
LogQL: Include x nr of lines before/after a match

Open hterik opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

Often when querying legacy logs that have not embraced structural logging, the data you want to find is not always nicely contained in a single log entry.

Examples may look like:

11:54:45 [info] Gazillion other log entries in the stream
11:55:00 [info] Starting vortex-concentration for
11:55:00 [info] foo
11:55:00 [info] bar
11:55:01 [info] Vortex-concentration done
11:55:01 [info] Gazillion other log entries in the stream

I want a query that can easily show me the last time vortex-concentration was done for foo. It doesn't necessarily have to return the match in a single aggregated line, just returning the match plus some lines before/after would be extremely helpful. (Something that did aggregate it into a single entry would be nice though, but let's start simple now)

Describe the solution you'd like

Using grep, one can use the --after-context (-A) / --before-context (-B) flags to achieve this. Some similar operator for LogQL would be fantastic.

I'm not too opinionated about any exact syntax or name of the operator, just suggesting something like

{log="mylog"} 
|= "Starting vortex-concentration" [keep_lines_after=5, keep_lines_before=0] 

Another alternative: Keep returning lines until a second match condition is met, with some fallbacks in case it's never met.

{log="mylog"} 
|= "Starting vortex-concentration" [keep_until_match="Vortex-concentration done", keep_until_limit=100, keep_until_time=2s] 

Describe alternatives you've considered

One possible workaround today is to use Grafana's "Show context" option, but it requires a lot of clicking.

Additional context

NA

hterik avatar Apr 06 '24 20:04 hterik
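
The two operators proposed in the opening post, applied client-side to lines that have already been fetched in forward order (for example `logcli query -o raw --forward` output). This is an added example, not part of the issue or of Loki: `with_context` and its parameters are hypothetical names, the sample lines are constructed from the excerpt above, and the `keep_until_time` fallback is left out.

```python
import re
from collections import deque

# Constructed sample, modelled on the log excerpt in the issue.
SAMPLE = """\
11:54:45 [info] Gazillion other log entries in the stream
11:55:00 [info] Starting vortex-concentration for
11:55:00 [info] foo
11:55:00 [info] bar
11:55:01 [info] Vortex-concentration done
11:55:01 [info] Gazillion other log entries in the stream
""".splitlines()


def with_context(lines, match, before=0, after=0, until=None, until_limit=100):
    """Yield one list of lines per match of `match` (hypothetical helper).

    before/after mirror grep -B/-A. If `until` is given, lines are kept up
    to and including the first line matching it, or until `until_limit`
    lines have followed the match (the fallback when it is never met).
    """
    start = re.compile(match)
    stop = re.compile(until) if until else None
    history = deque(maxlen=before)      # rolling window for the -B lines
    block, remaining = None, 0
    for line in lines:
        if block is None:
            if not start.search(line):
                history.append(line)
                continue
            block = list(history) + [line]
            history.clear()             # never emit the same line twice
            remaining = until_limit if stop else after
        else:
            block.append(line)
            remaining -= 1
            if stop is None and start.search(line):
                remaining = after       # like grep: a new match extends the context
            elif stop and stop.search(line):
                remaining = 0           # end marker found, close the block
        if remaining <= 0:
            yield block
            block = None
    if block is not None:               # stream ended inside an open block
        yield block
```

Each yielded block can then be filtered as a unit, for instance keeping only the blocks in which some line contains `foo`.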

It is really a much needed feature.

alexk-pyr avatar Aug 27 '24 12:08 alexk-pyr

Quite surprised this feature isn't demanded more

ChefYeum avatar Aug 27 '24 12:08 ChefYeum

Any news? 🤔

R-Studio avatar Apr 02 '25 09:04 R-Studio

Definitely a very important and missing feature.

smil2k avatar Apr 23 '25 16:04 smil2k

We need to be able to grep -C, -A and -B!

mathieumd avatar May 27 '25 08:05 mathieumd

Related: https://github.com/grafana/loki/issues/8539

meanderix avatar Nov 06 '25 08:11 meanderix

Here's my work-around for now on:

# base query (should be compatible with Openshift loki operator)
QUERY="{kubernetes_container_name=~\"prod-deploy-.*\"}|json|line_format \"{{.message}}\""
# filter messages for a value
FILTER="ERROR"
# number of surrounding entries (before/after)
CONTEXT=3

# invoke logcli with the initial timestamps; extra arguments are passed through via "$@"
# (LogQL needs the filter value and the line_format template as quoted strings)
logcli query -q -o raw "$QUERY|~\"$FILTER\"|line_format \"{{._timestamp}} {{.message}}\"" "$@" |
  while read -r timestamp message; do
    echo "[ $timestamp ]"
    # entries before the match
    logcli query -q -o raw "$QUERY" --to="$timestamp" --limit="$CONTEXT"
    echo "$message"
    # entries from the match timestamp onwards
    logcli query -q -o raw "$QUERY" --from="$timestamp" --forward --limit="$CONTEXT"
    echo ""
  done

IMO this is very essential functionality; especially when log data is gathered from multiple concurrent services/containers.

meanderix avatar Nov 06 '25 10:11 meanderix