Alex Spinov

Grafana Loki Has a Free Log Aggregation System That Won't Bankrupt You

Elasticsearch is the default choice for log aggregation. It is also expensive, resource-hungry, and complex to operate.

Grafana Loki is the anti-Elasticsearch: it indexes only labels (not full text), stores logs in cheap object storage, and runs on a fraction of the resources.

Why Loki Wins on Cost

|                        | Elasticsearch           | Loki               |
|------------------------|-------------------------|--------------------|
| Indexing               | Full-text (expensive)   | Labels only (cheap)|
| Storage                | Hot SSD required        | S3/GCS/MinIO       |
| RAM per GB logs        | ~2-4 GB                 | ~0.5 GB            |
| Operational complexity | High (shards, mappings) | Low (just labels)  |
| Monthly cost (1TB logs)| $500-2,000              | $50-200            |

Getting Started

1. Run Loki + Grafana

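# docker-compose.yml
version: "3"
services:
  loki:
    image: grafana/loki:latest
    ports:
      # Published on all host interfaces; Loki's HTTP API has no built-in authentication
      - "3100:3100"
    volumes:
      - ./loki-config.yml:/etc/loki/config.yaml
    command: -config.file=/etc/loki/config.yaml

  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
    environment:
      # Lets unauthenticated visitors into Grafana (Viewer role by default); local testing only
      - GF_AUTH_ANONYMOUS_ENABLED=true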

2. Ship Logs with Promtail

# promtail-config.yml
server:
  http_listen_port: 9080
clients:
  - url: http://loki:3100/loki/api/v1/push
scrape_configs:
  - job_name: containers
    docker_sd_configs:
      - host: unix:///var/run/docker.sock
    relabel_configs:
      - source_labels: [__meta_docker_container_name]
        target_label: container

3. Query with LogQL

# All errors from payment service
{service="payment"} |= "error"

# JSON parsing + filtering
{app="api"} | json | status >= 500

# Error rate as metric
sum(rate({app="api"} |= "error" [5m])) by (service)

LogQL borrows from PromQL — if you know Prometheus, you already know Loki.

4. Alerting on Logs

groups:
  - name: log-alerts
    rules:
      - alert: HighErrorLogRate
        expr: sum(rate({app="api"} |= "error" [5m])) > 10
        for: 5m
        annotations:
          summary: "More than 10 errors/sec for 5 minutes"
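
A hardened variant of the compose file from step 1 with the Promtail shipper from step 2 wired in, added here as an example and not the author's own file. The Promtail service definition, the Docker socket mount, and the GRAFANA_ADMIN_PASSWORD variable name are assumptions; image tags are kept as on the page.

```yaml
# docker-compose.yml (hardened variant; added example, not the author's file)
services:
  loki:
    image: grafana/loki:latest          # tag kept from the page; pin a specific version in real deployments
    ports:
      # Loopback only: Loki's push and query API has no built-in authentication.
      # Grafana and Promtail still reach it as http://loki:3100 over the compose network.
      - "127.0.0.1:3100:3100"
    volumes:
      - ./loki-config.yml:/etc/loki/config.yaml:ro
    command: -config.file=/etc/loki/config.yaml

  promtail:                              # assumed service; the page shows only its config file
    image: grafana/promtail:latest
    volumes:
      - ./promtail-config.yml:/etc/promtail/config.yml:ro
      # Required by docker_sd_configs. Access to this socket is effectively root on the host,
      # and :ro does not restrict Docker API calls, so treat this container as privileged.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command: -config.file=/etc/promtail/config.yml
    depends_on:
      - loki
    # No ports published: Promtail's HTTP listener (9080) stays on the compose network.

  grafana:
    image: grafana/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"            # put a TLS-terminating reverse proxy in front for remote access
    environment:
      - GF_AUTH_ANONYMOUS_ENABLED=false  # require login; logs often contain tokens, emails, internal hostnames
      # Assumed variable name; compose aborts if it is unset, so the default admin password is never used.
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?set GRAFANA_ADMIN_PASSWORD in .env}
    depends_on:
      - loki
```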

The LGTM Stack (All Free)

  • Loki — Logs
  • Grafana — Dashboards
  • Tempo — Traces
  • Mimir — Metrics (Prometheus-compatible)

One ecosystem. One query language family. Zero licensing costs.

When to Use Loki vs Elasticsearch

Choose Loki when: Cost matters, you use Grafana, your team knows PromQL, you want simple operations.

Choose Elasticsearch when: You need full-text search across logs, complex text analytics, or you already have an ELK stack running well.

