Intro
By Owen Diehl
What is Loki?
Loki is an open source log aggregator with a narrow focus: to help you understand your applications. It’s built for the needs of software operators and has been continuously refined in the course of scaling Grafana Labs. It’s the tool we built for ourselves, seamlessly integrating with open source tools. It is cloud first, Kubernetes first, Prometheus first.
In other words, Loki is a time series database for strings.
What are time series?
A time series is a sequence of events, each occurring at a specific time. In our case, these events are log lines, and most of Loki’s internal structure can be simplified to (timestamp, log line) events. These are then grouped by their source via labels (key, value pairs) that denote where they came from.
# These logs belong to a frontend webserver
# in the dev environment of the us-east region
{app="frontend", environment="dev", region="us-east"}
2022-05-09:14:00:00 => "frontend starting"
2022-05-09:14:00:01 => "setup complete"
2022-05-09:14:00:01 => "frontend available"
2022-05-09:14:00:02 => "served /asset/foo (200)"
# These logs belong to an API server
# in the prod environment of the same region
{app="api", environment="prod", region="us-east"}
2022-05-09:14:00:00 => "api starting"
2022-05-09:14:00:00 => "setup complete"
2022-05-09:14:00:00 => "api available"
2022-05-09:14:00:00 => "served GET /users/1 (200)"
On the surface, time series log data can answer "What were the logs while my application was suffering?", but that is only the beginning. It can also answer "What percentage of requests were errors over this same period?", "Did we see latency problems corresponding to the new app version?" or "What part of our API is accessed the most?" Anything that we log can be turned into values, manipulated, graphed over time, and compared with other metrics. Want to know if your errors subsided as soon as your cloud provider came back online? Easy.
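To make the data model concrete, the following added example (not Loki's code or API) groups (timestamp, log line) entries into streams by label set and turns them into a per-minute error ratio. The function names, the ISO timestamps, the extra log lines and the trailing "(status)" convention are assumptions built on the sample streams above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data, modelled on the streams shown above (ISO timestamps).
API = {"app": "api", "environment": "prod", "region": "us-east"}
WEB = {"app": "frontend", "environment": "dev", "region": "us-east"}
SAMPLE = [
    (API, "2022-05-09T14:00:00", "api starting"),
    (API, "2022-05-09T14:00:05", "served GET /users/1 (200)"),
    (API, "2022-05-09T14:00:20", "served GET /users/2 (500)"),
    (API, "2022-05-09T14:00:40", "served GET /users/1 (200)"),
    (API, "2022-05-09T14:00:50", "served GET /users/3 (200)"),
    (API, "2022-05-09T14:01:10", "served GET /users/1 (503)"),
    (API, "2022-05-09T14:01:30", "served GET /users/1 (500)"),
    (WEB, "2022-05-09T14:00:02", "served /asset/foo (200)"),
    (WEB, "2022-05-09T14:00:30", "served /asset/bar (500)"),
]
STATUS = re.compile(r"\((\d{3})\)\s*$")  # trailing "(200)"-style status code

def build_streams(entries):
    """Group (labels, timestamp, line) entries into streams keyed by label set."""
    streams = defaultdict(list)
    for labels, ts, line in entries:
        streams[frozenset(labels.items())].append((datetime.fromisoformat(ts), line))
    for series in streams.values():
        series.sort(key=lambda e: e[0])  # keep each stream in time order
    return dict(streams)

def select(streams, **matchers):
    """Yield entries of every stream whose labels include all given key=value pairs."""
    want = set(matchers.items())
    for label_set, series in streams.items():
        if want <= label_set:
            yield from series

def error_ratio_per_minute(entries):
    """Turn log lines into values: share of request lines with a 5xx status, per minute."""
    totals, errors = defaultdict(int), defaultdict(int)
    for ts, line in entries:
        match = STATUS.search(line)
        if match is None:
            continue  # not a request line (e.g. "api starting")
        minute = ts.replace(second=0, microsecond=0)
        totals[minute] += 1
        errors[minute] += match.group(1).startswith("5")
    return {m: errors[m] / totals[m] for m in sorted(totals)}

if __name__ == "__main__":
    for minute, ratio in error_ratio_per_minute(select(build_streams(SAMPLE), app="api")).items():
        print(minute.isoformat(), f"{ratio:.0%}")
```

Selecting on `region="us-east"` instead of `app="api"` merges both streams into the same calculation, which is how labels let one query span several sources.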
How does it work?
Loki carefully chooses where to be simple and where to be complex:
- Loki accepts logs from anywhere, in any format: the only data-type we store is a string. Logs can be unstructured, semi-structured, or richly-structured and operators should never deal with the headache of setting up or migrating database schemas. Different teams logging in different formats? Migrating to Loki in pieces? No problem.
- Zero-downtime upgrades and seamless backwards compatibility: Loki can be incrementally upgraded, taking advantage of optimizations as they’re released without losing old data.
- Built on object storage: it’s incredibly cheap and durable. Without database schemas, there’s no need for memory-hungry machines serving data. Loki compresses logs in storage and queries them scalably across commodity hardware to do more with less.
Loki is not just a technical choice, but a philosophical one. Yes, it’s built for petabyte scale, but it’s also built for the startups, the hackers, the makers. Loki tries to solve hard problems internally so it can present operational simplicity on the outside.