Loki: LogQL Cookbook
Examples of LogQL queries for generating metrics from logs in Loki.
Metric queries
Using ‘topk’
Get the top 10 alerts (by count) over the last week by counting the number of log lines - use an Instant query with the following LogQL:
# Instant query
topk(10, sum by(labels_alertname, ruleUID) (count_over_time({from="state-history"} | json | current = `Alerting` [1w])))
Use topk to get the top 20 users by total bytes queried, by unwrapping the total_bytes field from each log line:
# Instant query
topk(20, sum by (grafana_username) (sum_over_time({org_id="12345"} |= "query event" | logfmt | unwrap bytes(total_bytes)[$__range])))
Join by label, with unless
Find all jobs which started, but didn’t finish:
sum by (jobId) (
  count_over_time({service_name="loki-alert-missing-log"} | logfmt | event=`started` [12h])
)
unless
sum by (jobId) (
  count_over_time({service_name="loki-alert-missing-log"} | logfmt | event=`completed-successfully` [12h])
)
> 0
This should return a table of results like the following (presented here as CSV), correctly identifying the job whose ID ends in 7671 as the one that didn’t complete:
"Time","jobId","Value #combined"
2025-02-20 11:23:30,64061cd8-9a0c-43bd-a451-e1f6e6ac7671,1
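To see what the unless join does with the jobId label, here is an added Python emulation of the query above (not code from the original page or from Loki). The log lines, job names and function names are constructed for illustration. Evaluating at two different times shows that a job still in flight at query time is reported the same way as one that never finished.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in logfmt (timestamp first), not from the page.
SAMPLE_LINES = [
    "2025-02-19T22:00:00+00:00 event=started jobId=job-old",
    "2025-02-20T09:00:00+00:00 event=started jobId=job-a",
    "2025-02-20T09:05:00+00:00 event=completed-successfully jobId=job-a",
    "2025-02-20T10:00:00+00:00 event=started jobId=job-b",
    "2025-02-20T11:20:00+00:00 event=started jobId=job-c",
    "2025-02-20T11:21:00+00:00 event=completed-successfully jobId=job-c",
]

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split 'timestamp key=value ...' into (datetime, dict of fields)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in PAIR.findall(rest)}
    return datetime.fromisoformat(ts), fields

def count_by_job(lines, event, now, window):
    """Emulates: sum by (jobId) (count_over_time({...} | logfmt | event=`X` [window]))."""
    counts = Counter()
    for ts, fields in map(parse, lines):
        # The range covers (now - window, now]; lines written later are not visible yet.
        # Lines without a jobId field are skipped (a simplification of this sketch).
        if now - window < ts <= now and fields.get("event") == event and "jobId" in fields:
            counts[fields["jobId"]] += 1
    return counts

def unfinished_jobs(lines, now, window=timedelta(hours=12)):
    """Emulates 'started unless completed > 0': keep left-hand series whose
    jobId label has no matching series on the right-hand side."""
    started = count_by_job(lines, "started", now, window)
    done = count_by_job(lines, "completed-successfully", now, window)
    completed = {job for job, n in done.items() if n > 0}
    return {job: n for job, n in started.items() if job not in completed}

if __name__ == "__main__":
    for when in ("2025-02-20T11:23:30+00:00", "2025-02-20T11:20:30+00:00"):
        print(when, unfinished_jobs(SAMPLE_LINES, datetime.fromisoformat(when)))
```

job-old is ignored because its started line falls outside the 12h window, which is why the range should be longer than the longest expected job runtime.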