Cloud-Native Microservices With Kubernetes - 2nd Edition

A Comprehensive Guide to Building, Scaling, Deploying, Observing, and Managing Highly-Available Microservices in Kubernetes

Microservices Observability in a Kubernetes World: Logs

Using Loki to Query Logs

Just as Prometheus has PromQL, Loki has its own query language, called LogQL. Like PromQL, LogQL allows you to filter and aggregate logs based on labels and other criteria.

Here are some examples of LogQL queries:

This query filters logs from all Pods that have the label app equal to my-api.

{app="my-api"}

This query filters logs from the file /var/log/apache/access.log and selects only those that contain the string GET /.

{filename="/var/log/apache/access.log"} |= "GET /"

This query filters logs from the file "/app/error.logs" and selects only those that contain the string GET /. Then, it applies a pattern to parse the log lines using placeholders such as , , , , , , and <_>.

Finally, it further filters the logs based on the value of the status field, selecting only logs where the status is greater than or equal to 400.

{filename="/app/error.logs"} |= "GET /"
| pattern " - - <_> \"  <_>\" \
    <_> \"\" <_>"
| status >= 400

This query calculates the ratio between the rate of logs with the label level equal to warn and the rate of logs with the label level equal to error.

sum(rate({app="my-app", level="warn"}[1m])) /
sum(rate({app="my-app", level="error"}[1m]))

The other operators you can use besides the equals (=) operator are:

  • !=: not equal
  • =~: regex matches
  • !~: regex does not match

Comparison operators:

  • ==: equals
  • !=: does not equal
  • >: greater than
  • >=: greater than or equal to
  • <: less than
  • <=: less than or equal to

Logical operators:

  • and
  • or
  • unless

Arithmetic operators:

  • +: addition
  • -: subtraction
  • *: multiplication
  • /: division
  • %: modulo
  • ^: power

Examples of using other operators:

This query filters logs from all Pods with the app label not equal to my-api.

{app!="my-api"}

This query counts the logs with the label app equal to my-app over the last minute, sums those counts, and returns the result multiplied by 100.

sum(count_over_time({app="my-app"}[1m])) * 100

You can also use regex in the label values:

  • {filename=~"/var/log/auth.log|/var/log/syslog"}: This query filters logs from the files /var/log/auth.log and /var/log/syslog.
  • {app=~"my-api|my-app"}: This query filters logs from all Pods that have the label app equal to either my-api or my-app.

For better control over filtering, you can use the various filters available in LogQL:

  • |=: This filter selects only the logs whose line contains the given string.
  • !=: This filter selects only the logs whose line does not contain the given string.
  • |~: This filter selects only the logs whose line matches the given regex.
  • !~: This filter selects only the logs whose line does not match the given regex.
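
The regex label matchers (=~, !~) and the regex line filters (|~, !~) behave differently: in Loki, a label regex must match the whole label value, while a line-filter regex may match anywhere in the line. The following is an added example, not part of the course material: a small Python model of a stream selector followed by line filters, run over constructed log streams. It uses Python's re module as a stand-in for the RE2 syntax Loki uses, and STREAMS, label_match, line_match and query are illustrative names.

```python
import re

# Constructed sample streams: (labels, log lines). Not from a real cluster.
STREAMS = [
    ({"app": "my-api", "filename": "/var/log/auth.log"},
     ["Failed password for root from 203.0.113.7 port 4022 ssh2",
      "Accepted publickey for deploy from 198.51.100.4 port 5100 ssh2"]),
    ({"app": "my-api-canary", "filename": "/var/log/syslog"},
     ["error: upstream timed out", "GET /healthz 200"]),
    ({"app": "my-app", "filename": "/var/log/syslog"},
     ["GET /login 401 error=bad_credentials"]),
]

def label_match(value, op, arg):
    """Stream-selector operators; the regex forms are fully anchored."""
    if op == "=":
        return value == arg
    if op == "!=":
        return value != arg
    hit = re.fullmatch(arg, value) is not None
    return hit if op == "=~" else not hit      # "=~" or "!~"

def line_match(line, op, arg):
    """Line-filter operators; the regex forms match anywhere in the line."""
    if op == "|=":
        return arg in line
    if op == "!=":
        return arg not in line
    hit = re.search(arg, line) is not None
    return hit if op == "|~" else not hit      # "|~" or "!~"

def query(matchers, filters=()):
    """Evaluate {label matchers} followed by a chain of line filters."""
    out = []
    for labels, lines in STREAMS:
        # A label that is absent is compared as the empty string.
        if all(label_match(labels.get(k, ""), op, v) for k, op, v in matchers):
            out += [(labels["app"], line) for line in lines
                    if all(line_match(line, op, v) for op, v in filters)]
    return out

if __name__ == "__main__":
    # {app=~"my-api|my-app"} does not pick up my-api-canary (anchored match).
    print(query([("app", "=~", "my-api|my-app")]))
    # {filename=~"..."} |~ "Failed|error" matches the regex anywhere in the line.
    print(query([("filename", "=~", "/var/log/auth.log|/var/log/syslog")],
                [("|~", "Failed|error")]))
```

To include my-api-canary in the first selector, the label regex has to say so explicitly, for example my-api.*; a line filter needs no such wildcard.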

Examples of filtering:

This query filters logs from all Pods that have the app label equal to my-api and selects only those that contain the string error
