1/delete

For example, the following call uses a Loki query with a regexp to delete all log lines with timestamps between start-time-unixtimestamp and end-time-unixtimestamp that contain strings formatted like credit card numbers.

curl -v -G -X POST 'https://<STACK-URL>/loki/api/v1/delete' \
	--data-urlencode 'query={system="creditcardpayments"} | regexp "msg=txn complete; purchase on card (?P<card_number>[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}) accepted"' \
	--data-urlencode 'start=<start-time-unixtimestamp>' \
	--data-urlencode 'end=<end-time-unixtimestamp>' \
	-u "<STACK-USER-ID>:<API-TOKEN>"
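
Because deletion is permanent, it helps to check the pattern and preview the query before submitting it. The script below is an added example, not part of the original page: it works through the phone-number case (XXX-XXX-XXXX over the last two days), tests the pattern against constructed sample lines, and sends the same query to Loki's query_range endpoint for a read-only preview before the delete call. The environment variables STACK_URL, STACK_USER_ID and API_TOKEN, the function names, and any stream selector you pass in (for example {app="signup"}) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Grafana docs. STACK_URL, STACK_USER_ID and
# API_TOKEN are environment variables standing in for the page's placeholders.

# Phone numbers shaped XXX-XXX-XXXX, bounded by non-digits so longer digit
# runs (order IDs, card numbers) are not caught. Valid in POSIX ERE and RE2.
PHONE_RE='(^|[^0-9])[0-9]{3}-[0-9]{3}-[0-9]{4}([^0-9]|$)'

# build_query SELECTOR -> LogQL: stream selector plus regex line filter.
build_query() { printf '%s |~ "%s"' "$1" "$PHONE_RE"; }

# window DAYS [NOW] -> "start end" in Unix seconds covering the last DAYS days.
window() {
  now=${2:-$(date +%s)}
  printf '%s %s' "$((now - $1 * 86400))" "$now"
}

# Constructed sample log lines for an offline check of the pattern.
sample_lines() {
  cat <<'EOF'
ts=1 msg="callback requested" phone=555-867-5309
ts=2 msg="order shipped" order=1555-123-45678
ts=3 msg="user login" user=alice
ts=4 msg="sms sent to 212-555-0147 ok"
EOF
}

# count_matches: number of stdin lines the pattern would select.
count_matches() { grep -Ec -- "$PHONE_RE" || true; }

# loki_call METHOD PATH QUERY START END: shared curl invocation.
loki_call() {
  curl -sS -G -X "$1" "https://${STACK_URL}$2" \
    --data-urlencode "query=$3" \
    --data-urlencode "start=$4" --data-urlencode "end=$5" \
    -u "${STACK_USER_ID}:${API_TOKEN}"
}

# preview: read-only look at what the query selects (assumes the token can
# also read logs; otherwise run the same query in Grafana Explore).
preview() { loki_call GET /loki/api/v1/query_range "$@"; }

# submit_delete: the permanent step; call only after reviewing preview output.
submit_delete() { loki_call POST /loki/api/v1/delete "$@"; }

# Offline self-check on the constructed lines (expects 2 of 4 to match).
echo "sample lines matched: $(sample_lines | count_matches)"
```

To use it, source the file, build the query with build_query and the time range with window 2, pass the same three values to preview, and call submit_delete only once the preview shows nothing you want to keep.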

Log deletion request list

To get a list of requested deletions:

GET /loki/api/v1/delete

For example:

curl 'https://<STACK-URL>/loki/api/v1/delete' -u "<STACK-USER-ID>:<API-TOKEN>" 

Request cancellation

To request cancellation of a deletion request before it is processed:

DELETE /loki/api/v1/delete

For example:

curl -X DELETE 'https://<STACK-URL>/loki/api/v1/delete?request_id=<request_id>' -u "<STACK-USER-ID>:<API-TOKEN>"