
LogQL Supported Queries

Jachen Duschletta edited this page Apr 14, 2023 · 32 revisions

LogQL: Supported Queries

Log Stream Selector

{label_1 = "value1", label2 =~ ".+value[2-3]"}

  • =: exactly equal
  • !=: not equal
  • =~: regex matches
  • !~: regex does not match

NOTE! label !~ ".+" returns nothing rather than all the logs without the label: every compared "fingerprint" is checked for having the label being searched for.
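The NOTE above matters for any query meant to find streams that are missing a label, so here is a small model of it. This is an added example, not code from the project: the function names and the sample streams are constructed, and it assumes that regexes are fully anchored and that the "must have the label" check applies to every operator. The `require_label=False` mode shows, for contrast, the Prometheus-style convention where a missing label is treated as an empty value.

```python
import re

def _compare(op, actual, wanted):
    """Evaluate one of the four stream-selector operators listed above."""
    if op == "=":
        return actual == wanted
    if op == "!=":
        return actual != wanted
    # Assumption: the regex must match the whole label value.
    hit = re.fullmatch(wanted, actual) is not None
    return hit if op == "=~" else not hit

def select(streams, matchers, require_label=True):
    """Return the streams whose labels satisfy every (label, op, value) matcher.

    require_label=True models the NOTE: a stream that lacks the label is
    never returned, even by a negative operator such as !~.
    require_label=False treats a missing label as "" (contrast case).
    """
    selected = []
    for labels in streams:
        matched = True
        for name, op, value in matchers:
            if require_label and name not in labels:
                matched = False
                break
            if not _compare(op, labels.get(name, ""), value):
                matched = False
                break
        if matched:
            selected.append(labels)
    return selected

def hosts(result):
    """Helper: sorted host names of the selected streams."""
    return sorted(s["host"] for s in result)

# Constructed sample label sets ("fingerprints"); web-2 has no env label.
STREAMS = [
    {"job": "sshd", "host": "web-1", "env": "prod"},
    {"job": "sshd", "host": "web-2"},
    {"job": "nginx", "host": "web-3", "env": "dev"},
]

if __name__ == "__main__":
    print(hosts(select(STREAMS, [("env", "!~", ".+")])))
    print(hosts(select(STREAMS, [("env", "!~", ".+")], require_label=False)))
```

With the behaviour described in the NOTE, the unlabelled stream web-2 is not returned by `env !~ ".+"`, so an empty result from such a query does not show that every stream carries the label.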

Line Filter Expression

{label1="1"} |= "ERROR"

  • |=: Log line contains string
  • !=: Log line does not contain string
  • |~: Log line contains a match to the regular expression
  • !~: Log line does not contain a match to the regular expression

Label Filter Expression

String filters

  • =: exactly equal
  • !=: not equal
  • =~: regex matches
  • !~: regex does not match
  • or, and: chain operators
  • Time and duration filters (unsupported)

Parser Expression

{label1="val1"} |json

  • json with parameters
  • json without parameters
  • regexp
  • logfmt
  • pattern
  • unpack

Log Range Aggregations

rate({label1="val1"} [1m])

  • rate(log-range)
  • count_over_time(log-range)
  • bytes_rate(log-range)
  • bytes_over_time(log-range)
  • absent_over_time(log-range)

Aggregation operators

sum(rate({label1="val1"} [1m])) by (label2)

  • sum: Calculate sum over labels
  • min: Select minimum over labels
  • max: Select maximum over labels
  • avg: Calculate the average over labels
  • stddev: Calculate the population standard deviation over labels
  • stdvar: Calculate the population standard variance over labels
  • count: Count number of elements in the vector
  • bottomk: Select smallest k elements by sample value
  • topk: Select largest k elements by sample value

Unwrap Expression

rate({label1="val1"}|unwrap int_valued_label [1s]) by (another_label)

Supported functions

  • rate(unwrapped-range): calculates the per-second rate of all values in the specified interval.
  • sum_over_time(unwrapped-range): the sum of all values in the specified interval.
  • avg_over_time(unwrapped-range): the average value of all points in the specified interval.
  • max_over_time(unwrapped-range): the maximum value of all points in the specified interval.
  • min_over_time(unwrapped-range): the minimum value of all points in the specified interval.
  • first_over_time(unwrapped-range): the first value of all points in the specified interval.
  • last_over_time(unwrapped-range): the last value of all points in the specified interval.
  • Aggregation operators over unwrapped expressions are supported.

NOTES:

  • In Grafana queries, use $__interval for unwrap, i.e.: unwrap data [$__interval]

Label Format Expression

{label1="val1"} | label_format label2=label1

  • label replace queries: Replace label name with a custom name
  • label drop queries: Drop labels from log lines

Line Format Expression (handlebars)

  • Filter specific JSON field and only display that:

{label1="val1"} | json | line_format "{{int_valued_label}}"

  • Perform simple arithmetic, a / (b + c):

{label1="val1"} | json | line_format "{{ divide a (sum b c) }}"

  • Perform other arithmetic functions:

{label1="val1"} | json | line_format "{{int_val}} / 2 = {{ divide int_val 2}}"

Metrics Queries

If you used the 'Insert Metrics API' to insert metrics, use unwrap_value to unwrap the metric value directly from a metric stream.

  • Average of a metric over 1m periods:

avg_over_time({label1="val1"} | unwrap_value [1m])