Menu
Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Instrument and send databreadcrumb arrow Logsbreadcrumb arrow Delete unwanted information in log lines
Grafana Cloud

Delete unwanted information in log lines

In the event that sensitive, private, or unwanted information is added to your logs, you can use LogQL to create a query that identifies specific content to delete, and use the Loki API to delete those log lines. For example, you can create a query that matches all log lines that contain ten-digit numbers of the format XXX-XXX-XXXX over the last two days, to remove phone numbers that were accidentally published to your logs. When you’ve verified your query matches the lines you want to remove, you’ll send that query to the Loki API delete endpoint. As soon as you submit the log deletion request, the log data is filtered so that it is no longer available to be searched. The actual deletion is performed in batches as a background task every 24 hours. For more information on working with LogQL, refer to LogQL: Log query language in the Loki documentation.

In order to use the delete endpoint, you must supply a token for an access policy that grants logs deletion access. To create the needed access policy and token, you must use the Grafana Cloud Access Policies API or contact Support to install the Grafana Cloud Access Policy plugin in your Grafana stack.

Note

Log deletion is meant to scrub logs of unwanted content, not to reduce log usage and billing. Deleting logs after they’ve already been ingested does not affect usage volume. To learn how to control log usage, refer to Analyze log costs with Grafana Explore.

Configure an access policy and create a token

You must configure an access policy with log delete privileges and a token for that access policy to access log deletion endpoints. For more information on access policies, refer Grafana Cloud Access Policies.

Before you begin

You will need the following information to use the Grafana Cloud API:

  • Stack URL
  • Stack user ID

This information is available in your Grafana Loki Data Source settings. To find these settings:

  1. Go to the Cloud Portal, and click Details on the tile for the stack you want to work in.
  2. Click Details on the Loki tile.
  3. Make a note of your URL and your user ID number. These replace the <STACK-URL> and <STACK-USER-ID> placeholders in the API calls.

Configure an access policy and token

The following steps are for use with the Grafana Cloud Access Policy plugin. To create an access policy and token using the Grafana Cloud API, refer to Create an access policy and Create a token in the Grafana Cloud API reference. Only users with the Admin role can configure access policies and tokens.

  1. In your Grafana Cloud stack, click Configuration (gear icon).
  2. Click the Cloud access policies tab.
  3. Click Create access policy.
  4. Enter a name for the access policy.
  5. In the Resources column, for logs, select Delete.
  6. Select Create access policy to add the access policy.
  7. Select Add token to create a token for that access policy. This replaces the <API-TOKEN> placeholder in the following API calls.

Use the Loki DELETE API call

Use the following endpoints to manage log line deletion. For more information on Loki DELETE API reference, see the Compactor section in the Loki HTTP API reference.

Caution

When a delete request is executed, the change is permanent. You can’t restore deleted log lines.

Log line deletion requests

Use the following endpoint to delete log lines:

bash
POST /loki/api/v1/delete

For example, the following call uses a Loki query with a regexp to delete all log lines with timestamps between start-time-unixtimestamp and end-time-unixtimestamp that contain strings formatted like credit card numbers.

curl
curl -v -G -X POST 'https://<STACK-URL>/loki/api/v1/delete' \
	--data-urlencode 'query={system="creditcardpayments"} | regexp "msg=txn complete; purchase on card (?P<card-number>[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}) accepted"' \
	--data-urlencode 'start=<start-time-unixtimestamp>' \
	--data-urlencode 'end=<end-time-unixtimestamp>' \
	-u "<STACK-USER-ID>:<API-TOKEN>"

Log deletion request list

To get a list of requested deletions:

bash
GET /loki/api/v1/delete

For example:

curl
curl 'https://<STACK-URL>/loki/api/v1/delete' -u "<STACK-USER-ID>:<API-TOKEN>"

Request cancellation

To request cancellation of a deletion request before it is processed:

bash
DELETE /loki/api/v1/delete

For example:

curl
curl -X DELETE 'https://<STACK-URL>/loki/api/v1/delete?request_id=<request_id>' -u `<STACK-USER-ID>:<API-TOKEN>`