loki icon indicating copy to clipboard operation
loki copied to clipboard

Published 20 hours ago verified publisher icon grafana

Support joins on LogQL

Open vjsamuel opened this issue 3 years ago • 9 comments

What would you like to be added: Currently LogQL has robust features in being able to do counting and various aggregations on metric fields in the log lines. On PromQL, currently we have the ability to use state metrics to do joins so that metrics can be enriched at query time with additional labels that describe the source. It would be beneficial if we could do the same with LogQL.

Why is this needed: There can be external labels that define the log line more than just the labels that are coming with the log line. being able to joins allows a more robust querying experience.

https://www.section.io/blog/prometheus-querying/ provides a good read on how it is being used on PromQL today.

vjsamuel avatar Mar 31 '21 23:03 vjsamuel

Incorrectly raised in Grafana in the past: https://github.com/grafana/grafana/issues/29214

vjsamuel avatar Mar 31 '21 23:03 vjsamuel

This issue has been automatically marked as stale because it has not had any activity in the past 30 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 02 '21 17:06 stale[bot]

I'm interested in this feature as well.

job runner

The job runner receives a job that contains a correlationId (string with random letters)

It publishes debug information to Loki.

Ex:

image

Jobmaster

The job master is the only one that knows if the job succeeded.

It publishes the job result (failure/success) along with the correlation Id:

image

What I want

I want to be able to know which IPs are failing the task

Workaround

The current workaround is to query the debug information inside the task master when the job finishes.

clouedoc avatar Jan 26 '22 17:01 clouedoc

Joins definitely have value. However, we debated in the past if Loki is the tool to do these as we want to keep Loki scalable.

As I am keen to make it easier to export and import Logs. What would you think about joining or enriching logs externally through something like Spark, Kafka or server side expressions in Grafana?

jeschkies avatar Jan 27 '22 10:01 jeschkies

Hi, I don't need joins anymore since I solved my issue using Postgres instead. That being said, I'll keep your answer in mind and try server-side expressions when needing a JOIN.

clouedoc avatar Jan 30 '22 17:01 clouedoc

@clouedoc does it mean you've exported the logs to Postgres?

jeschkies avatar Feb 01 '22 09:02 jeschkies

does it mean you've exported the logs to Postgres?

@jeschkies No, I used a Node PostgreSQL client to manually send the data to my PostgreSQL database.

That being said, it would've been helpful to export Loki logs to PostgreSQL. I don't know what the idiomatic way to do this is.

clouedoc avatar Feb 01 '22 18:02 clouedoc

That being said, it would've been helpful to export Loki logs to PostgreSQL. I don't know what the idiomatic way to do this is.

There is none. However, I'm collecting use cases to build up a case.

jeschkies avatar Feb 02 '22 10:02 jeschkies

+1 on having the ability to do a join on a query. Here's an example of where I'd use it. We have log events that can contain two IDs, callId and traceId. I want to create a dashboard where the only input is a callId or even better, multiple call IDs, and have that return all logs that 1. contain that callId and 2. contain the traceId from all the logs in item 1.

Simple log example:

{
  environment: prod
  textPayload: callId = 36c550e2-31cb-43b6-98a7-accb72ac3105
  traceId: e94e6f6ab012cee08aca903b496d6355
}

{
  environment: prod
  textPayload: 	Current user is abc123
  traceId: e94e6f6ab012cee08aca903b496d6355
}
{
  environment: prod
  textPayload: 	Some other interesting message that does not contain a callId
  traceId: e94e6f6ab012cee08aca903b496d6355
}

Today, I would have to do this manually. I might first create a query like

{environment="prod"}
|= "36c550e2-31cb-43b6-98a7-accb72ac3105"
| json
| line_format "{{.textPayload}}"

Then gather all of the traceIds that show up, and then switch the query to search for those:

{environment="prod"}
|= "e94e6f6ab012cee08aca903b496d6355"
| json
| line_format "{{.textPayload}}"

If a join operator was available in LogQL, I think this could be done with a single query.

maxdialpad avatar Aug 04 '22 23:08 maxdialpad

Vote for the request.

soh-tetsu avatar Mar 13 '23 01:03 soh-tetsu

Looking to get all logs based on a search and then get all the logs from that results traceIds

Phara0h avatar Jul 28 '23 15:07 Phara0h

Vote for Loki Joins..... without joins - what is the point of the data repo.

nadeda01 avatar Aug 07 '23 13:08 nadeda01

Still wishing for this - at this point I need to extract the logs and then submit another query based on output - I feel like I am back in the days of punch cards. I know there are better tools for this - but this tool is being pushed on us from the top.

nadeda01 avatar Sep 01 '23 15:09 nadeda01