SigSentry

Grafana Loki

Connect a self-hosted Loki instance or Grafana Cloud Logs to SigSentry

The Loki adapter uses LogQL to query logs during analyses. It supports self-hosted Loki, Grafana Cloud Logs, and any compatible Loki gateway.

Prerequisites

| Need | Notes |
| --- | --- |
| A reachable Loki URL | e.g. http://loki.internal:3100 or a Grafana Cloud endpoint |
| Bearer token | Optional — required if Loki is behind auth or you're using Grafana Cloud |
| Org ID | Optional — required only for multi-tenant Loki deployments |
| LogQL queries or label selectors | At least one to scope queries |

Setup walkthrough

Confirm the Loki URL is reachable

Loki must be reachable from SigSentry's API. For self-hosted Loki on a private network, this means either making it publicly addressable (behind auth) or running SigSentry self-hosted in the same VPC.

Test from anywhere with:

curl https://your-loki-url/ready

If it returns ready, you're good.

Get a bearer token (if needed)

For Grafana Cloud: under your stack's Connections → Data sources → Loki, copy the URL and generate an access policy token with logs:read.

For self-hosted Loki with auth: generate the token your auth proxy expects (Basic auth header value, JWT, etc.).

For unauthenticated Loki: skip this step.

Add the log source in SigSentry

Project → Log Sources → Add log source. Pick Grafana Loki and name it loki-prod or similar.

Enter connection details

| Field | Value |
| --- | --- |
| Host | Loki URL, e.g. https://loki.example.com:3100 |
| API key | Bearer token (optional) |
| Org ID | Multi-tenant org ID (optional) — sent as X-Scope-OrgID |

Define your queries / label selectors

Paste LogQL label selectors or job patterns into the Sources field, one per line:

{job="checkout-api"}
{namespace="prod", app="billing-worker"}
{cluster="us-east-1", service="api-gateway"} |= "error"

You can use any valid LogQL label selector syntax. Each line is queried independently per analysis.

Test and save

Click Test connection — you should see Connected plus sample lines from a small recent window. Click Save.
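
To check the same values from a terminal before saving, the following added example (not SigSentry's code) refuses to send a token over plain http://, passes the headers to curl on stdin so the token stays out of the process list, and queries each Sources line through Loki's /loki/api/v1/query_range endpoint. It assumes the API key is sent as Authorization: Bearer; LOKI_URL, LOKI_TOKEN and LOKI_ORG_ID are hypothetical variable names.

```shell
# Added example, not SigSentry code. Assumptions: the API key is sent as
# "Authorization: Bearer <token>"; LOKI_URL, LOKI_TOKEN and LOKI_ORG_ID are
# hypothetical names for the Host, API key and Org ID fields.

# Allow https always; allow http only when no token would cross the wire.
scheme_ok() {  # $1 = URL, $2 = token (may be empty)
  case "$1" in
    https://*) return 0 ;;
    http://*)  [ -z "$2" ] ;;
    *)         return 1 ;;
  esac
}

# Emit headers as curl config lines, read by curl from stdin, so the token
# never appears in argv. Assumes the values contain no '"' or '\'.
auth_config() {
  [ -n "${LOKI_TOKEN:-}" ]  && printf 'header = "Authorization: Bearer %s"\n' "$LOKI_TOKEN"
  [ -n "${LOKI_ORG_ID:-}" ] && printf 'header = "X-Scope-OrgID: %s"\n' "$LOKI_ORG_ID"
  return 0
}

# Map an HTTP status to the fix listed under Troubleshooting.
explain_status() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "bearer token missing or invalid" ;;
    404) echo "URL likely wrong (missing port?) or Loki not running" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Query one Sources line over the last 5 minutes; prints the HTTP status.
query_selector() {  # $1 = selector
  start="$(( $(date +%s) - 300 ))000000000"   # nanosecond Unix epoch
  auth_config | curl -sS -K - -o /dev/null -w '%{http_code}' -G \
    --data-urlencode "query=$1" --data-urlencode "start=${start}" \
    --data-urlencode "limit=5" "${LOKI_URL%/}/loki/api/v1/query_range"
}

# Read selectors (one per line) on stdin and report on each independently.
preflight() {
  scheme_ok "$LOKI_URL" "${LOKI_TOKEN:-}" ||
    { echo "refusing: bad URL, or token over cleartext http" >&2; return 2; }
  while IFS= read -r sel; do
    [ -n "$sel" ] || continue
    printf '%s -> %s\n' "$sel" "$(explain_status "$(query_selector "$sel")")"
  done
}
```

With the three variables exported, run `preflight < selectors.txt`, where selectors.txt holds the lines you intend to paste into the Sources field.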

What you'll see in results

Each Loki log line shown in an analysis includes:

  • Timestamp
  • Log level (from level / severity labels, or parsed from the message)
  • Service name (from job, app, service, container, or namespace labels)
  • Message
  • All Loki labels carried through as metadata

Quirks

| Quirk | Notes |
| --- | --- |
| Multi-tenant | Set Org ID for any deployment using X-Scope-OrgID (e.g. Grafana Enterprise Logs, Grafana Cloud) |

Troubleshooting

| Error | Fix |
| --- | --- |
| 401 Unauthorized | Bearer token missing or invalid |
| 404 Not Found | URL likely wrong (missing port?) or Loki not running |
| Empty results despite log activity | Label selector doesn't match — verify in Grafana Explore |
| Org ID errors | Multi-tenant Loki requires X-Scope-OrgID; provide one |