# Logs in Explore
<a name="v9-explore-logs"></a>

****  
This documentation topic is designed for Grafana workspaces that support **Grafana version 9.x**.  
For Grafana workspaces that support Grafana version 12.x, see [Working in Grafana version 12](using-grafana-v12.md).  
For Grafana workspaces that support Grafana version 10.x, see [Working in Grafana version 10](using-grafana-v10.md).  
For Grafana workspaces that support Grafana version 8.x, see [Working in Grafana version 8](using-grafana-v8.md).

Along with metrics, Explore allows you to investigate your logs in the following data sources:
+ [OpenSearch](using-opensearch-in-AMG.md)
+ [InfluxDB](using-influxdb-in-AMG.md)
+ [Loki](using-loki-in-AMG.md)

During an infrastructure monitoring and incident response, you can dig deeper into the metrics and logs to find the cause. Explore also allows you to correlate metrics and logs by viewing them side-by-side. This creates a new debugging workflow.

1. Receive an alert.

1. Drill down and examine metrics.

1. Drill down again and search logs related to the metric and time interval (and in the future, distributed traces).

## Logs visualization
<a name="v9-explore-logs-viz"></a>

Results of log queries are shown as histograms in the graph and individual logs are explained in the following sections.

If the data source supports a full range log volume histogram, the graph with log distribution for all entered log queries is shown automatically. This feature is currently supported by OpenSearch and Loki data sources.

**Note**  
In Loki, this full range log volume histogram is rendered by metric query which can be expensive depending on time range queried. This query can be particularly challenging for smaller Loki installations to process. To mitigate this, we recommend using a proxy like [nginx](https://www.nginx.com/) in front of Loki to set a custom timeout (e.g. 10 seconds) for these queries. Log volume histogram queries can be identified by looking for queries with the HTTP header `X-Query-Tags` with value `Source=logvolhist`; these headers are added by Grafana to all log volume histogram queries.

If the data source does not support loading full range log volume histogram, the logs model computes a time series based on the log row counts bucketed by an automatically calculated time interval, and the first log row’s timestamp then anchors the start of the histogram from the result. The end of the time series is anchored to the time picker’s **To** range.

**Log level**

For logs where a level label is specified, Grafana uses the value of the label to determine the log level and update color accordingly. If the log doesn’t have a level label specified, it tries to find out if its content matches any of the supported expressions (see below for more information). The log level is always determined by the first match. In case Grafana is not able to determine a log level, it will be visualized with an unknown log level.

**Tip**  
If you use Loki data source and the `level` is in your log-line, use parsers (JSON, logfmt, regex,..) to extract the level information into a level label that is used to determine log level. This will allow the histogram to show the various log levels in separate bars.

**Supported log levels and mapping of log level abbreviation and expressions:**


| Supported expressions | Log level | Color | 
| --- | --- | --- | 
| emerg | critical | purple | 
| fatal | critical | purple | 
| alert | critical | purple | 
| crit | critical | purple | 
| critical | critical | purple | 
| err | error | red | 
| eror | error | red | 
| error | error | red | 
| warn | warning | yellow | 
| warning | warning | yellow | 
| info | info | green | 
| information | info | green | 
| notice | info | green | 
| dbug | debug | blue | 
| debug | debug | blue | 
| trace | trace | light blue | 
| \$1 | unknown | grey | 

## Logs navigation
<a name="v9-explore-logs-nav"></a>

The logs navigation interface, next to the log lines, can be used to request more logs. You can do this by selecting the **Older logs** button on the bottom of navigation. When you hit the line limit and you want to see more logs, you can use this to fetch more logs. Each request is displayed in the navigation as a separate page. Every page shows the from and to timestamp of the incoming log lines. You can see previous results by clicking on the page to view. Explore caches the last five requests run from the logs navigation, so it does not re-run the same query when clicking on those pages.

## Visualization options
<a name="v9-explore-logs-vis-options"></a>

You can customize how logs are displayed and select which columns are shown.

**Time**

Shows or hides the time column. This is the timestamp associated with the log line as reported from the data source.

**Unique labels**

Shows or hides the unique labels column that includes only non-common labels. All common labels are displayed above.

**Wrap lines**

Set this to True if you want the display to use line wrapping. If set to False, it will result in horizontal scrolling.

**Prettify JSON**

Set this to `true` to pretty print all JSON logs. This setting does not affect logs in any format other than JSON.

**Deduplication**

Log data can be very repetitive and Explore can help by hiding duplicate log lines. There are a few different deduplication algorithms that you can use:
+ **Exact** – Exact matches are done on the whole line except for date fields.
+ **Numbers** – Matches on the line after stripping out numbers such as durations, IP addresses, and so on.
+ **Signature** – The most aggressive deduplication, this strips all letters and numbers and matches on the remaining whitespace and punctuation.

**Flip results order**

You can change the order of received logs from the default descending order (newest first) to ascending order (oldest first).

**Labels and detected fields**

Each log row has an extendable area with its labels and detected fields, for more robust interaction. For all labels we have added the ability to filter for (positive filter) and filter out (negative filter) selected labels. Each field or label also has a stats icon to display statistics in relation to all displayed logs.

**Escaping newlines**

Explore automatically detects some incorrectly escaped sequences in log lines, such as newlines (`\n`, `\r`) or tabs (`\t`). When it detects such sequences, Explore provides an “Escape newlines” option.

Explore can automatically fix incorrectly escaped sequences that it has detected

**To automatically fix escape sequences**

1. Select **Escape newlines** to replace the sequences.

1. Manually review the replacements to confirm their correctness.

Explore replaces these sequences. When it does so, the option will change from **Escape newlines** to **Remove escaping**. Evaluate the changes as the parsing might not be accurate based on the input received. You can revert the replacements by selecting **Remove escaping**.

**Data links**

By using data links, you can turn any part of a log message into an internal or external link. The created link is visible as a button in the **Links** section inside the **Log details** view.

**Toggle field visibility**

Expand a log line and click the eye icon to show or hide fields.

## Loki-specific features
<a name="v9-explore-logs-loki"></a>

Loki is the open source log aggregation system from Grafana Labs. Loki is designed to be cost effective, as it does not index the contents of the logs, but rather a set of labels for each log stream. The logs from Loki are queried in a similar way to querying with label selectors in Prometheus. It uses labels to group log streams which can be made to match up with your Prometheus labels. For more information about Grafana Loki, you can see the [Grafana Loki](https://github.com/grafana/loki) Github.

For more information, see [Loki](using-loki-in-AMG.md) on how to query for log data.

**Switch from metrics to logs**

If you switch from a Prometheus query to a logs query (you can do a split first to have your metrics and logs side by side) then it will keep the labels from your query that exist in the logs and use those to query the log streams. For example, if you have the following Prometheus query:

```
grafana_alerting_active_alerts{job="grafana"}
```

after switching to the Logs data source, it will change to:

```
{job="grafana"}
```

This will return a chunk of logs in the selected time range that can be searched.

## Logs sample
<a name="v9-explore-logs-sample"></a>

If the selected data source implements logs sample, and supports both log and metric queries, then for metric queries you will be able to automatically see samples of log lines that contributed to visualized metrics. This feature is currently supported by Loki data sources.