DQL Functions¶
The following is a list of functions supported by DQL. All function names are case-insensitive.
Concepts¶
| Method | Description |
|---|---|
M |
Refers to the Measurement in time series data. |
L |
Log data, classified logically by the field source. |
BL |
Backup log data, classified logically by the field source. |
O |
Object data, classified logically by the field class. |
OH |
Object history data, classified logically by the field class. |
CO |
Resource Catalog data, classified logically by the field class. |
COH |
Resource Catalog history data, classified logically by the field class. |
E |
Event data, classified logically by the field source. |
T |
Tracing data, classified logically by the field service. |
P |
Profile data, classified logically by the field service. |
R |
RUM data, classified logically by the field source |
S |
Security Check data, classified logically by the field category. |
N |
Network eBPF data, classified logically by the field source. |
SHOW Function List¶
show_object_source()¶
- Description: Displays the Measurement collection of
objectdata. This function does not require parameters. - Example:
# Request
show_object_source()
# Return
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_class()¶
- Description: Displays the Measurement collection of object data. This function does not require parameters.
Note: This function will be deprecated. Use show_object_source() instead.
show_object_field()¶
- Description: Displays the
filedslist of the object:
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Object Class Name | Object Type | string |
No | None | HOST |
- Example:
# Request
show_object_field('servers')
# Return
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_label()¶
- Description: Displays the label information contained in the object:
| Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
class |
Object Source Type | string |
Yes | HOST |
|
names |
Object Name List | []string |
No | ['aws', 'aliyun'] |
Note:
- The
namesparameter is optional. If not provided, it displays all labels forclass='source_class'. -
A maximum of 1000 object labels will be displayed.
-
Example:
# Request
show_object_label(class="host_processes", names=["ubuntu20-dev_49392"] )
# Return
{
"content": [
{
"series": [
{
"tags": {
"name": "ubuntu20-dev_49392"
},
"columns": [
"__docid",
"labels",
"key",
"value"
],
"values": [
[
"375370265b0641818a99ed1a61aed8563a25459d",
[
"l1",
"l2"
],
"host",
"ubuntu20-dev"
]
]
}
],
"cost": "1ms",
"raw_query": ""
}
]
}
Object History¶
show_object_history_source()
show_object_history_field()
show_object_history_label()
show_custom_object_history_source()
show_custom_object_history_field()
Logging Data¶
show_logging_source()¶
- Description: Displays the Measurement collection of logging data. This function does not require parameters.
- Example:
show_logging_source(), return structure is the same asshow_object_source()
show_logging_field()¶
-
Description: Displays all fileds list under the specified
source. -
Example:
show_logging_field("nginx"): return structure is the same asshow_object_field(Servers)
Backup Logs¶
show_backup_log_source()
show_backup_log_field()
Event (keyevent) Data¶
show_event_source()¶
- Description: Displays the Measurement collection of Keyevent data. This function does not require parameters.
- Example:
show_event_source(), return structure is the same asshow_object_source()
show_event_field()¶
-
Description: Displays all fields list under the
sourceMeasurement. -
Example:
show_event_field('datafluxTrigger'), return structure is the same asshow_object_field()
APM (tracing) Data¶
show_tracing_source()¶
-
Description: Displays the Measurement collection of tracing data. This function does not require parameters.
-
Example:
show_tracing_source(), return structure is the same asshow_object_source()
show_tracing_service()¶
- Description: Displays the Measurement collection of tracing data. This function does not require parameters.
Note: This function will be deprecated. Use
show_tracing_source()instead.
show_tracing_field()¶
- Description: Displays all fields list under the specified source.
- Example:
show_tracing_field('mysql'), return structure is the same asshow_object_field()
Profile Data¶
show_profiling_source()¶
-
Description: Displays the Measurement collection of tracing data. This function does not require parameters.
-
Example:
show_profiling_source(), return structure is the same asshow_object_source()
show_profiling_field()¶
- Description: Displays all fields list under the specified source.
- Example:
show_profiling_field('mysql'), return structure is the same asshow_object_field()
RUM Data¶
show_rum_source()¶
- Description: Displays the Measurement collection of RUM data. This function does not require parameters.
- Example:
show_rum_source(), return structure is the same asshow_object_source()
show_rum_type()¶
- Description: Displays the Measurement collection of RUM data. This function does not require parameters.
Note: This function will be deprecated. Use
show_rum_source()instead.
show_rum_field()¶
-
Description: Displays all fields list under the
source_valueMeasurement. -
Example:
show_rum_field('js_error'), return structure is the same asshow_object_field()
User Resource Catalog (custom object) Data¶
show_cobject_source()¶
- Description: Displays the Measurement collection of custom object data. This function does not require parameters.
- Example:
# Request
show_custom_object_source()
# Return
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_custom_object_class()¶
- Description: Displays the Measurement collection of custom object data. This function does not require parameters.
Note: This function will be deprecated. Use
show_custom_object_source()instead.
show_custom_object_field()¶
- Description: Displays all fileds list under the specified source.
- Example
# Request
show_cobject_field('servers')
# Return
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
Network eBPF (network) Data¶
show_network_source()¶
- Description: Displays the Measurement collection of network data. This function does not require parameters.
- Example:
show_network_source(), return structure is the same asshow_object_source()
show_network_field()¶
- Description: Displays all fileds list under the specified source.
- Example:
show_network_field('nginx'), return structure is the same asshow_object_field()
Time Series (metric) Data¶
show_measurement()¶
- Description: Displays the Measurement collection of time series data.
- Example:
show_measurement(), return structure is the same asshow_object_source()
show_tag_key()¶
- Description: Displays the tag list of the Measurement. You can specify a specific Measurement.
- Example:
# Request
show_tag_key(from=['cpu'])
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"tagKey"
],
"values": [
[
"cpu"
],
[
"host"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_tag_value()¶
-
Description: Returns the tag value list of the specified tag key in the database.
-
Note: keyin supports regular expression filtering, e.g., keyin=re('.*')
-
Example
# Request
show_tag_value(from=['cpu'], keyin=['host'],field=['usage_total'])
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"key",
"value"
],
"values": [
[
"host",
"jydubuntu"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_field_key()¶
- Description: Displays the field key list of the Measurement.
- Example:
show_field_key(from=['cpu']), return structure is the same asshow_object_field()
Workspace Information¶
show_workspaces()¶
- Description: Displays the current workspace and its authorized workspace information.
- Example:
# Request
show_workspaces()
# Return
{
"content": [
{
"series": [
{
"name": "show_workspaces",
"columns": [
"wsuuid",
"token",
"expireAt",
"createAt",
"name"
],
"values": [
[
"wksp_system",
"tokn_bW47smmgQpoZKP5A2xKuj8W2",
"",
"",
"System Workspace#"
],
[
"wksp_1fcd93a0766c11ebad5af2b2c21faf74",
"tkn_1fcd9a08766c11ebad5af2b2c21faf74",
"1641283729",
"1641283729",
"Solution Center"
]
]
}
],
"cost": "",
"is_running": false,
"async_id": ""
}
]
}
Aggregation Function List¶
avg()¶
- Description: Returns the average value of the field. There is only one parameter, and the parameter type is the field name.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | host |
- Applicable: All data types
Note: The field applied by
avg(field)must be of numeric type. If the fieldfieldis of string type (e.g.,'10'), you can use type conversion functions (e.g.,int()/float()) to achieve this, such asavg(int(field)).
- Example
# Request
L::nginx:(avg(connect_total)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"avg_connect_total"
],
"values": [
[
null,
50.16857454347234
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
bottom()¶
- Description: Returns the smallest n field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number of returns | int | Yes | None | 10 |
Note:
fieldcannot be thetimefield.
-
Applicable: All data types
-
Example
# Request
L::nginx:(bottom(host, 2)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609154974839,
"csoslinux"
],
[
1609154959048,
"csoslinux"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
top()¶
- Description: Returns the largest n field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number of returns | int | Yes | None | 10 |
Note:
fieldcannot be thetimefield.
- Applicable: All
- Example:
L::nginx:(top(host, 2)) {__errorCode='200'}, return structure is the same asbottom()
count()¶
- Description: Returns the sum of non-null field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name/Function Call | Numeric | Yes | None | host |
Note: field can be a function call, such as
count(distinct(field)), but this feature is only applicable toMdata type.
- Applicable: All
- Example
# Request
L::nginx:(count(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_host"
],
"values": [
[
null,
36712
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_distinct()¶
- Description: Counts the number of distinct values in a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | ip |
- Applicable: All
- Example
# Request
L::nginx:(count_distinct(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_distinct(host)"
],
"values": [
[
null,
3
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
derivative()¶
- Description: Returns the rate of change between two adjacent points in the field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
Note:
fieldmust be of numeric type.
- Applicable:
M - Example
# Request
M::cpu:(derivative(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"derivative"
],
"values": [
[
1608612970000,
-0.06040241121018255
],
[
1608612980000,
0.020079912763694096
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
difference()¶
- Description: Difference.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable:
M - Example
# Request
M::cpu:(difference(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"difference"
],
"values": [
[
1608612970000,
-0.6040241121018255
],
[
1608612980000,
0.20079912763694097
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct()¶
- Description: Returns a list of distinct values for
field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
- Applicable: All
- Example
# Request
R::js_error:(distinct(error_message))
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"distinct_error_message"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct_by_collapse()¶
- Description: Returns a list of distinct values for
field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
⚠️ The function can also add named parameters fields, specifying the list of fields to return.
For example:
-
Applicable: All except
M -
Note: distinct_by_collapse returns a list of field values.
-
Example
# Request
R::js_error:(distinct_by_collapse(error_message) as d1)
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"d1"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_filter()¶
- Description: Conditional filter aggregation, counting.
- Reference: Elasticsearch filter aggs
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | service |
| fieldValues | Filter Range | List | Yes | None | [['browser', 'df_rum_ios']] |
- Applicable: All except
M - Example
# Request
L::`*`:(count_filter(service,['browser', 'df_rum_ios']) as c1 ) by status
# Return
{
"content": [
{
"series": [
{
"tags": {
"status": "error"
},
"columns": [
"time",
"c1"
],
"values": [
[
null,
3947
]
]
}
],
"cost": "319ms",
"raw_query": "",
"total_hits": 6432,
"group_by": [
"status"
]
}
]
}
first()¶
- Description: Returns the earliest value by timestamp.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note
fieldcannot be thetimefield, i.e.,first(time)is meaningless.
- Applicable: All
- Example
# Request
L::nginx:(first(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609837113498,
"wangjiaoshou"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
float()¶
- Description: Type conversion function, converts string type data to float numeric.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within
sum/max/min/avgas a nested inner function (e.g.,sum(float(usage))), andfloat(fieldName)is currently not supported.
- Applicable: All except
M
int()¶
- Description: Type conversion function, converts string type data to int numeric.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within
sum/max/min/avgas a nested inner function (e.g.,sum(int(usage))), andint(usage)is currently not supported.
- Applicable: All except
M
histogram()¶
- Description: Histogram range aggregation.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Numeric | Field Name | Yes | None | usage |
| start-value | x-axis minimum boundary | Numeric Type | Yes | None | 300 |
| end-value | x-axis maximum boundary | Numeric Type | Yes | None | 600 |
| interval | Interval range | Numeric Type | Yes | None | 100 |
| min-doc | Values below this will not be returned | Numeric Type | No | None | 10 |
-
Applicable: All except
M -
Example
# Request
E::`monitor`:(histogram(date_range, 300, 6060, 100, 1))
# Return
{
"content": [
{
"series": [
{
"name": "monitor",
"columns": [
"time", # The field name is time, but it actually represents the y-axis value
"histogram(date_range, 300, 6060, 100, 1)"
],
"values": [
[
300,
11183
],
[
600,
93
]
]
}
],
"cost": "",
"raw_query": "",
"total_hits": 10000,
"group_by": null
}
]
}
last()¶
- Description: Returns the most recent value by timestamp.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note:
fieldcannot be thetimefield.
-
Applicable: All
-
Example:
L::nginx:(last(host)) {__errorCode='200'}, return structure is the same asfirst()
log()¶
- Description: Calculates the logarithm.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable:
M - Example
# Request
M::cpu:(log(usage_idle, 10)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"log"
],
"values": [
[
1608612960000,
1.9982417203437028
],
[
1608612970000,
1.995599815632755
]
]
}
],
"cost": " ",
"raw_query": ""
}
]
}
max()¶
- Description: Returns the largest field value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
-
Applicable: All
-
Example
# Request
L::nginx:(max(connect_total)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"max_connect_total"
],
"values": [
[
null,
99
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
median()¶
- Description: Returns the median of the sorted field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable:
M - Example:
# Request
M::`cpu`:(median(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"median(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
min()¶
- Description: Returns the smallest field value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable: All
- Example:
L::nginx:(min(connect_total)) {__errorCode='200'}, return structure is the same asmax()
mode()¶
- Description: Returns the most frequently occurring value in the field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable:
M - Example:
# Request
M::`cpu`:(mode(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"mode(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
moving_average()¶
- Description: Moving average.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable:
M - Example
# Request
M::cpu:(moving_average(usage_idle, 2)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"moving_average"
],
"values": [
[
1608612970000,
99.29394753991822
],
[
1608612980000,
99.09233504768578
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
non_negative_derivative()¶
- Description: Non-negative rate of change of data.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable:
M - Example
# Request
M::cpu:(non_negative_derivative(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"non_negative_derivative"
],
"values": [
[
1608612980000,
0.020079912763694096
],
[
1608613000000,
0.010417976581746303
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
percentile()¶
- Description: Returns the field value at the nth percentile.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
|
| Percentile | Returns the percentile value ([0, 100.0]) | int | Yes | 90 |
- Example
```python
Request¶
M::cpu:(percentile(usage_idle, 5)) limit 2
Return¶
{ "content": [ { "series": [ { "name": "cpu", "columns": [ "time", "percentile" ], "values": [ [ 1609133610000, 97.75280898882501 ] ] } ], "cost": "", "raw_query": ""