The Grafana Logs panel can dynamically parse and display fields from your log lines, letting you filter and visualize specific data points without needing to pre-process your logs.
Let’s see it in action. Imagine you have logs like this, coming from a service using JSON formatting:
{"level": "info", "message": "User logged in", "user_id": "abc123", "timestamp": "2023-10-27T10:00:00Z"}
{"level": "warn", "message": "Failed login attempt", "user_id": "def456", "timestamp": "2023-10-27T10:01:00Z", "ip_address": "192.168.1.100"}
{"level": "error", "message": "Database connection lost", "error_code": 503, "timestamp": "2023-10-27T10:02:00Z"}
In Grafana, you’d configure your data source (like Loki, Elasticsearch, or Prometheus’s logcli) to query these logs. The magic happens within the Logs panel itself. Instead of just seeing a wall of text, you can tell Grafana how to extract structured fields.
Here’s how you’d set it up:
- Add a Logs Panel: In your Grafana dashboard, add a new panel and select "Logs" as the visualization type.
- Configure Data Source and Query: Choose your log data source and write a query that returns the log lines. For Loki, this might look like {job="my-service"}.
- Enable Field Parsing: In the panel’s options (usually on the right-hand side), find the "Fields" or "Log details" section. You’ll see an option to "Parse fields."
- Define Parsing Rules: This is where you tell Grafana what to look for. You can add rules based on:
  - JSON: If your logs are in JSON, Grafana can automatically parse them. Just enable "JSON" parsing. It will then present you with a list of fields found in the JSON (like level, message, user_id).
  - Logfmt: For logfmt-formatted logs (e.g., level=info msg="User logged in" user_id=abc123), enable "Logfmt" parsing.
  - Regex: For unstructured or custom formats, you can use regular expressions. For example, to extract a user ID from a line like INFO: User abc123 logged in., you might use the regex User (\w+) logged in. You’d then map the captured group (\w+) to a field name like user_id.
  - Grok: Similar to regex, Grok provides pre-defined patterns for common log formats (e.g., Apache, Syslog).
Once parsed, the extracted fields appear as clickable elements in the log lines. You can then:
- Filter: Click on a field value (e.g., user_id="abc123") to add a filter to your query, showing only logs with that specific value.
- Visualize: Use the extracted fields as labels for time-series graphs or in table panels. For instance, you could create a graph showing the count of logs by level.
- Sort: Sort log lines by a specific extracted field.
The mental model here is that Grafana isn’t just a display; it’s an active interpreter for your log data. It takes raw, often unstructured, text and, based on your instructions, breaks it down into discrete, queryable data points. This transforms logs from a simple archival system into a rich source of operational intelligence. The key is that the parsing happens client-side in your browser after the logs are fetched, meaning your log aggregation system (like Loki) doesn’t necessarily need to be aware of these specific fields for Grafana to use them.
What most people miss is that the "Regex" and "Grok" parsers in Grafana’s Logs panel support named capture groups, which significantly simplifies mapping extracted data to meaningful field names. Instead of relying on positional capture groups, you can define (?P<field_name>...) within your regex. For example, a regex like User (?P<user_id>\w+) logged in directly assigns the captured username to the field user_id, making the configuration much more readable and robust.
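To make the parsing rules above (JSON, logfmt, regex with a named capture group) and the filter/count operations concrete, here is an added Python example that mimics what the panel does client-side over the sample lines from this article. It is illustrative code written for this page, not Grafana's implementation; the `parse_line`, `filter_by` and `count_by` names and the constructed sample lines are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample lines: the article's JSON and logfmt examples, the
# unstructured line used for the regex rule, plus one line nothing matches.
SAMPLE_LINES = [
    '{"level": "info", "message": "User logged in", "user_id": "abc123", "timestamp": "2023-10-27T10:00:00Z"}',
    '{"level": "warn", "message": "Failed login attempt", "user_id": "def456", "timestamp": "2023-10-27T10:01:00Z", "ip_address": "192.168.1.100"}',
    'level=info msg="User logged in" user_id=abc123',
    'INFO: User abc123 logged in.',
    'garbage line with no structure',
]

# logfmt: key=value pairs, where the value may be a quoted string.
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Regex rule with named capture groups, as in User (?P<user_id>\w+) logged in;
# the group names become the field names, no positional mapping needed.
UNSTRUCTURED_RE = re.compile(r'^(?P<level>[A-Z]+): User (?P<user_id>\w+) logged in')


def parse_line(line):
    """Try JSON, then logfmt, then the regex rule; return extracted fields as strings."""
    stripped = line.strip()
    if stripped.startswith('{'):
        try:
            obj = json.loads(stripped)
            if isinstance(obj, dict):
                # The panel shows values as text, so numbers like 503 become "503".
                return {k: str(v) for k, v in obj.items()}
        except json.JSONDecodeError:
            pass  # not valid JSON after all; fall through to the other rules
    pairs = LOGFMT_RE.findall(stripped)
    if pairs:
        return {k: (v[1:-1] if v.startswith('"') else v) for k, v in pairs}
    match = UNSTRUCTURED_RE.match(stripped)
    if match:
        return match.groupdict()
    return {}  # no rule matched: the line is shown as plain text with no fields


def filter_by(records, field, value):
    """Equivalent of clicking a field value to filter, e.g. user_id="abc123"."""
    return [r for r in records if r.get(field) == value]


def count_by(records, field):
    """Equivalent of graphing the count of logs by an extracted field, e.g. level."""
    return Counter(r.get(field, '<none>') for r in records)


if __name__ == '__main__':
    records = [parse_line(line) for line in SAMPLE_LINES]
    print(filter_by(records, 'user_id', 'abc123'))
    print(count_by(records, 'level'))
```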
After successfully parsing and displaying fields, the next logical step is to leverage these fields for more complex querying and aggregation within your data source itself, rather than solely relying on client-side parsing for filtering.