Presenters

• Poyzan
• Ben Clive
• Trevor Whitney
• Jason Nochlin

Source

• GrafanaCon 2026

Loki’s Evolution: From Log Files to Powerful Analytics 🚀

Hey tech enthusiasts! Ever felt like you’re drowning in log data, desperately searching for that one crucial piece of information? You’re not alone. The way we interact with logs has evolved dramatically, and the team behind Loki is at the forefront of this revolution. They recently unveiled a significant architectural overhaul for Loki, promising faster queries, deeper insights, and a more scalable, cost-effective solution. Let’s dive into the exciting changes!

The Journey of Log Aggregation: A Quick Look Back 🕰️

Poyzan, a key member of the Loki team, kicked off the session by tracing the lineage of log management:

• The Dark Ages (Phase 1): Imagine SSHing into servers, sifting through plain text files, hoping you’re in the right place. Not ideal!
• Early Aggregation (Phase 2): Centralizing logs on a dedicated server was a step up, but it hit a scaling wall.
• Loki’s Entrance (Phase 3): Loki disrupted the scene by introducing a revolutionary concept: not indexing every log line. This design choice made Loki incredibly easy to operate and cheaper to run, making it the backbone for observability in countless organizations. With over 30,000 stars and 400,000 deployments, Loki’s success is undeniable.
• The Structured Logging Era (Phase 4): Today, structured logging is the norm, with OpenTelemetry adoption accelerating. We’re now dealing with meaningful key-value pairs that represent infrastructure or business logic.

Why the Change? New Demands, New Challenges 💡

Despite its massive success, Loki’s original design, optimized for its initial trade-offs, is now facing new challenges as the scale and complexity of queries increase. Poyzan highlighted four key bottlenecks:

1. Write Path Overload: The initial design had a tight coupling between read and write paths, leading to operational bottlenecks.
2. Dimension Explosion: Modern queries require analyzing multiple dimensions (key-value pairs) from every log line. Loki’s current architecture often parses the entire log line, even when only a small fraction is needed, leading to significant wasted effort (up to 97% of the log message might be unnecessary for a specific query!).
3. The Needle in the Haystack Problem: Searching for a specific log line without any directional clues (“needle in a haystack” queries) is inherently slow.
4. Read/Write Coupling: The original design served reads from memory for high availability. However, at scale, heavy queries could impact write performance and even cause ingestors to slow down or fail.

The New Architecture: Unpacking the Solutions 🛠️

The Loki team is tackling these challenges with a four-pronged approach:

1. Revolutionizing the Write Path with Kafka ✍️

Poyzan introduced the new write path, integrating Kafka to decouple read and write operations.

• Key Benefits:
  • Write Isolation: Complete separation of read and write paths without compromising high availability.
  • Data Durability and Replay: Kafka enables data replay, ensuring data is processed once and exactly once.
  • Uniform Workloads: Partitioning by volume (instead of hash ID) leads to more balanced ingestor workloads.
  • Cost Efficiency: Eliminating deduplication at query time and optimizing data replication can lead to up to 30% cost reduction in large clusters.
• Trade-off Acknowledged: While adding Kafka introduces operational complexity, the team believes it’s a justified trade-off for the enhanced scale and efficiency.

2. Columnar Format and a New Query Engine: Faster Analytics 📊

Ben Clive and Trevor Whitney dove deep into the query path, revealing the impact of a new columnar storage format called DataObjects and a revamped query engine.

• The Problem with Chunks: Loki’s current chunk-based storage intersperses log lines with metadata. This forces the engine to download and process all data, even if only a small portion is needed for a query. A typical chunk contains about 8MB of uncompressed data, with only 200-300KB being non-log data (timestamps, metadata).
• Enter DataObjects: This new columnar format stores timestamps and metadata in contiguous blocks, allowing for independent processing.
• Query Engine Enhancements:
  • 20x Less Data Scanned & 10x Faster Queries: These are the headline improvements for business-insight-driven queries.
  • Comprehensive Query Planning: The new engine creates detailed logical and physical plans, pushing optimizations down to the scan nodes.
  • Selective Scanning: By detecting predicates early, the engine filters data at the source, processing only the dimensions needed for a specific query.
  • Columnar Advantages: DataObjects leverage various encoding and compression strategies (up to 1000x column compression), support sparse columns, and offer paged access for efficient memory management.
• Impact: This means queries that previously took minutes or hours can now complete in seconds, unlocking powerful analytical capabilities.

3. Accelerating “Needle in a Haystack” Searches 🧲

Jason Nochlin addressed the challenge of finding specific log lines within massive datasets.

• The Indexing Dilemma: Traditionally, indexing large-scale logs involved a trade-off between low-cost, easy-to-operate solutions (like Loki) and expensive, fully indexed systems.
• Beyond Bloom Filters: While Bloom filters are probabilistic data structures, scaling them for logs led to high storage overhead, expensive queries, and poor object storage compatibility.
• Logline’s Innovation: Jason’s previous startup, Logline, developed a novel solution that Grafana acquired. This technology is now powering a new index for Loki.
• Key Features of the New Index:
  • Low Cost Overhead: Less than 20% storage overhead.
  • High Precision: Focused on essential identifiers (UUIDs, IPs) and excludes redundant data like timestamps.
  • Object Storage Native: Builds index files uploaded to object storage, enabling efficient range reads directly.
  • Predictable Lookup Costs: Query cost is proportional to the query size in time, not the total data size.
• Integration: The system detects expensive queries and uses the new index to quickly identify likely matches, which are then processed by the new columnar storage engine. This drastically reduces the data scanned, turning a 3.5 terabyte scan with client timeouts into finding a UUID within a few seconds by scanning only 8 gigabytes.

The Future is Here (and It’s Open Source!) 🌐

The team emphasized that these advancements are being made available in the open-source Loki repository.

• Monolithic vs. Distributed: For users running single-binary Loki, Kafka is not required. However, for distributed deployments, Kafka is the new orchestration mechanism, offering significant scalability and cost benefits (30% cost reduction at equivalent scale).
• Migration Tools: Tools are available in the open-source repository to safely migrate and run the new architecture.
• Dual Query Engines: The architecture supports running both the old (chunk-based) and new (DataObjects) query engines in parallel, allowing for a smooth transition as older data ages out. A new component called Query T manages routing between these engines.
• Ongoing Development: Features like pre-parsing detected fields and addressing query ambiguity are still being worked on, promising even further improvements.

Loki is evolving from a tool for searching logs to a powerful platform for analyzing them, offering sub-linear query times and unlocking deeper insights from your data. Get ready for a more powerful, scalable, and cost-effective Loki experience! ✨

Appendix