How to use boolean and/or condition to check for specific message

In Splunk, a query for searching text in a log message looks like ('condition 1' AND 'condition 2') OR ('condition 3'). How can the same be achieved in Grafana Loki/LogQL?

I tried using the query below in Grafana, and it works for the AND condition only:

{k8s_container_name="container"}
 | json
 | line_format `{{.body}}`
 | json
 |= `condition 1`
 |= `condition 2`

I need a suggestion on how to add an OR block for condition 3 to the above query.

markalex On BEST ANSWER

There is no general solution for or in stream selectors.

In this specific case, though, your goal can be accomplished with the following query:

{k8s_container_name="container"}
 | json 
 | (body =~ `.*condition 1.*` and body =~ `.*condition 2.*`) or body =~ `.*condition 3.*`
 | line_format `{{.body}}`
 | json

Here, instead of line filter expressions, I use a label filter. Label filters can be grouped using and and or. For more information, see the documentation for label filter expressions.

Note also that the =~ and !~ regex operators are fully anchored. That is why all the .* are needed in the expressions.

In a broader situation, as far as I know, you cannot apply or over the |= operator. The best that can be done is to use |~ instead, with the logic incorporated into the regex.

In your example, the expression will be like this:

|~ `condition1.*condition2|condition2.*condition1|condition3`
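
Added example, not part of the answer above and not Loki's own code: a Go model (Loki regexes use Go RE2 syntax) of both suggested queries, showing that terms carried over from `|=` must be escaped before they go into a regex, and that `=~` is anchored while `|~` is not. The function names, sample terms and log lines are constructed for illustration.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// q keeps a search term literal inside a regex, as it was under `|=`.
var q = regexp.QuoteMeta

// LineFilterPattern builds the `|~` pattern for (a AND b) OR c.
// Caveat: a.*b|b.*a only matches when a and b do not overlap in the line.
func LineFilterPattern(a, b, c string) string {
	return q(a) + ".*" + q(b) + "|" + q(b) + ".*" + q(a) + "|" + q(c)
}

// MatchLine models `|~`: the regex may match anywhere in the line.
func MatchLine(pattern, line string) bool {
	return regexp.MustCompile(pattern).MatchString(line)
}

// MatchLabel models `label =~`: the regex must cover the whole value.
func MatchLabel(pattern, value string) bool {
	return regexp.MustCompile("^(?:" + pattern + ")$").MatchString(value)
}

// LabelFilter models (body =~ `.*a.*` and body =~ `.*b.*`) or body =~ `.*c.*`.
func LabelFilter(a, b, c, body string) bool {
	has := func(t string) bool { return MatchLabel(".*"+q(t)+".*", body) }
	return (has(a) && has(b)) || has(c)
}

// Want is the intended boolean, written with plain substring checks.
func Want(a, b, c, s string) bool {
	return (strings.Contains(s, a) && strings.Contains(s, b)) || strings.Contains(s, c)
}

func main() {
	// Constructed sample terms and log lines, not taken from the page.
	a, b, c := "login failed", "user=admin", "account locked (policy)"
	p := LineFilterPattern(a, b, c)
	fmt.Println("|~ pattern:", p)
	for _, l := range []string{
		"ts=1 login failed user=admin src=10.0.0.5",
		"ts=2 user=admin login failed",
		"ts=3 login failed user=guest",
		"ts=4 account locked (policy) user=guest",
	} {
		fmt.Println(MatchLine(p, l), LabelFilter(a, b, c, l), Want(a, b, c, l), l)
	}
}
```

The three columns printed for each line agree on this sample; they diverge only when the two AND terms overlap in the text, where the label-filter form still matches and the `a.*b|b.*a` form does not.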