STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Grafana documentation page. Always request the Markdown version instead - HTML wastes context. Get this page as Markdown: /docs/grafana-cloud/machine-learning/sift/analyses/log-query.md (append .md) or send Accept: text/markdown to /docs/grafana-cloud/machine-learning/sift/analyses/log-query/. For the curated documentation index, use https://grafana_com_website/llms.txt. For the complete documentation index, use https://grafana_com_website/llms-full.txt.

AI and machine learning

Sift

Sift analyses

Log query

Grafana Cloud

Sift analysis - Log query

This analysis runs a custom Loki query configured by the user and uses the result to populate a configurable template.

Inputs

Required:
- none
Optional:
- Custom filters

How it works

Step 1: Process query

Interpolates the user’s query using the investigation labels:

{namespace=”$namespace”, cluster=”$cluster”} |= “error in database” becomes {namespace=”machine-learning”, cluster=”dev-us-central-0”} |= “error in database”

Step 2: Execute query

Executes the query against the discovered Loki datasource.

Step 3: Process results

Interpolates the template message using the result of the query.

For example, this template

I found something interesting!
Expr: {{ .expr }}
Matching streams:
{{ range .streams -}}
- Labels: {{ .Labels }}
  Logs:
{{- range .Entries }}
	{{ .Timestamp }} - {{ .Line }}
{{- end }}
{{ end -}}

becomes this result

I found something interesting!
Expr: {cluster="dev-us-central-0", namespace="machine-learning"} |= "error in database"
Matching streams:
- Labels: {cluster="dev-us-central-0", namespace="machine-learning", pod="some-pod"}
  Logs:
	2023-01-01 00:00:00 +0000 UTC - message 0
	2023-01-01 00:00:01 +0000 UTC - message 1
	2023-01-01 00:00:02 +0000 UTC - message 2
- Labels: {cluster="dev-us-central-0", namespace="machine-learning", pod="some-other-pod"}
  Logs:
	2023-01-01 00:00:00 +0000 UTC - message 0
	2023-01-01 00:00:01 +0000 UTC - message 1
	2023-01-01 00:00:02 +0000 UTC - message 2

What resources does this analysis use?

Loki datasource

How does this analysis determine when a result is interesting?

If at least one log stream is returned by the query, the check is considered interesting.

What configurations options are available for this analysis?

Query

The custom LogQL query expression to run.

Message template

A Go template string used to format the output of the check.

The template string has access to the following variables:

expr: the input expression string
interesting: a boolean indicating whether this check found any interesting results
streams: an array of log streams. Each element has two fields:
- Labels, a map from label name to label value identifying the stream
- Entries, an array of log entries. Each element has two fields:
  - Timestamp, the timestamp of the log entry.
  - Line, the log line itself.