I’m using Grafana 11, where the logs show Loki receiving HTTP requests, which can be queried in Grafana’s Explore page. The log content is straightforward, but when configuring alerts, I received a prompt stating that log queries do not support instant query type; they must be of range query type and require wide series data.
It’s the error.
I can get the result using Explore.
It’s the dashboard in Grafana.
It’s my request via HTTP to Loki.
Use a metric query:
So you are not alerting on log content, but on log count (e.g. the number of lines which contain the string critical). Then the result is a standard metric.
I tried to configure:
(1) loki-config.yaml: added ruler params like this; 172.16.100.138 is my IP.
ruler:
  storage:
    type: local
    local:
      directory: /loki/rules
  rule_path: /loki/rules-temp
  alertmanager_url: http://172.16.100.138:9093
  enable_alertmanager_v2: true
  ring:
    kvstore:
      store: inmemory
  enable_api: true
(2) The ruler's YAML file, which is at both /loki/rules and /loki/rules-temp, the same dirs as in loki-config.yaml.
groups:
  - name: run-log-alerts
    rules:
      - alert: RunLogAlert
        expr: count_over_time({label="run_log"}[1m]) > 0
        for: 0m
        annotations:
          summary: Run log detected
          description: A log entry with label 'run_log' has been detected
After these settings, I pushed the POST request like above, and nothing happened in Alertmanager:9093 or the Loki logs.
Here is the result in grafana.
I don’t know where the configuration went wrong…
Please use formatted text for config and code snippets, not images.
OK, I edited the previous reply.
You need to use aggregation. Something like count(rate({level="critical"}[$__auto])) by (host)
Alerting does not support log lines as a result. Only time series.
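
An added example, not from any poster in this thread and not Loki or Grafana code: a simplified client-side emulation of what `count_over_time({label="run_log"}[1m])` does, showing how log streams (lines with no numeric value) become the numeric time series that an alert condition such as `> 0` can be evaluated against. The sample entries, the `host` label and the function names are constructed for illustration.

```python
"""Client-side sketch of why a raw log query cannot drive an alert but
count_over_time() can. Sample data is constructed; this is not Loki code."""
from collections import defaultdict

NS = 1_000_000_000  # Loki timestamps are nanoseconds since the epoch

# Constructed entries shaped like a Loki "streams" result:
# a label set plus (timestamp_ns, line) pairs. Nothing numeric to threshold.
SAMPLE_STREAMS = [
    {"stream": {"label": "run_log", "host": "app-1"},
     "values": [(10 * NS, "GET /run 200"), (25 * NS, "GET /run 200"), (130 * NS, "GET /run 500")]},
    {"stream": {"label": "run_log", "host": "app-2"},
     "values": [(70 * NS, "GET /run 200")]},
]


def count_over_time(streams, start_s, end_s, step_s, range_s):
    """Emulate count_over_time({...}[range]) evaluated every step_s seconds.

    Returns {label_tuple: [(eval_time_s, count), ...]}, i.e. numeric series.
    Each sample counts entries with eval_time - range < ts <= eval_time.
    """
    series = defaultdict(list)
    for s in streams:
        key = tuple(sorted(s["stream"].items()))
        for t in range(start_s, end_s + 1, step_s):
            lo, hi = (t - range_s) * NS, t * NS
            n = sum(1 for ts, _ in s["values"] if lo < ts <= hi)
            if n:  # an empty window yields no sample; the series is absent then
                series[key].append((t, n))
    return dict(series)


def firing(series, at_s, threshold=0):
    """Hosts whose sample at evaluation time at_s satisfies `> threshold`."""
    return sorted(dict(key)["host"] for key, pts in series.items()
                  if any(t == at_s and v > threshold for t, v in pts))


if __name__ == "__main__":
    m = count_over_time(SAMPLE_STREAMS, start_s=60, end_s=180, step_s=60, range_s=60)
    for key, pts in m.items():
        print(dict(key), pts)
    print("firing at t=180s:", firing(m, 180))
```

Because an empty window produces no sample at all, a rule of the form `count_over_time(...) > 0` only ever has data while matching lines are arriving, which is worth remembering when an alert appears to stay silent.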