Hello everyone,
We have encountered an issue with a dashboard we’ve been using for monitoring user logins through log analysis. The objective is to identify users whose sessions are being terminated, indicating a logout event. Previously, we achieved this with the following LogQL query (the real command is more complex and allows filtering, this is a minimized demo):
count_over_time({app="log"} | json u="UserAccountId",s="SessionKey" | label_format user=u,session=s [$__interval]) >= 2
This query accurately filtered users whose session keys changed. The condition >= 2 is crucial, as the overall number of logs exceeds 500, while only a few users actually log out.
This setup worked seamlessly until we upgrade to Loki version 3. The query fails in versions 3.0.0, 3.0.1, 3.1.2, and 3.3.2, despite functioning perfectly in versions up to 2.9.11. The tests were conducted under the same data and time intervals across versions. When executing the query in versions prior to 3.0.0, everything operates as expected, but for versions 3.x.x, we encounter the error: “maximum of series (500) reached for a single query.”
While temporarily resolved by increasing max_query_series to 50000, we are concerned that doing so may result in inefficient queries consuming excessive resources or potentially causing system instability.
Could you please investigate this issue or suggest alternative solutions? Your guidance would be greatly appreciated.
Thank you for your attention to this matter.
Best regards,
Jindrich Krivohlavek