What is Grafana Loki?

Grigor Khachatryan
5 min read · Mar 15, 2023


A Comprehensive Guide to the Log Aggregation System.

https://github.com/grafana/loki/blob/main/docs/sources/logo_and_name.png

Introduction

In the world of observability and monitoring, logs play a crucial role in helping developers and system administrators understand what is happening within their applications and infrastructure. Grafana Loki is a log aggregation system designed to make it easy and cost-effective to store and query logs. In this article, we will discuss what Grafana Loki is, how it compares to other log aggregation systems, and how it works.

What is Grafana Loki?

Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus, a popular monitoring and alerting toolkit. Like Prometheus, Loki is designed to be simple to operate and cost-effective. Unlike many other log aggregation systems, Loki does not index the contents of logs but instead indexes a set of labels for each log stream.

Key Features of Loki

Compared to other log aggregation systems, Loki offers several advantages:

  1. No full-text indexing on logs: Loki stores compressed, unstructured logs and only indexes metadata. This makes Loki simpler to operate and cheaper to run compared to systems that index the entire contents of logs.
  2. Label-based indexing and grouping: Loki indexes and groups log streams using the same labels as Prometheus. This enables seamless switching between metrics and logs using the same labels you’re already using with Prometheus.
  3. Ideal for Kubernetes Pod logs: Loki is particularly well-suited for storing Kubernetes Pod logs, as it automatically scrapes and indexes metadata such as Pod labels.
  4. Native support in Grafana: Loki has native support in Grafana, starting from version 6.0.

Loki-based Logging Stack Components

A Loki-based logging stack consists of three main components:

  1. Promtail: The agent responsible for gathering logs and sending them to Loki.
  2. Loki: The main server that stores logs and processes queries.
  3. Grafana: The platform for querying and displaying logs.

Loki is like Prometheus but for logs, using a multidimensional label-based approach to indexing and offering a single-binary, easy-to-operate system with no dependencies. The main difference between Loki and Prometheus lies in their focus, with Loki concentrating on logs and Prometheus on metrics. Moreover, Loki delivers logs via push, while Prometheus employs a pull mechanism.

How Does Grafana Loki Work?

To understand Grafana Loki’s functionality, let’s examine the different components and their roles in the process.

1. Pull in logs with Promtail

Promtail is a log collector specifically designed for Loki. It employs the same service discovery mechanism as Prometheus and shares similar features for labeling, transforming, and filtering logs before ingestion into Loki.

Promtail can be deployed as a sidecar or a DaemonSet within a Kubernetes cluster, or it can be run as a standalone agent to collect logs from other sources. The agent extracts metadata from the logs, such as timestamps and labels, and sends them to Loki in a structured format.
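As an added example, not taken from the original article or from the Loki project, the following Promtail configuration shows what "labeling, transforming, and filtering" looks like in practice for a standalone agent tailing an nginx access log. The log path, the Loki URL, the tenant id and the nginx log format are assumptions. The pipeline parses each line with a regular expression, promotes only the low-cardinality fields (HTTP method and status) to labels, sets the entry timestamp from the log line, redacts a token query parameter before the line leaves the host, and drops health-check noise.

```yaml
# Assumed Promtail configuration (example, not the project's own file).
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /var/lib/promtail/positions.yaml   # where Promtail records how far it has read each file

clients:
  - url: http://loki:3100/loki/api/v1/push      # assumed Loki address
    tenant_id: team-a                           # sent as X-Scope-OrgID when Loki runs with auth_enabled

scrape_configs:
  - job_name: nginx
    static_configs:
      - targets:
          - localhost
        labels:
          job: nginx                            # static stream labels: few distinct values, cheap to index
          env: prod
          __path__: /var/log/nginx/access.log   # assumed path; __path__ tells Promtail which files to tail
    pipeline_stages:
      # 1. Parse the (assumed) nginx combined log line into an extracted map.
      - regex:
          expression: '^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
      # 2. Use the timestamp from the line instead of the time Promtail read it.
      - timestamp:
          source: time_local
          format: "02/Jan/2006:15:04:05 -0700"
      # 3. Promote only bounded-cardinality fields to labels. remote_addr and path are
      #    deliberately NOT labels: every distinct value would create a new stream and
      #    bloat the index. They stay in the line and are searched with filters.
      - labels:
          method:
          status:
      # 4. Redact a token carried in the query string before the line is shipped.
      #    The replace stage rewrites the captured group, so the line keeps
      #    "access_token=REDACTED".
      - replace:
          expression: 'access_token=([^&\s"]+)'
          replace: 'REDACTED'
      # 5. Drop health-check requests so they never reach Loki.
      - drop:
          expression: 'GET /healthz'
          drop_counter_reason: healthcheck
```

The order of stages matters: redaction runs before the entry is queued for the push client, so the token never reaches Loki's chunks, and the drop stage is last so its counter only reflects lines that parsed successfully.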

2. Store logs in Loki

Loki does not index the text of logs, which sets it apart from other log aggregation systems. Instead, log entries are grouped into streams and indexed with labels. This approach reduces costs and increases efficiency, as log lines are available to query within milliseconds of being received by Loki.

Loki’s storage architecture is based on the same concept as Prometheus’ time series database (TSDB), with logs organized into chunks and stored in an object store, such as Amazon S3 or Google Cloud Storage. This design enables horizontal scalability and high availability.
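As an added example (not from the article or from the Loki project), this is a minimal single-binary Loki server configuration that stores chunks in an S3 bucket and keeps the index in a local TSDB directory that is shipped to the same bucket. The bucket name, region and local directories are assumptions. The security-relevant line is `auth_enabled: true`: it makes Loki require an X-Scope-OrgID tenant header on every request and isolates each tenant's streams, but Loki itself does not verify who sends that header, so an authenticating reverse proxy in front of it is still needed.

```yaml
# Assumed Loki server configuration (example, not the project's own file).
auth_enabled: true          # require a tenant header on every request; does NOT authenticate it

server:
  http_listen_port: 3100

common:
  path_prefix: /loki        # assumed local working directory
  replication_factor: 1     # single binary; raise this when running several ingesters
  ring:
    kvstore:
      store: inmemory

schema_config:
  configs:
    - from: "2024-01-01"    # assumed schema start date
      store: tsdb            # index type (Prometheus-style TSDB index)
      object_store: s3       # chunks and shipped index files go to the object store below
      schema: v13
      index:
        prefix: index_
        period: 24h          # one index table per day

storage_config:
  tsdb_shipper:
    active_index_directory: /loki/tsdb-index   # assumed local paths
    cache_location: /loki/tsdb-cache
  aws:
    s3: s3://us-east-1/example-loki-chunks      # assumed region/bucket, credentials from the environment
    s3forcepathstyle: false
```

Because chunks in the bucket are compressed log lines rather than an index, anyone with read access to the bucket can read the logs; bucket policy and encryption at rest are part of the deployment, not something Loki adds.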

3. Use LogQL to explore logs

Loki introduces its own powerful query language called LogQL, which allows you to explore your logs efficiently. LogQL is similar to Prometheus’ PromQL, and you can run LogQL queries directly within Grafana to visualize your logs alongside other data sources, creating a unified observability experience. For those who prefer a command-line interface, Loki also offers LogCLI, allowing you to run LogQL queries from your terminal.

LogQL supports filtering, pattern matching, and aggregation, making it easy to search through large volumes of logs and extract valuable insights. For example, you can count the occurrences of specific log messages, calculate the average response time from logs, or group logs based on certain labels.

4. Alert on your logs

With Loki, you can set up alerting rules to evaluate incoming log data continuously. When a rule is triggered, Loki sends the resulting alerts to a Prometheus Alertmanager, which is responsible for deduplicating, grouping, and routing the alerts to the appropriate team members. By integrating Loki with Alertmanager, you can leverage existing alerting infrastructure and ensure that the right people receive timely notifications about important events in your logs.
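The following Loki ruler file is an added example serving both the LogQL section above and this alerting section; it is not from the article or from the Loki project. Each rule's `expr` is a LogQL metric query of the kind the LogQL section describes: counting occurrences of specific responses, regex pattern matching on the raw line, and an average extracted from a structured field, each grouped by a label. The stream labels `job`, `env` and `status`, and the logfmt field `duration_ms` in the `api` logs, are assumptions. When an expression is true for the `for` duration, the ruler sends the alert to the configured Alertmanager exactly as Prometheus would.

```yaml
# Assumed Loki ruler rules file (example, not the project's own file).
groups:
  - name: web-security
    interval: 1m                     # how often the ruler evaluates this group
    rules:
      # Count occurrences: 401/403 responses per environment over 5 minutes.
      # status is a stream label here, so it can be selected directly.
      - alert: AuthFailureSpike
        expr: |
          sum by (env) (count_over_time({job="nginx", status=~"401|403"}[5m])) > 100
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $value }} 401/403 responses in 5m in env {{ $labels.env }}"

      # Pattern matching: a case-insensitive regex line filter on the raw text.
      - alert: AuthorizationErrorsLogged
        expr: |
          sum by (env) (count_over_time({job="api"} |~ "(?i)(permission denied|invalid token)" [5m])) > 0
        for: 1m
        labels:
          severity: info
        annotations:
          summary: "authorization errors in api logs, env {{ $labels.env }}"

      # Average from log content: parse logfmt, skip lines that failed to parse,
      # unwrap the duration_ms field into a sample value and average it per env.
      - alert: SlowApiResponses
        expr: |
          avg_over_time({job="api"} | logfmt | __error__="" | unwrap duration_ms [5m]) by (env) > 500
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "avg api latency {{ $value }} ms in env {{ $labels.env }}"
```

The same three expressions, without the `> threshold` comparison, can be pasted into Grafana's Explore view or run with LogCLI to see the series that the rules evaluate.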

Conclusion

Grafana Loki is a powerful log aggregation system that offers simplicity, cost-effectiveness, and seamless integration with Prometheus and Grafana. By focusing on label-based indexing and avoiding full-text indexing, Loki delivers an easy-to-operate and scalable solution for storing and querying logs. Whether you’re working with Kubernetes Pod logs or logs from other sources, Loki provides a robust toolset for exploring, visualizing, and alerting on log data.

In summary, Grafana Loki is an excellent choice for organizations looking for a log aggregation system that is easy to set up and operate, highly scalable, and cost-effective. Its native support in Grafana, compatibility with Kubernetes, and powerful LogQL query language make it a valuable addition to any observability and monitoring stack. So, if you haven’t tried Loki yet, it’s definitely worth considering for your next log management solution.
