Grafana: Search Logs


Availability

This workflow action is available on our Business and Enterprise for Incident Management pricing plans. Please contact our Sales Team to upgrade to an account with this action.

Description

Search and retrieve logs from Grafana Loki datasources using LogQL queries. This action queries your Grafana Loki logs within a specified time range and returns matching log entries along with their timestamps and labels.

During an incident, quick access to relevant logs is critical for identifying the root cause and understanding system behavior. The Grafana: Search Logs action enables your incident response team to automatically retrieve diagnostic data from your Grafana Loki logs as part of your incident workflow.

Common scenarios include:

  • Error Investigation: Automatically pull error logs from affected services when an incident is triggered to understand what went wrong
  • Performance Analysis: Retrieve logs showing slow queries, timeout errors, or resource constraints during performance incidents
  • Security Events: Pull authentication logs, access logs, or security-related events for security incidents
  • Correlation: Gather logs from multiple services to correlate events and identify cascading failures
  • Documentation: Automatically capture relevant logs and attach them to the incident for post-incident review and analysis

By automating log retrieval, your team can focus on analysis and resolution rather than manually searching through log systems, reducing mean time to resolution (MTTR).

Instructions

  1. If you have not done so already, please follow our instructions to Create an Incident Workflow.
  2. When the instructions prompt you to add actions, select this action.
  3. Enter the following Inputs and then click Save. Continue following instructions to Publish the Workflow. When the action runs, you will see the Outputs listed below.

Inputs


Field References

Fields with the {+} icon accept Field References, which can be useful for referencing incident data or outputs created in prior workflow steps. To add Field References, click {+}, or enter {{, and select relevant fields. Please see our Field References article for more information.

Name | Description
Connection Input | Select a Grafana integration from the dropdown list. If you have not yet configured a Grafana integration, please see Grafana Integration for instructions.
Data Source | Select the Grafana datasource to query for logs. The dropdown will be populated with all available datasources from your connected Grafana instance. Typically, this will be a Loki datasource.
Query | The LogQL query string to search for logs. This follows Grafana Loki's LogQL syntax. Examples: {service_name="api-gateway"} - All logs from api-gateway service
Start Time (optional) | The start time of the search range. Default: 5m (Past 5 Minutes). Choose from predefined relative times or enter a custom value. Options: 1m, 5m, 10m, 15m, 30m (minutes); 1h, 4h (hours); 1d, 2d, 7d, 14d, 30d (days).
End Time (optional) | The end time of the search range. Default: Now. Choose from predefined relative times or Now for the current time. Options: Now, 1m, 5m, 10m, 15m, 30m (minutes); 1h, 4h (hours); 1d, 2d, 7d, 14d, 30d (days).
Max Lines (optional) | The maximum number of log lines to return in the response. Default: 100. Range: 1 to 5,000. Use a lower number for faster responses; increase if you need more comprehensive log data.

Outputs

Name | Description
Logs | A JSON array containing the retrieved log entries. Each entry includes: timestamp (Unix timestamp in milliseconds); message (the log line content); labels (object containing log labels as key-value pairs). Reference this field in subsequent actions to parse, filter, or display log data.
Log Count | The total number of log entries returned. Use this to determine if results were found or if you need to adjust your query or time range.
Query Used | The exact LogQL query string that was sent to Grafana. Useful for debugging or documentation purposes.
Time Range Start | The formatted start time used for the search (e.g., now-5m or Unix timestamp).
Time Range End | The formatted end time used for the search (e.g., now or Unix timestamp).
Search Duration | The API response time in milliseconds. Indicates how long the query took to execute.
Result | Value that shows if the action was successful or not. Either "Success" or "Failed."
Result Summary | Brief description of what the action did or if it failed. Example: "Successfully retrieved 42 logs."
Error | Brief description that is populated if the action failed. Example: "Failed to retrieve logs: Datasource not found."
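
Added example (not PagerDuty's or Grafana's code): one way a script could consume the Logs output described above, grouping error lines by a label and ordering the groups by first occurrence to help spot cascading failures. The sample entries, the `summarize` and `iso_utc` helpers, and the rule that Log Count reaching Max Lines suggests truncated results are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of the "Logs" output: timestamp (Unix ms), message, labels.
SAMPLE_LOGS = json.dumps([
    {"timestamp": 1700000003000, "message": "ERROR upstream timeout calling payments",
     "labels": {"service": "api", "environment": "prod"}},
    {"timestamp": 1700000001000, "message": "FATAL db connection pool exhausted",
     "labels": {"service": "payments", "environment": "prod"}},
    {"timestamp": 1700000002000, "message": "GET /health-check 200",
     "labels": {"service": "web", "environment": "prod"}},
    {"timestamp": 1700000004000, "message": "exception: transaction failed",
     "labels": {"service": "payments", "environment": "prod"}},
    {"timestamp": 1700000005000, "message": "error: entry with no labels"},
])

# Same alternation as the page's regex example, applied case-insensitively here.
ERROR_RE = re.compile(r"error|exception|fatal", re.IGNORECASE)


def iso_utc(ms):
    """Convert a Unix timestamp in milliseconds to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def summarize(logs_json, log_count, max_lines, label="service"):
    """Group error lines by a label and order groups by first occurrence."""
    entries = json.loads(logs_json)
    groups = defaultdict(lambda: {"errors": 0, "first_ms": None})
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        if not ERROR_RE.search(e.get("message", "")):
            continue
        key = (e.get("labels") or {}).get(label, "<unlabelled>")
        g = groups[key]
        g["errors"] += 1
        if g["first_ms"] is None:
            g["first_ms"] = e["timestamp"]
    ordered = sorted(groups.items(), key=lambda kv: kv[1]["first_ms"])
    return {
        # Assumption: reaching the cap means further matching lines may be missing.
        "possibly_truncated": log_count >= max_lines,
        "timeline": [(k, v["errors"], iso_utc(v["first_ms"])) for k, v in ordered],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, log_count=5, max_lines=100))
```

When `possibly_truncated` is true, narrow the time range or raise Max Lines before treating the timeline as complete.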

Examples

Here are some common LogQL query patterns you can use:

  • Service-specific logs: {service="user-service"} or {app="checkout"}
  • Filter by log level: {service="api"} |= "ERROR" or {job="app"} |= "WARN"
  • Exclude patterns: {service="web"} != "health-check"
  • Multiple filters: {environment="prod", service="payments"} |= "failed" |= "transaction"
  • Namespace queries: {namespace="kube-system"} or {pod=~"nginx-.*"}
  • Regex matching: {service="api"} |~ "error|exception|fatal"


Tips

Start with a narrow time range: Use shorter time windows (1m-5m) for faster results, especially during active incidents.
Test your queries: Verify your LogQL queries in Grafana's Explore view before using them in workflows.
Adjust Max Lines: If you're not seeing expected results, increase the Max Lines parameter, but be aware this may slow response times.
Use specific labels: The more specific your label selectors, the faster and more relevant your results will be.
Combine with other actions: Use the Logs output with subsequent actions like "Add Note to Incident" to automatically document findings, or "Send Notification" to alert team members of specific log patterns.