Function Syntax
LogScale query functions process event data by producing, reducing, or modifying values within query pipelines, with support for both built-in functions and user-created functions through saved queries. The documentation covers function syntax including composite function calls, user functions with arguments, link functions for creating clickable results, and repeating queries that execute at regular intervals for dashboards and alerts.
LogScale query functions take a set of events, parameters and/or configurations and produce, reduce, and/or modify values within that set or in the events themselves within a query pipeline. LogScale has many built-in query functions; they are listed and described in the Query Functions section.
Composite Function Calls
When a function accepts another function as an argument, special rules apply. All variations of groupBy(), bucket() and timeChart() that take a function as an argument can also use a composite function. Composite functions take the form { f1(..) | f2(..) } and work like the composition of f1 and f2.
For example:
groupBy(type, function={ avgFoo := avg(foo)
| outFoo := round(avgFoo) })
Filters can also be used inside such composite function calls, but saved queries cannot.
Queries can contain Comments. This is useful for long multi-line queries and especially with saved queries, for noting the purpose of each step. The following is an example of a comment embedded in a query:
#type=accesslog // choose the type
| top(url) // count urls and choose the most frequently used
Link Functions
When showing search results in a table, LogScale makes URLs into clickable links. If the value of a field appears as a link, the UI will automatically make it clickable. Links can be constructed in the search language with the format() function, as in the following example:
$extractRepo()
| top(repo)
| format("https://example.com/%s", field=repo, as=link)
For further clarity, Markdown formatting can be used to give the link a title:
$extractRepo()
| top(repo)
| format("[Link](https://example.com/%s)", field=repo, as=link)
Repeating Queries
Some functions have limitations around their use in live queries, such as
join() — see
beta:repeating() and selfJoin().
A repeating query is a static query that is executed at regular intervals and can be used in the same places as live queries, such as in dashboards or alerts.
Live queries are turned into a repeating query by adding the
beta:repeating() function. For example, this query
will be repeated every 10 minutes and can be used in dashboards and
alerts:
selfJoin(field=email_id, where=[{from=peter},{to=anders}])
| beta:repeating(10m)
Using beta:repeating() in a static query is allowed,
but has no effect.
Enabling Repeating Queries
Repeating queries are in beta. In order to use repeating queries, you
must enable them by making the following GraphQL mutation as root from
the API explorer found at
$$YOUR_LOGSCALE_URL/docs/api-explorer:
mutation {
enableFeature(feature: RepeatingQueries)
}
If this feature is disabled later, then any alert, dashboard, or saved
query using beta:repeating() in the query will not
function.