
Enhancing Log Analytics in Loki with Cribl Stream

February 20, 2024

First, when I mention Loki, I’m not talking about one of my favorite TV shows to binge-watch or the lead character played by Tom Hiddleston, who has arguably become one of my favorite characters in the Marvel universe. I’m talking about Loki, the highly available, cost-effective log aggregation system inspired by Prometheus. While Prometheus is focused on metrics, Loki is focused on collecting logs. Its ability to efficiently collect, store, and query logs makes it an asset for DevOps teams. I guess that makes it a favorite character in the Grafana universe.

A key aspect of Loki’s functionality is its use of labels, which are metadata tags associated with log entries. These labels provide additional context and structure to log data, enabling users to filter, search, and analyze logs based on specific criteria. Labels can be attached to log entries based on attributes such as application name, environment, deployment version, etc.

By utilizing labels effectively in Loki, users can gain deeper insights into their application’s behavior and quickly identify issues. Labels can help users correlate logs from different sources, or they can also help correlate logs to metrics and traces.

Sounds powerful to me. Maybe labels can’t help you jump to different timelines (spoiler alert), but they CAN help you jump from logs to time series data in Prometheus. That was a bit of a reach, but you get the point.

That said, manually attaching labels to log entries is tedious and time-consuming. This is where Cribl Stream comes into the picture. Cribl Stream can extract fields from various sources, such as application logs, metrics, and events, and dynamically apply relevant labels to log entries. This can save time and effort and ensure that the labels are consistent and accurate.

Slap A Label on It

Labels tend to be bad if we are talking about people, but when we are talking about labeling data to provide context to your logs in Loki, it’s a good thing! You will want to be mindful of creating too many labels or using labels with many unique values. Every distinct combination of label values is a separate stream in Loki, so high cardinality can be costly and slow. Put some thought into your labels. Static labels like host or application can be suitable, but dynamic labels should be considered more carefully.

Let’s apply labels to your logs in Cribl Stream. In many situations, there is more than one way to accomplish things with Stream. For this example, we are using the following data and several fields that we are parsing out. We will utilize a few of these fields for setting our labels.

[Screenshot: sample event with the fields parsed out of it]

It’s About the Journey

One way to add labels to your logs is in the pipeline, as your data travels through Cribl Stream. We accomplish this using an Eval function. Add an array called __labels in the Evaluate Fields section and set your labels appropriately.

[Screenshot: Eval function with the __labels array in Evaluate Fields]

Fields that begin with an __ in Cribl Stream are typically internal fields that aren’t sent to a destination; however, in this case, Loki will process this array and turn the fields into labels.
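To make the pipeline step concrete, here is an added example in plain JavaScript (the language Cribl Eval expressions are written in); it is not code from this post or from Cribl Stream itself. It models what the Eval function does: pick low-cardinality parsed fields from each event and turn them into a label set, render that set as the LogQL stream selector Loki would match it with, and, following the cardinality caveat above, count the distinct values per candidate label and the number of streams a given label choice creates. The sample events, the field names (`host`, `app`, `env`, `level`, `request_id`) and the threshold are constructed for the example. Labels are held as a key/value object, as in Loki’s push API; the exact shape Cribl expects for `__labels` should be taken from the Loki Destination documentation, not from this block.

```javascript
// Added example: a stand-alone model of the label-building step, not Cribl Stream code.
// Field names, event shape and thresholds below are constructed for illustration.

// Constructed sample events, as they might look after fields have been parsed out.
// The third event has no "level" field, to show that labels can vary per event.
const SAMPLE_EVENTS = [
  { host: "web-01", app: "checkout", env: "prod",  level: "info",  request_id: "a1b2", status: 200 },
  { host: "web-02", app: "checkout", env: "prod",  level: "error", request_id: "c3d4", status: 500 },
  { host: "web-01", app: "search",   env: "prod",                  request_id: "e5f6", status: 200 },
  { host: "web-03", app: "search",   env: "stage", level: "warn",  request_id: "g7h8", status: 404 },
];

// Fields we want to become Loki labels: low-cardinality attributes,
// not per-request identifiers such as request_id.
const LABEL_FIELDS = ["host", "app", "env", "level"];

// Build the label set for one event from the fields that are actually present.
// Loki label names must match [a-zA-Z_][a-zA-Z0-9_]*, so the key is sanitized.
function buildLabels(event, fields = LABEL_FIELDS) {
  const labels = {};
  for (const f of fields) {
    if (event[f] === undefined || event[f] === null) continue;
    const name = String(f).replace(/[^a-zA-Z0-9_]/g, "_").replace(/^([0-9])/, "_$1");
    labels[name] = String(event[f]);
  }
  return labels;
}

// Render a label set as a LogQL stream selector, e.g. {app="checkout", env="prod"}.
function toStreamSelector(labels) {
  const parts = Object.keys(labels)
    .sort()
    .map((k) => `${k}="${labels[k].replace(/"/g, '\\"')}"`);
  return `{${parts.join(", ")}}`;
}

// Cardinality check: distinct values per candidate label across a batch of events.
// Any label exceeding maxDistinct is flagged so it can be reviewed before it ships to Loki.
function labelCardinality(events, fields, maxDistinct = 3) {
  const distinct = {};
  for (const f of fields) distinct[f] = new Set();
  for (const ev of events) {
    for (const f of fields) {
      if (ev[f] !== undefined && ev[f] !== null) distinct[f].add(String(ev[f]));
    }
  }
  const report = {};
  for (const f of fields) {
    report[f] = { distinct: distinct[f].size, highCardinality: distinct[f].size > maxDistinct };
  }
  return report;
}

// Number of unique Loki streams a label choice would create for this batch.
function streamCount(events, fields) {
  return new Set(events.map((ev) => toStreamSelector(buildLabels(ev, fields)))).size;
}

// Stand-alone demo: show the selector per event and the cardinality report
// for the chosen labels plus request_id (which should be flagged).
for (const ev of SAMPLE_EVENTS) console.log(toStreamSelector(buildLabels(ev)));
console.log(labelCardinality(SAMPLE_EVENTS, [...LABEL_FIELDS, "request_id"]));
console.log("streams with LABEL_FIELDS:", streamCount(SAMPLE_EVENTS, LABEL_FIELDS));
console.log("streams with app+env only:", streamCount(SAMPLE_EVENTS, ["app", "env"]));
```

Running the block shows `request_id` flagged as high cardinality (one value per event) while `host`, `app`, `env` and `level` stay within the threshold, and that dropping `host` and `level` from the label set reduces the batch from four streams to three. The same comparison, run over a representative sample of your own parsed events before you populate `__labels`, is a cheap way to catch a cardinality problem before Loki does.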

Or Is It About the Destination

The other way to add labels in Loki via Cribl Stream is at the Destination. In the Post Processing section of the Loki Destination configuration, you will notice a setting named System fields. Any field you add to this list is converted to a label on the Loki side.

[Screenshot: Loki Destination Post Processing section with the System fields list]

Which Way Do I Go

Which method you choose to add labels to your logs depends on your data. Labels that appear consistently throughout the data can be set in the Loki Destination, although setting them in the pipeline can also make sense. If the data varies and different events need different labels, do it in the pipeline. The good news is you have some choice and control.

The End Results

Pretty straightforward, isn’t it? Once you have your data routed through your pipeline and off to the Loki destination, you can use Loki to search your data and view those labels using the Label Browser.

[Screenshots: Loki Label Browser showing the labels applied by Cribl Stream]

Summary

Now that you know how Cribl Stream can help, you can start unlocking deeper insights and efficient analysis in Loki. For more information on labels and Loki, Grafana has several blogs and resources on the topic. Be sure to check those out.