Example Queries

Let's look into different log entities, interpret some example queries and inspect them line by line.

Example 1

logscale
status >=400
| method != PATCH
| top(method, limit=3)

We can break this down to:

  • Search for status codes greater or equal to 400:

    logscale
    status >=400

  • Select all events having any HTTP method (GET, POST, etc.) except PATCH

    logscale
    | method != PATCH

  • Select the top three HTTP methods having the highest number of events that match the two conditions above and give the total count for each of the three methods found.

    logscale
    | top(method, limit=3)

Example 2

logscale
#type=humio #kind=metrics name=load-segment-total
| timeChart(#vhost, function=max(m1), limit=30)

We can break this down to:

  • Select all events having field #type equal to humio, #kind equal to metrics and name equal to load-segment-total

logscale
#type=humio #kind=metrics name=load-segment-total

  • Draw a linechart where the X-axis displays the time values grouped into buckets and the Y-axis shows results with one line per #vhost, limiting the results to only the top 30 vhosts that have the maximum values.

logscale
| timeChart(#vhost, function=max(m1), limit=30)

Example 3

logscale
#host=github #parser=json
| repo.name=docker/*
| groupBy(repo.name, function=count())
| sort()

We can break this down to:

  • Narrow the search to events in which the #host equals github, and the #parser used was json

    logscale
    #host=github #parser=json

  • Limit results to events that are taken from the GitHub repositories that start with the name, docker using a filter expression in cases where you're searching a view based on multiple joined repositories.

logscale
repo.name=docker/*

  • Aggregate the filtered results by first grouping by the repository name and then counting the number of events (github and json events only) from each docker repository.

logscale
groupBy(repo.name, function=count())

  • Sort by default field _count — results are sorted numerically, in descending order, so you get the most frequently mentioned repo.names at the top of the list.

logscale
sort()

Example 4

logscale
url=/^\/add_to_cart\/(?<product_id>\d+)/
| match(file="products.csv", column=product_id, field=product_id)
| sum(product_price, as="Total revenue")

Suppose we have a add_to_cart/productid field in our logs and that we have enriched these logs with product_name and product_price fields by importing a file named products.csv.

We can break this down to:

  • Find anything after /add_to_cart in the URL and make that into a product_id that consists of one or more digits

    logscale
    url=/^\/add_to_cart\/(?<product_id>\d+)/

  • Using the product_id, look up the product to get product_name and product_price from the products.csv file

logscale
| match(file="products.csv", column=product_id, field=product_id)

  • Sum all the product_price values and report the result in a field named Total revenue

logscale
| sum(product_price, as="Total revenue")