LogQL Cheatsheet

Top patterns.

Overview

LogQL is Grafana Loki’s query language. Five primitive surfaces cover almost every investigation: label selector to narrow scope by indexed labels, line filter for content matches, parser stages for structured-field extraction, metric queries that turn log streams into time series, and aggregations for cross-stream analysis.

• Label selector. {app="api", env="prod"}. Narrows scope efficiently using indexed labels.
• Line filter. |= "error", != "healthcheck", |~ "regex". Filters log content after the label selector narrows scope.
• Parser stages. | json, | logfmt extract structured fields. Field-level filtering becomes possible.
• Metric queries plus aggregations. rate(), count_over_time() turn logs into metrics; sum by(), topk() support cross-stream analysis.

The approach

Five idioms cover most LogQL use. Memorising them moves the team from full-text scrolling to surgical log investigation.

• {app="api"} |= "error". All errors from api. The starting query for most investigations.
• {app="api"} | json | level="error". Parse JSON, filter by field. Structured queries replace string matching.
• rate({app="api"} |= "error" [5m]). Error rate per second. Metric series from logs.
• count_over_time plus topk. Volume metrics over windows; topk(10, sum by(host)(rate(...))) for fast attribution to the noisy hosts.

Why this compounds

Each LogQL query teaches the data model. The team’s investigation speed deepens; label-design improves alongside query patterns; Loki cost stays controlled because queries narrow on indexed labels first.

• Faster investigation. Fluent LogQL produces fast root cause. MTTR drops on log-heavy incidents.
• Label hygiene improves. Query patterns inform label design. Queryable data emerges.
• Cost discipline. Label-narrowed queries reduce Loki query cost. Operations stay in budget.
• Year-one investment, year-two habit. First year builds fluency. By year two, LogQL is the default for log work.