Trigger a flow when a Loki query returns new results

Polls Loki at regular intervals with a LogQL query and triggers a flow execution when new log entries matching the query are found. The trigger maintains state to track processed logs and only fires on new entries. Ideal for SecOps, SOAR, alerting, and monitoring use cases.

yaml
type: "io.kestra.plugin.grafana.loki.Trigger"

Trigger on security alerts

yaml
id: security_alert_handler
namespace: security

tasks:
  - id: handle_alert
    type: io.kestra.plugin.core.log.Log
    message: "Security alert: {{ trigger.count }} new entries detected"

  - id: process_logs
    type: io.kestra.plugin.core.log.Log
    message: "{{ trigger.logs }}"

triggers:
  - id: watch_security_logs
    type: io.kestra.plugin.grafana.loki.Trigger
    # HTTPS, so the bearer token below is not sent in cleartext
    url: https://loki.example.com:3100
    authToken: "{{ secret('LOKI_TOKEN') }}"
    tenantId: production
    query: '{job="security", level="critical"} |= "unauthorized access"'
    interval: PT1M
    maxRecords: 100

Trigger on error patterns with authentication

yaml
id: error_monitor
namespace: monitoring

tasks:
  - id: send_alert
    type: io.kestra.plugin.notifications.slack.SlackIncomingWebhook
    url: "{{ secret('SLACK_WEBHOOK') }}"
    payload: |
      {
        "text": "🚨 {{ trigger.count }} errors detected",
        "blocks": [
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "*Query:* {{ trigger.query }}"
            }
          }
        ]
      }

triggers:
  - id: monitor_errors
    type: io.kestra.plugin.grafana.loki.Trigger
    url: https://loki.example.com:3100
    authToken: "{{ secret('LOKI_TOKEN') }}"
    tenantId: team-platform
    query: '{job="api", level="error"} |~ "timeout|connection refused"'
    interval: PT5M
    since: 10m

Trigger on payment failures (SOAR use case)

yaml
id: payment_failure_handler
namespace: payments

triggers:
  - id: watch_payment_failures
    type: io.kestra.plugin.grafana.loki.Trigger
    url: http://loki:3100
    tenantId: payments-team
    query: '{application="payment-gateway"} |= "payment failed" | json | amount > 1000'
    interval: PT30S
    maxRecords: 50
    since: 5m

tasks:
  - id: investigate
    type: io.kestra.plugin.core.log.Log
    message: "Investigating {{ trigger.count }} high-value payment failures"

Properties

LogQL query to monitor

The LogQL query to execute. When this query returns new results, the flow will be triggered.

Loki base URL

The base URL of your Loki instance (e.g., http://localhost:3100 or https://logs.example.com).

Authentication token

Bearer token for authentication if Loki is secured

List of conditions in order to limit the flow trigger.

Default 30

Connection timeout

HTTP connection timeout in seconds

Default PT1M
Format duration

Polling interval

How often to check for new logs. Defaults to every 1 minute.

Default 100

Maximum records per trigger

Maximum number of log entries to return per trigger execution. Defaults to 100.

Default 60

Read timeout

HTTP read timeout in seconds

Default 10m

Lookback window

Time window to look back for logs on first run (e.g., '1h', '30m', '1d'). Defaults to 10 minutes.

Custom state key

Custom key for storing trigger state. If not provided, defaults to namespace.flow_id.trigger_id

Default PT24H
Format duration

State TTL

Time to live for the trigger state. After this duration, the state will be cleared. Defaults to 1 day.

SubType string
Possible Values
CREATED, SUBMITTED, RUNNING, PAUSED, RESTARTED, KILLING, SUCCESS, WARNING, FAILED, KILLED, CANCELLED, QUEUED, RETRYING, RETRIED, SKIPPED, BREAKPOINT, RESUBMITTED

List of execution states after which a trigger should be stopped (a.k.a. disabled).

Grafana Loki Tenant ID

X-Scope-OrgID header value for multi-tenant Loki setups

Number of new log entries

Total count of logs that matched the query since last check

Latest timestamp

Timestamp of the most recent log entry (in nanoseconds)

SubType object

List of new log entries that triggered the flow

Each entry contains timestamp, labels, and log line or metric value

Query executed

The LogQL query that was executed

Result type

Type of result returned by Loki (streams, matrix, or vector)
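
The polling-with-state behaviour described at the top of this page, sketched in Python as an added example; it is not the plugin's own code. The `state` dict, the function name and the output keys `latest_timestamp_ns` and `result_type` are assumptions, and `SAMPLE` is a constructed response in the shape Loki's `query_range` API returns for log streams.

```python
import json

# Constructed sample of a Loki query_range response (resultType "streams").
SAMPLE = json.dumps({
    "status": "success",
    "data": {"resultType": "streams", "result": [
        {"stream": {"job": "security", "level": "critical"},
         "values": [["1700000002000000000", "unauthorized access from 10.0.0.7"],
                    ["1700000001000000000", "unauthorized access from 10.0.0.5"]]},
        {"stream": {"job": "security", "level": "critical", "host": "gw2"},
         "values": [["1700000003000000000", "unauthorized access from 10.0.0.9"]]},
    ]},
})


def evaluate(response_text, state, max_records=100):
    """Return trigger outputs for entries newer than state['last_ts'], or None.

    `state` is a hypothetical dict standing in for the trigger's stored state.
    """
    data = json.loads(response_text)["data"]
    if data["resultType"] != "streams":
        raise ValueError("this sketch only handles log streams")
    last_ts = state.get("last_ts", 0)
    entries = [
        {"timestamp": int(ts), "labels": s["stream"], "line": line}
        for s in data["result"] for ts, line in s["values"]
        if int(ts) > last_ts          # skip entries already processed
    ]
    if not entries:
        return None                   # nothing new: the flow is not triggered
    entries.sort(key=lambda e: e["timestamp"])   # oldest first
    entries = entries[:max_records]              # cap, like maxRecords
    # Advance the cursor only to what was actually emitted, so entries cut
    # off by the cap are picked up on the next poll instead of being lost.
    state["last_ts"] = entries[-1]["timestamp"]
    return {"count": len(entries), "latest_timestamp_ns": state["last_ts"],
            "logs": entries, "result_type": data["resultType"]}
```

A cursor based only on the timestamp skips entries that share a nanosecond timestamp with the last emitted one when the cap splits them, so size `maxRecords` and `interval` for the expected alert volume.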

Format partial-time

SLA daily deadline

Use it only for DAILY_TIME_DEADLINE SLA.

Format partial-time

SLA daily end time

Use it only for DAILY_TIME_WINDOW SLA.

Format partial-time

SLA daily start time

Use it only for DAILY_TIME_WINDOW SLA.

Default DURATION_WINDOW
Possible Values
DAILY_TIME_DEADLINE, DAILY_TIME_WINDOW, DURATION_WINDOW, SLIDING_WINDOW

The type of the SLA

The default SLA is a sliding window (DURATION_WINDOW) with a window of 24 hours.

Format duration

The duration of the window

Use it only for DURATION_WINDOW or SLIDING_WINDOW SLA. See ISO_8601 Durations for more information on available duration values. The start of the window is always based on midnight unless you set the windowAdvance parameter. E.g., if you have a 10-minute (PT10M) window, the first window will be 00:00 to 00:10, and a new window will start every 10 minutes.

Format duration

The window advance duration

Use it only for DURATION_WINDOW SLA. Allows you to specify the start time of the window. E.g., if you want a window of 6 hours (window=PT6H), by default the check will be done between 00:00 and 06:00, 06:00 and 12:00, 12:00 and 18:00, and 18:00 and 00:00. If you want to check the window between 03:00 and 09:00, 09:00 and 15:00, 15:00 and 21:00, and 21:00 and 03:00, you will have to shift the window by 3 hours by setting windowAdvance: PT3H.

The flow id.

The namespace of the flow.

The namespace of the flow or the prefix if prefix is true.

Default false

If we must look at the flow namespace by prefix (checked using startsWith). The prefix is case sensitive.

The flow id.

The namespace of the flow.

Format time

The time to test must be after this one.

Must be a valid ISO 8601 time with offset.

Format time

The time to test must be before this one.

Must be a valid ISO 8601 time with offset.

Default {{ trigger.date }}

The time to test.

Can be any variable or any valid ISO 8601 time. By default, it will use the trigger date.

List of labels to match in the execution.

Default {{ trigger.date }}

The date to test.

Can be any variable or any valid ISO 8601 datetime. By default, it will use the trigger date.

Min items 1

The list of conditions to validate.

If any condition is true, it will allow the event's execution.

String against which to match the execution namespace depending on the provided comparison.

Possible Values
EQUALS, PREFIX, SUFFIX

Comparison to use when checking if namespace matches. If not provided, it will use EQUALS by default.

Default false

Whether to look at the flow namespace by prefix. Shortcut for comparison: PREFIX.

Only used when comparison is not set

SubType

The list of preconditions to wait for

The key must be unique for a trigger because it will be used to store the previous evaluation result.

Validation RegExp ^[a-zA-Z0-9][a-zA-Z0-9_-]*
Min length 1

A unique id for the condition

Default true

Whether to reset the evaluation results of SLA conditions after a first successful evaluation within the given time period.

By default, after a successful evaluation of the set of SLA conditions, the evaluation result is reset, so, the same set of conditions needs to be successfully evaluated again in the same time period to trigger a new execution. This means that to create multiple executions, the same set of conditions needs to be evaluated to true multiple times. You can disable this by setting this property to false so that, within the same period, each time one of the conditions is satisfied again after a successful evaluation, it will trigger a new execution.

Default { "type": "DURATION_WINDOW" }

Define the time period (or window) for evaluating preconditions.

You can set the type of sla to one of the following values:

  1. DURATION_WINDOW: this is the default type. It uses a start time (windowAdvance) and end time (window) that are moving forward to the next interval whenever the evaluation time reaches the end time, based on the defined duration window. For example, with a 1-day window (the default option: window: PT1D), the SLA conditions are always evaluated during 24h starting at midnight (i.e. at time 00:00:00) each day. If you set windowAdvance: PT6H, the window will start at 6 AM each day. If you set windowAdvance: PT6H and you also override the window property to PT6H, the window will start at 6 AM and last for 6 hours; as a result, Kestra will check the SLA conditions during the following time periods: 06:00 to 12:00, 12:00 to 18:00, 18:00 to 00:00, and 00:00 to 06:00, and so on.
  2. SLIDING_WINDOW: this option also evaluates SLA conditions over a fixed time window, but it always goes backward from the current time. For example, a sliding window of 1 hour (window: PT1H) will evaluate executions for the past hour (so between now and one hour before now). It uses a default window of 1 day.
  3. DAILY_TIME_DEADLINE: this option declares that some SLA conditions should be met "before a specific time in a day". With the string property deadline, you can configure a daily cutoff for checking conditions. For example, deadline: "09:00:00" means that the defined SLA conditions should be met from midnight until 9 AM each day; otherwise, the flow will not be triggered.
  4. DAILY_TIME_WINDOW: this option declares that some SLA conditions should be met "within a given time range in a day". For example, a window from startTime: "06:00:00" to endTime: "09:00:00" evaluates executions within that interval each day. This option is particularly useful for declarative definition of freshness conditions when building data pipelines. For example, if you only need one successful execution within a given time range to guarantee that some data has been successfully refreshed in order for you to proceed with the next steps of your pipeline, this option can be more useful than a strict DAG-based approach. Usually, each failure in your flow would block the entire pipeline, whereas with this option, you can proceed with the next steps of the pipeline as soon as the data is successfully refreshed at least once within the given time range.
Min items 1

The list of conditions to exclude.

If any condition is true, it will prevent the event's execution.

Possible Values
FIRST, LAST, SECOND, THIRD, FOURTH

Are you looking for the first or the last day in the month?

Possible Values
MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY

The day of week.

Default {{ trigger.date }}

The date to test.

Can be any variable or any valid ISO 8601 datetime. By default, it will use the trigger date.

Possible Values
MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY

The day of week.

Default {{ trigger.date }}

The date to test.

Can be any variable or any valid ISO 8601 datetime. By default, it will use the trigger date.

SubType string
Possible Values
CREATED, SUBMITTED, RUNNING, PAUSED, RESTARTED, KILLING, SUCCESS, WARNING, FAILED, KILLED, CANCELLED, QUEUED, RETRYING, RETRIED, SKIPPED, BREAKPOINT, RESUBMITTED

List of states that are authorized.

SubType string
Possible Values
CREATED, SUBMITTED, RUNNING, PAUSED, RESTARTED, KILLING, SUCCESS, WARNING, FAILED, KILLED, CANCELLED, QUEUED, RETRYING, RETRIED, SKIPPED, BREAKPOINT, RESUBMITTED

List of states that aren't authorized.

Format date-time

The date to test must be after this one.

Must be a valid ISO 8601 datetime with the zone identifier (use 'Z' for the default zone identifier).

Format date-time

The date to test must be before this one.

Must be a valid ISO 8601 datetime with the zone identifier (use 'Z' for the default zone identifier).

Default {{ trigger.date }}

The date to test.

Can be any variable or any valid ISO 8601 datetime. By default, it will use the trigger date.

SubType string
Possible Values
CREATED, SUBMITTED, RUNNING, PAUSED, RESTARTED, KILLING, SUCCESS, WARNING, FAILED, KILLED, CANCELLED, QUEUED, RETRYING, RETRIED, SKIPPED, BREAKPOINT, RESUBMITTED

List of states that are authorized.

SubType string
Possible Values
CREATED, SUBMITTED, RUNNING, PAUSED, RESTARTED, KILLING, SUCCESS, WARNING, FAILED, KILLED, CANCELLED, QUEUED, RETRYING, RETRIED, SKIPPED, BREAKPOINT, RESUBMITTED

List of states that aren't authorized.

ISO 3166-1 alpha-2 country code. If not set, it uses the country code from the default locale.

It uses the Jollyday library for public holiday calendar that supports more than 70 countries.

Default {{ trigger.date }}

The date to test.

Can be any variable or any valid ISO 8601 datetime. By default, it will use the trigger date.

ISO 3166-2 country subdivision (e.g., provinces and states) code.

It uses the Jollyday library for public holiday calendar that supports more than 70 countries.