How to query content of a JSON subfield in Loki Grafana

Hi all.

I have some logs that once I found them in Grafana with a loki query looks like this:

{
“@timestamp”: “2024-03-24T21:56:23.065Z”,
“log.level”: “INFO”,
“process.thread.name”: “xxxxxxxx”,
“message”: “Missing name attribute on …”,
“log.logger”: “com.miapp”,
“labels”: {
“ClientId”: “7F6GJEK8F473JFI3JF38434939KF3940”,
“ExecutionContextId”: “w83744w5-k3g5-7u12-k551-br83jh58am41”,
“Path”: “/one/user/dealers”,
“Principal”: “xxxxxx”,
“RemoteAddr”: “”,
“Source”: “zz-yy-xx”,
“Office”: “MiOffice_Madrid”
}
}

I’ve manage to query filtering by ‘application’ label and JSON ‘message’ field
I can do this like this:

{application=“nc2”} | json | message =~ .*Missing.*

But I’m trying to create a chart pie that groups by the different values of the ‘labels.office’ field.

Can someone please tell me how can I refer to the values of that subfield ‘labels.office’?

Thanks a lot in advance and regards.

Carlos T.

See Metric queries | Grafana Loki documentation for metrics query and aggregation on labels.

If your example it would be something like this (not tested):

sum by (Office) count_over_time({SELECTOR} | json [$__interval])

Indeed Tony.

First of all thank you for your answer and sorry for not replying earlier.

This is what I did at the end:
topk(10, sum by(json_Label1) (count_over_time({application=“asd”, filename=“/pathto/whatever.log”,env=~“$environment”, instance != “myhost”} | json | log_level =“ERROR” | json_Label1 != “” [$interval]))).

So, it is what you suggested with extra filters and staff that turned out to be neccessary in my case.
That, worked.

image1258×251 15.8 KB

Thx again