You can connect Loki directly, or have it discovered automatically when you connect
Grafana. Either route gives investigations the same access — pick
whichever fits how you run Loki.
What we support
Investigations query Loki with LogQL, its query language, in two ways:
- Log queries — pull back the actual log lines: what a service was logging at the time, whether errors appeared on an endpoint, or whether a message started showing up right after a deploy.
- Metric queries over logs — LogQL can turn logs into time-series, and investigations use this to graph trends straight from your logs: an error rate climbing, request volume dropping away, the frequency of a particular message across the incident window. You get a chart of what your logs were doing even where you never set up a dedicated metric for it.
Filtering beyond your label index
Loki only indexes the stream labels you choose, but plenty of useful detail lives outside that index — in structured metadata attached to each entry, and in fields parsed out of the log body (for example with | json). Investigations use all three, so they can filter on attributes you never indexed — a request ID, a status code, a customer — not just your labels.
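The three filter sources described above, composed into one LogQL query and its metric form by a small Python helper. This is an added example, not the product's own code: the function names are hypothetical, and the label and field names (app, env, trace_id, status_code) are constructed sample values.

```python
import re

# Added example: hypothetical helper names; sample labels and fields are constructed.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def _quote(value: str) -> str:
    """Render a value as a LogQL double-quoted string literal."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'

def _pairs(filters: dict) -> list:
    """Turn {name: value} into name="value" matchers, rejecting odd names."""
    out = []
    for name, value in filters.items():
        if not _IDENT.match(name):
            raise ValueError(f"invalid label or field name: {name!r}")
        out.append(f"{name}={_quote(value)}")
    return out

def log_query(labels: dict, metadata: dict = None, parsed: dict = None) -> str:
    """Build a LogQL log query from the three filter sources.

    labels   -> stream selector (indexed; decides which streams are read)
    metadata -> structured metadata filters (not indexed, no parser needed)
    parsed   -> fields extracted from the log body by `| json`
    """
    if not labels:
        # An empty selector is the broadest possible query; refuse to build it.
        raise ValueError("stream selector needs at least one label matcher")
    query = "{" + ", ".join(_pairs(labels)) + "}"
    for expr in _pairs(metadata or {}):
        query += f" | {expr}"
    if parsed:
        query += " | json" + "".join(f" | {expr}" for expr in _pairs(parsed))
    return query

def rate_query(log_q: str, window: str = "5m") -> str:
    """Wrap a log query as a metric query: matching lines per second."""
    if not re.fullmatch(r"\d+[smhd]", window):
        raise ValueError(f"invalid range: {window!r}")
    return f"sum(rate({log_q} [{window}]))"

if __name__ == "__main__":
    q = log_query({"app": "checkout", "env": "prod"},
                  metadata={"trace_id": "abc123"},
                  parsed={"status_code": "500"})
    print(q)
    print(rate_query(q))
```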
Fast queries on high-volume logs
The cost of a Loki query comes down to its stream selector: too broad and it’s slow or rejected, too narrow and it misses data. Investigations scope the selector to the streams that matter, using what they’ve learned about your labels and their cardinality, so queries stay fast even on noisy, high-volume logs. If one does time out, they narrow it and try again rather than giving up.
Investigations learn this structure — your labels, structured metadata, parsed fields, and which labels are high-cardinality — automatically. How that works is covered in How telemetry works.
Connecting Loki
There are two ways to connect Loki. Both give investigations the same access — choose whichever matches how you run it.
Directly
Connect Loki on its own, with its endpoint and credentials:
- The URL of your Loki instance.
- Any authentication it requires — for example basic auth or a bearer token, plus a tenant ID if your Loki is multi-tenant.
Through Grafana
If your Loki already sits behind Grafana, connect Grafana and Loki is discovered automatically as one of the data sources behind it, using Grafana’s own credentials — nothing separate to configure.
Either way, Loki is disabled by default. Log queries can be broad, so you opt in deliberately — enable the Loki data sources your team uses once they’re connected.
Best practice
- Connect the Grafana dashboards that query Loki. Investigations learn your real log query patterns from them, which makes Loki queries more accurate.
- Enable the Loki data sources your responders actually reach for during incidents, rather than every source available.
Related
Grafana
The provider Loki is connected through.
How telemetry works
How investigations query your logs.