Query examples
Some useful query examples here.
Log Query examples
Examples that filter on IP address
-
Return log lines that are not within a range of IPv4 addresses:
{job_name="myapp"} != ip("192.168.4.5-192.168.4.20")
-
This example matches log lines with all IPv4 subnet values
192.168.4.5/16
except IP address192.168.4.2
:{job_name="myapp"} | logfmt | addr = ip("192.168.4.5/16") | addr != ip("192.168.4.2")
Examples that aid in security evaluation
-
Extract the user and IP address of failed logins from Linux
/var/log/secure
{job="security"} |~ "Invalid user.*" | regexp "(^(?P<user>\\S+ {1,2}){8})" | regexp "(^(?P<ip>\\S+ {1,2}){10})" | line_format "IP = {{.ip}}\tUSER = {{.user}}"
-
Get successful logins from Linux
/var/log/secure
{job="security"} != "grafana_com" |= "session opened" != "sudo: " |regexp "(^(?P<user>\\S+ {1,2}){11})" | line_format "USER = {{.user}}"
Metrics Query examples
-
Return the per-second rate of all non-timeout errors within the last minutes per host for the MySQL job, and only include errors whose duration is above ten seconds.
sum by (host) (rate({job="mysql"} |= "error" != "timeout" | json | duration > 10s [1m]))
Related Loki resources
Getting started with logging and Grafana Loki (APAC timezone)
Join this webinar to learn why correlating metrics and logs is critical across the development lifecycle, and how Loki helps reduce logging costs and operations overhead.
Logging with Loki: Essential configuration settings
This webinar focuses on Grafana Loki configuration including agents Promtail and Docker; the Loki server; and Loki storage for popular backends.
Observability with logs & Grafana
Discover how you can utilize, manage, and visualize log events with Grafana and Grafana’s logging application Loki.