In Splunk, a query for searching text in a log message looks like ('condition 1' AND 'condition 2') OR ('condition 3'). How can the same be achieved in Grafana Loki/LogQL?
I tried using the query below in Grafana, and it works for the AND condition only:
{k8s_container_name="container"}
| json
| line_format `{{.body}}`
| json
|= `condition 1`
|= `condition 2`
I need a suggestion on how to add an OR block for condition 3 to the above query.
There is no general solution for `or` in stream selectors.
In this specific case, though, your goal can be accomplished with the following query:
{k8s_container_name="container"}
| json
| (body =~ `.*condition 1.*` and body =~ `.*condition 2.*`) or body =~ `.*condition 3.*`
| line_format `{{.body}}`
| json
Here, instead of line filter expressions, I use a label filter. They can be grouped using `and` and `or`. For more information, see the documentation for label filter expressions.
Note also that the `=~` and `!~` regex operators are fully anchored. That is why all the `.*` are needed in the expressions.
In a broader situation, as far as I know, you cannot apply `or` over the `|=` operator. The best that can be done is using `|~` instead, with the logic incorporated into the regex.
In your example, the expression will be like this:
|~ `condition1.*condition2|condition2.*condition1|condition3`
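
The regex construction from the last part of the answer, generalized as an added example (not part of the original answer): it builds the `|~` pattern for any OR of AND-groups of literal substrings, in Go because Go's `regexp` package uses the same RE2 syntax as Loki. The function names and the sample line are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// permute returns every ordering of terms (n! results, so keep AND groups small).
func permute(terms []string) [][]string {
	if len(terms) <= 1 {
		return [][]string{append([]string{}, terms...)}
	}
	var out [][]string
	for i := range terms {
		rest := append(append([]string{}, terms[:i]...), terms[i+1:]...)
		for _, p := range permute(rest) {
			out = append(out, append([]string{terms[i]}, p...))
		}
	}
	return out
}

// LineFilterRegex turns an OR of AND-groups of literal substrings into one
// RE2 pattern for a `|~` line filter. Literals are escaped with QuoteMeta.
func LineFilterRegex(groups [][]string) string {
	var alts []string
	for _, g := range groups {
		quoted := make([]string, len(g))
		for i, t := range g {
			quoted[i] = regexp.QuoteMeta(t)
		}
		for _, p := range permute(quoted) {
			alts = append(alts, strings.Join(p, ".*"))
		}
	}
	return strings.Join(alts, "|")
}

// Matches reports whether line passes the generated filter (unanchored, like `|~`).
func Matches(groups [][]string, line string) bool {
	return regexp.MustCompile(LineFilterRegex(groups)).MatchString(line)
}

func main() {
	groups := [][]string{{"condition 1", "condition 2"}, {"condition 3"}}
	fmt.Printf("|~ `%s`\n", LineFilterRegex(groups))
	fmt.Println(Matches(groups, "x condition 2 y condition 1")) // constructed sample line
}
```

Terms that overlap in the line (for example `ab` and `bc` in `abc`) pass two chained `|=` filters but not this pattern, and RE2's `.` does not cross newlines.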