
Support combined metric queries for correlation rules with LogQL

Open kelnage opened this issue 9 months ago • 0 comments

When correlating multiple queries, we can do so using Loki and LogQL by generating one metric query per log query, and combining them with OR (for event_count and value_count correlation rules) or AND (for temporal correlation rules). E.g., the following log queries:

```logql
{job=`.+`} | logfmt | fieldA=`valueA`
{job=`.+`} | json | fieldB=`valueB`
```

can be converted into an event_count correlation query with greater than or equal to 2 events with the following LogQL:

```logql
(sum(count_over_time({job=`jobA`} | logfmt | fieldA=`valueA`[$__auto]))
    or sum(count_over_time({job=`jobB`} | json | fieldB=`valueB`[$__auto]))) >= 2
```

kelnage, Jan 20 '25 12:01