Connection
logcli --addr=LOKI_URL query '{job="job_name"}'
Connect to Loki server and run a basic query
logcli --addr=http://localhost:3100 query '{job="job_name"}'
Connect to local Loki instance
Basic Querying
logcli query '{job="job_name"}'
Query logs by job name
logcli query '{container="container_name"}'
Query logs by container name
logcli query '{namespace="kube-system"}'
Query logs by Kubernetes namespace
logcli query '{job="job_name"} |= "error"'
Query logs containing the word 'error'
Advanced Querying
logcli query '{job="job_name"} |= "error" != "timeout"'
Logs with 'error' but not 'timeout'
logcli query '{job="job_name"} |~ "error.*timeout"'
Regex matching for patterns
logcli query '{job="job_name"} |= "error" | json'
Parse logs as JSON
logcli query '{job="job_name"} | json | field_name="value"'
Filter on parsed JSON fields
logcli query --since=1h '{job="job_name"}'
Logs from the last hour
logcli query --from=2023-01-01T10:00:00Z --to=2023-01-01T11:00:00Z '{job="job_name"}'
Time range query
Log Processing
logcli query '{job="job_name"} | logfmt'
Parse logs in logfmt format
logcli query '{job="job_name"} | json | line_format "{{.field_name}}"'
Format output to show specific fields
logcli query '{job="job_name"} | pattern ""'
Extract fields using pattern matching
Aggregation and Analytics
logcli query 'rate({job="job_name"}[5m])'
Calculate rate of logs over 5 minute window
logcli query 'sum(count_over_time({job="job_name"}[5m])) by (level)'
Count logs grouped by level
logcli query 'count_over_time({job="job_name"} |= "error"[5m])'
Count error occurrences over time
Output Controls
logcli query --limit=100 '{job="job_name"}'
Limit the number of results
logcli query --tail '{job="job_name"}'
Stream logs in real-time (tail)
logcli query --output=raw '{job="job_name"}'
Output raw log lines without timestamps
logcli query --output=jsonl '{job="job_name"}'
Output logs as JSON lines