How to group Loki entries as time-based series for modules

I would ideally like a visualization where I can see a per-day bar chart of failures provided by Loki (via Serilog). The output that Serilog is providing looks like the following:

{"Message":"Log message here","Level":"warning","SubField1":"Module1","SubField2":"Process1","SerialNumber":"123456","RunID":"<guid>"}

What I’m seeking is a graph that looks like the following:

Each “Module” is the field in SubField1 (Ignore SubField2). Each day should be its own bar reflecting any “warning”, “error” or “fatal” returned from Serilog and applying to the count for the day (and of course reset to 0 for the next day). What I have so far is the following:

sum by (level) (count_over_time({ApplicationName="MyApp", ApplicationServer="$hostname"} | json | Level =~ `warning|error|fatal` | Message ~= `Acceptable.*|.*rebuild.*` | SubField1 = `Module1` [$__range]))

The graph type is Range and Step is 1d (bars of course). While I can write 3 individual queries for the 3 modules, is there a way to do this more efficiently? Is the code even correct for what I am trying to accomplish?

How about this?

sum by (level, SubField1) (count_over_time(
  {ApplicationName="MyApp", ApplicationServer="$hostname"}
    | json
    | Level =~ `warning|error|fatal`
    | Message ~= `Acceptable.*|.*rebuild.*`
  [$__range]
))

@tonyswumac I just tried that and this was my output:

Thoughts on what I’m missing? Step is blank and type is set to Range.

If you want a bar for each day, try this:

  1. In your graph, change graph style to bar.
  2. In your graph’s query options, set minimum interval to 1d.
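
As an added example (not part of the thread, and not Grafana or Loki code), the Python sketch below computes the per-day counts that a `sum by (Level, SubField1)` aggregation over one-day buckets is meant to produce, so a panel can be checked against known input. The timestamps, log lines, UTC day boundaries and function names are constructed assumptions, and the `Message` filter is left out.

```python
import json
from collections import Counter
from datetime import datetime, timezone

ALERT_LEVELS = {"warning", "error", "fatal"}  # same set as the Level regex in the thread

# Constructed (timestamp, Serilog JSON line) pairs; not data from the thread.
SAMPLE_ENTRIES = [
    ("2024-05-01T08:15:00Z", '{"Message":"Disk nearly full","Level":"warning","SubField1":"Module1"}'),
    ("2024-05-01T09:00:00Z", '{"Message":"Write failed","Level":"error","SubField1":"Module1"}'),
    ("2024-05-01T23:59:59Z", '{"Message":"Slow response","Level":"warning","SubField1":"Module2"}'),
    ("2024-05-02T00:00:01Z", '{"Message":"Crash","Level":"fatal","SubField1":"Module1"}'),
    ("2024-05-02T10:00:00Z", '{"Message":"Started","Level":"information","SubField1":"Module1"}'),
    # Unquoted key: not valid JSON, so it cannot be parsed and is not counted.
    ("2024-05-02T11:00:00Z", '{"Message":"Bad line","Level":"error",SubField1:"Module2"}'),
    ("2024-05-02T12:00:00Z", '{"Message":"Retrying","Level":"warning","SubField1":"Module1"}'),
]


def daily_counts(entries, levels=ALERT_LEVELS):
    """Return (Counter keyed by (UTC day, module, level), number of unparsable lines)."""
    counts, skipped = Counter(), 0
    for ts, line in entries:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(record, dict):
            skipped += 1
            continue
        level, module = record.get("Level"), record.get("SubField1")
        if level not in levels or module is None:
            continue  # dropped by the level filter, or no module to group by
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        day = when.astimezone(timezone.utc).date().isoformat()
        counts[(day, module, level)] += 1
    return counts, skipped


def bars_per_module(counts):
    """Collapse the level dimension: one bar per (day, module)."""
    bars = Counter()
    for (day, module, _level), n in counts.items():
        bars[(day, module)] += n
    return bars


if __name__ == "__main__":
    counts, skipped = daily_counts(SAMPLE_ENTRIES)
    for key, n in sorted(bars_per_module(counts).items()):
        print(key, n)
    print("unparsable lines:", skipped)
```
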