Start with a stream selector: {app="api", namespace="production"} to select relevant log streams
Apply a line filter expression such as |= "ERROR" or != "healthcheck" to narrow the lines before the more expensive parsing stages run
Use a JSON or logfmt parser (| json or | logfmt) to extract structured fields, then apply a label filter expression such as | level="error" on the extracted fields
Build a metric query using rate() or count_over_time() wrapping the filtered stream to produce time series: rate({app="api"} | json | level="error" [5m])
Use | unwrap <field> with avg_over_time or quantile_over_time to compute aggregations over numeric fields extracted from log lines
Known gotchas
Adding many extracted labels (high cardinality per-stream) creates label cardinality issues in Loki; use line_format or keep_labels to limit label proliferation
LogQL metric queries require a range selector such as [5m] on the log stream; too short a range ([1m] on infrequent logs) produces sparse or zero-value data points
The logfmt parser silently skips malformed entries; a stream that mixes formats (some JSON lines, some plain text) yields incomplete field extraction
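To make the pipeline steps and the last two gotchas concrete, here is an added Python emulation of the LogQL stages (stream selector, line filter, json/logfmt parser, label filter, count_over_time, unwrap with avg_over_time) run over a small constructed stream. It is not Loki's implementation and not code from the original page; the sample lines, timestamps and the STREAMS structure are constructed for the example, and the logfmt parser is a simplified regex version that, like the page describes, skips anything that is not key=value.

```python
"""Toy emulation of the LogQL pipeline stages over a constructed stream.
Stage names mirror LogQL so each step's effect on the data can be
inspected; this is an illustration, not Loki's query engine."""
import json
import re
from typing import Callable

# Constructed sample data: streams keyed by their label set, entries are
# (timestamp in seconds, raw log line). Formats are deliberately mixed so
# the "incomplete field extraction" gotcha is visible.
STREAMS = {
    (("app", "api"), ("namespace", "production")): [
        (0,  '{"level":"error","msg":"db timeout","duration_ms":1200}'),
        (10, '{"level":"info","msg":"request ok","duration_ms":35}'),
        (20, 'GET /healthcheck 200'),
        (30, 'level=error msg="upstream 502" duration_ms=800'),
        (40, 'ERROR worker crashed'),  # plain text: no fields to extract
        (70, '{"level":"error","msg":"db timeout","duration_ms":1500}'),
    ],
    (("app", "api"), ("namespace", "staging")): [
        (5, '{"level":"error","msg":"staging only","duration_ms":10}'),
    ],
}

# key=value or key="quoted value"; anything else on the line is ignored
LOGFMT_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def select_streams(selector: dict) -> list:
    """Stream selector {app="api", namespace="production"}: keep entries of
    every stream whose labels match all selector pairs."""
    out = []
    for labels, entries in STREAMS.items():
        if all(dict(labels).get(k) == v for k, v in selector.items()):
            out.extend((ts, line, {}) for ts, line in entries)
    return out


def line_filter(entries, contains=None, not_contains=None):
    """|= "ERROR" / != "healthcheck": raw substring tests on the line,
    cheap and applied before any parsing."""
    return [e for e in entries
            if (contains is None or contains in e[1])
            and (not_contains is None or not_contains not in e[1])]


def parse_json(line: str) -> dict:
    """| json: extract top-level keys as string labels, nothing on failure."""
    try:
        obj = json.loads(line)
    except ValueError:
        return {}
    return {k: str(v) for k, v in obj.items()} if isinstance(obj, dict) else {}


def parse_logfmt(line: str) -> dict:
    """| logfmt (simplified): malformed tokens are skipped silently, so a
    JSON or plain-text line yields no fields at all."""
    fields = {}
    for key, val in LOGFMT_TOKEN.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def parse_stage(entries, parser: Callable[[str], dict]):
    """Merge the parser's extracted fields into each entry's label set."""
    return [(ts, line, {**labels, **parser(line)}) for ts, line, labels in entries]


def label_filter(entries, key, value):
    """| level="error" on extracted labels; entries lacking the label drop out."""
    return [e for e in entries if e[2].get(key) == value]


def count_over_time(entries, range_s, step_s, end_s):
    """count_over_time(... [range]) evaluated at every step up to end_s:
    the number of entries with a timestamp in (t - range, t]."""
    points, t = [], 0
    while t <= end_s:
        points.append((t, sum(1 for ts, _, _ in entries if t - range_s < ts <= t)))
        t += step_s
    return points


def avg_over_time_unwrap(entries, field, range_s, end_s):
    """| unwrap field + avg_over_time over one range ending at end_s;
    entries whose field is missing or non-numeric are ignored."""
    vals = []
    for ts, _, labels in entries:
        if end_s - range_s < ts <= end_s and field in labels:
            try:
                vals.append(float(labels[field]))
            except ValueError:
                pass
    return sum(vals) / len(vals) if vals else None


def error_pipeline(parser=parse_json):
    """{app="api", namespace="production"} != "healthcheck" | <parser> | level="error" """
    entries = select_streams({"app": "api", "namespace": "production"})
    entries = line_filter(entries, not_contains="healthcheck")
    entries = parse_stage(entries, parser)
    return label_filter(entries, "level", "error")


if __name__ == "__main__":
    errs = error_pipeline(parse_json)
    print("json parser, level=error at:", [ts for ts, _, _ in errs])
    print("logfmt parser, level=error at:", [ts for ts, _, _ in error_pipeline(parse_logfmt)])
    print("count_over_time [60s]:", count_over_time(errs, 60, 30, 90))
    print("count_over_time [10s]:", count_over_time(errs, 10, 30, 90))
    print("avg duration_ms [120s]:", avg_over_time_unwrap(errs, "duration_ms", 120, 100))
```

Running it shows the two gotchas directly: with the json parser the logfmt and plain-text error lines never acquire a level label and vanish from the level="error" result, and with the logfmt parser the JSON lines vanish instead; shrinking the range from 60s to 10s on this sparse stream turns most data points into zeros. It also shows the difference between a line filter and a label filter: |= "ERROR" is a raw substring test and matches only the plain-text line here, while level="error" matches the structured ones.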