Migrate from Grafana Loki
Migrate from Grafana Loki to LogTide for built-in alerting, SIEM capabilities, and richer full-text search without needing separate tools for visualization and alerting.
Why Migrate from Loki?
Built-in Alerting
Loki requires Prometheus AlertManager or Grafana Alerting for alerts. LogTide has native alert rules with email/webhook support.
True Full-text Search
Loki uses label-based indexing with limited search. LogTide indexes log content for fast full-text search.
All-in-One Solution
No need for Grafana, Prometheus, or AlertManager. LogTide includes UI, alerting, and SIEM in one package.
Security Detection
Loki is pure log aggregation. LogTide includes Sigma rules, incident management, and MITRE ATT&CK mapping.
Feature Comparison
| Feature | Grafana Loki | LogTide |
|---|---|---|
| Log Ingestion | Promtail, Fluent Bit | HTTP API, SDKs, OTLP |
| Query Language | LogQL | REST API + Full-text |
| Full-text Search | Limited (regex only) | Indexed |
| Indexing Strategy | Labels only | Labels + Content |
| Built-in Alerting | Requires Grafana | Native |
| Built-in UI | Requires Grafana | Included |
| Sigma Rules | No | Built-in |
| Incident Management | No | Built-in |
| OpenTelemetry | Yes | Native OTLP |
| Real-time Streaming | Tail queries | SSE |
| Pricing | Open-source | Open-source |
Step 1: Deploy LogTide
See the Deployment Guide for full instructions:
# Clone LogTide
git clone https://github.com/logtide-dev/logtide.git
cd logtide/docker
# Configure
cp .env.example .env
# Edit .env with your settings
# Start
docker compose up -d
# Verify
curl http://localhost:8080/health
Create your organization and project via the UI, then generate an API key.
Step 2: Replace Promtail with Fluent Bit
Promtail is Loki's log shipper. Replace it with Fluent Bit to send logs to LogTide:
# promtail-config.yaml
server:
  http_listen_port: 9080
positions:
  filename: /tmp/positions.yaml
clients:
  - url: http://loki:3100/loki/api/v1/push
scrape_configs:
  - job_name: app
    static_configs:
      - targets:
          - localhost
        labels:
          job: app
          __path__: /var/log/app/*.log
# fluent-bit.conf
[SERVICE]
    Flush     1
    Log_Level info
[INPUT]
    Name tail
    Path /var/log/app/*.log
    Tag  app
[OUTPUT]
    Name   http
    Match  *
    Host   logtide.internal
    Port   8080
    URI    /api/v1/ingest
    Format json
    # lp_xxx is a placeholder; write ${LOGTIDE_API_KEY} instead to have Fluent Bit
    # read the key from the environment (set in the Compose example that follows)
    Header X-API-Key lp_xxx
Docker Compose Example
# docker-compose.yml
services:
  fluent-bit:
    image: fluent/fluent-bit:4.2.2 # For ARM64: cr.fluentbit.io/fluent/fluent-bit:4.2.2
    volumes:
      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
      - /var/log:/var/log:ro
    environment:
      - LOGTIDE_API_KEY=lp_your_api_key
    depends_on:
      - logtide
Step 3: Query Migration (LogQL to LogTide)
LogQL queries translate to LogTide REST API parameters:
| LogQL | LogTide API |
|---|---|
| {job="api"} | GET /api/v1/logs?service=api |
| {job="api"} \|= "error" | GET /api/v1/logs?service=api&level=error |
| {job="api"} \|~ "timeout\|connection" | GET /api/v1/logs?service=api&q=timeout |
| {job="api"} \| json | Auto (metadata is JSON) |
| count_over_time({job="api"}[5m]) | GET /api/v1/logs/aggregated?interval=5m |
Key Difference: Full-text Search
Loki requires regex patterns (|~) to search log content because
it doesn't index log bodies. LogTide indexes everything, so you can search
any text with the q parameter without regex overhead.
Step 4: Create Alert Rules
Loki alerting requires Grafana or Prometheus AlertManager. LogTide has native alerts:
Loki (via Grafana)
# Grafana alert rule
groups:
  - name: app-alerts
    rules:
      - alert: HighErrorRate
        expr: |
          sum(rate({job="api"}
            |= "error" [5m])) > 10
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: High error rate
LogTide Alert Rule
{
  "name": "High Error Rate",
  "enabled": true,
  "service": "api",
  "level": ["error"],
  "threshold": 50,
  "timeWindow": 5,
  "emailRecipients": [
    "[email protected]"
  ],
  "webhookUrl": "https://hooks.slack.com/..."
}
Create alerts via the LogTide UI at /dashboard/alerts or via the API.
Step 5: Enable SIEM Features
LogTide includes SIEM capabilities that Loki doesn't have:
Security Features in LogTide
- Sigma Rules: Import threat detection rules from SigmaHQ
- Incident Management: Track, assign, and resolve security incidents
- MITRE ATT&CK: Map detections to attack techniques
- SIEM Dashboard: Security-focused visualizations
Access the SIEM dashboard at /dashboard/security.
Concept Mapping
| Loki Term | LogTide Equivalent | Notes |
|---|---|---|
| Tenant | Organization / Project | Multi-tenancy via projects |
| Labels | service + metadata | service is indexed, extra fields in metadata |
| Stream | Service | One label set = one service |
| Promtail | Fluent Bit / SDK | Use Fluent Bit or application SDK |
| LogQL | REST API params | Simpler query syntax |
| Grafana | LogTide UI | Built-in web interface |
| Grafana Alerting | Alert Rules | Native alerting, no external tools |
| N/A | Sigma Rules + SIEM | LogTide exclusive |
Common Issues
High cardinality labels
Loki has strict label cardinality limits. LogTide is more flexible -
use the service field for core identity and put variable
data in metadata JSON (not indexed, no cardinality issues).
Missing Grafana dashboards
LogTide doesn't have Grafana-style custom dashboards yet.
Use the SIEM dashboard for security metrics. For custom visualizations,
you can query the LogTide API from external tools.
Log parsing differences
Loki uses pipeline stages (| json, | logfmt).
LogTide expects JSON logs - structure your logs in your application
or use Fluent Bit parsers before sending.
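The label and parsing notes above, as an added example (not LogTide's or Loki's own code): it turns entries in Loki's push format (label set plus a logfmt line) into JSON records where `job` becomes `service` and all other labels and parsed fields move into `metadata`. The `time` and `message` field names, the `info` default level and the sample entry are assumptions made for illustration; check them against the LogTide ingest schema before use.

```python
import json
import re
from datetime import datetime, timezone

# One logfmt pair: key=value or key="quoted value" (backslash escapes allowed).
_PAIR = re.compile(r'(\w[\w.\-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_logfmt(line):
    """Parse a logfmt line into a dict of strings; stray tokens are ignored."""
    fields = {}
    for key, quoted, bare in _PAIR.findall(line):
        fields[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return fields

def to_record(labels, ts_ns, line):
    """Map one Loki entry to a JSON-ready record.

    `job` becomes `service`; every other label and parsed field goes into
    `metadata`, so variable data never becomes part of the service identity.
    """
    fields = parse_logfmt(line)
    level = fields.pop("level", None) or labels.get("level") or "info"
    sec, ns = divmod(int(ts_ns), 10**9)  # Loki timestamps are ns since epoch
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=ns // 1000)
    metadata = {k: v for k, v in labels.items() if k not in ("job", "level")}
    metadata.update(fields)
    return {
        "time": ts.isoformat(),                 # assumed field name
        "service": labels.get("job", "unknown"),
        "level": level.lower(),
        "message": metadata.pop("msg", line),   # assumed field name
        "metadata": metadata,
    }

def convert_push(payload):
    """Flatten a Loki push payload ({"streams": [...]}) into records."""
    return [to_record(s["stream"], ts, line)
            for s in payload["streams"]
            for ts, line, *_ in s["values"]]

# Constructed sample in Loki's push format; request_id was used as a label.
SAMPLE = {"streams": [{
    "stream": {"job": "api", "env": "prod", "request_id": "r-8f2c"},
    "values": [["1700000000000000000",
                'level=error msg="upstream timeout" status=504 duration=30.0s']],
}]}

if __name__ == "__main__":
    print(json.dumps(convert_push(SAMPLE), indent=2))
```

Lines that are not logfmt pass through unchanged as the message with only the labels in `metadata`.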
Next Steps