Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Documentation Grafana Loki LogQL Query examples

Query examples

Some useful query examples here.

Log Query examples

Examples that filter on IP address

• Return log lines that are not within a range of IPv4 addresses:

  logql Copy

  {job_name="myapp"} != ip("192.168.4.5-192.168.4.20")

• This example matches log lines with all IPv4 subnet values 192.168.4.5/16 except IP address 192.168.4.2:

  logql Copy

  {job_name="myapp"}
  	| logfmt
  	| addr = ip("192.168.4.5/16")
  	| addr != ip("192.168.4.2")

Examples that aid in security evaluation

• Extract the user and IP address of failed logins from Linux /var/log/secure

  logql Copy

  {job="security"} 
      |~ "Invalid user.*"
      | regexp "(^(?P<user>\\S+ {1,2}){8})"
      | regexp "(^(?P<ip>\\S+ {1,2}){10})"
      | line_format "IP = {{.ip}}\tUSER = {{.user}}"

• Get successful logins from Linux /var/log/secure

  logql Copy

  {job="security"}
      != "grafana_com"
      |= "session opened"
      != "sudo: "
      |regexp "(^(?P<user>\\S+ {1,2}){11})"
      | line_format "USER = {{.user}}"

Metrics Query examples

• Return the per-second rate of all non-timeout errors within the last minutes per host for the MySQL job, and only include errors whose duration is above ten seconds.

  Copy

  sum by (host) (rate({job="mysql"}
      |= "error" != "timeout"
      | json
      | duration > 10s [1m]))