DQL Functions¶
The following is a list of functions supported by DQL. All function names are case-insensitive.
Concepts¶
| Function Name | Description |
|---|---|
| M | Refers to the Measurement in time series data. |
| L | Log data, using the field source as the logical classification. |
| BL | Backup log data, using the field source as the logical classification. |
| O | Object data, using the field class as the logical classification. |
| OH | Object history data, using the field class as the logical classification. |
| CO | Resource Catalog data, using the field class as the logical classification. |
| COH | Resource Catalog history data, using the field class as the logical classification. |
| E | Event data, using the field source as the logical classification. |
| T | Tracing data, using the field service as the logical classification. |
| P | Profile data, using the field service as the logical classification. |
| R | RUM data, using the field source as the logical classification. |
| N | Network eBPF data, using the field source as the logical classification. |
SHOW Function List¶
show_object_source()¶
- Description: Display the Measurement collection of `object` data. This function requires no parameters.
- Example:
# Request
show_object_source()
# Return
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_class()¶
- Description: Display the Measurement collection of object data. This function requires no parameters.
Note: This function is deprecated. Use show_object_source() instead.
show_object_field()¶
- Description: Display the list of `fields` for an object:
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Object Class Name | Object Type | string | No | None | HOST |
- Example:
# Request
show_object_field('servers')
# Return
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_label()¶
- Description: Display the label information contained in an object:
| Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| class | Object source type | string | Yes | | HOST |
| names | List of object names | []string | No | | ['aws', 'aliyun'] |
Note:
- The `names` parameter is optional. If not provided, it displays labels for all objects with `class='source_class'`.
- A maximum of 1000 object labels are displayed.
- Example:
# Request
show_object_label(class="host_processes", names=["ubuntu20-dev_49392"] )
# Return
{
"content": [
{
"series": [
{
"tags": {
"name": "ubuntu20-dev_49392"
},
"columns": [
"__docid",
"labels",
"key",
"value"
],
"values": [
[
"375370265b0641818a99ed1a61aed8563a25459d",
[
"l1",
"l2"
],
"host",
"ubuntu20-dev"
]
]
}
],
"cost": "1ms",
"raw_query": ""
}
]
}
Object History¶
show_object_history_source()
show_object_history_field()
show_object_history_label()
show_custom_object_history_source()
show_custom_object_history_field()
Logging Data¶
show_logging_source()¶
- Description: Display the Measurement collection of log data. This function requires no parameters.
- Example:
show_logging_source(), return structure same as show_object_source()
show_logging_field()¶
- Description: Display the list of all fields under the specified `source`.
- Example:
show_logging_field("nginx"): return structure same as show_object_field(Servers)
Backup Logs¶
show_backup_log_source()
show_backup_log_field()
Keyevent Data¶
show_event_source()¶
- Description: Display the Measurement collection of Keyevent data. This function requires no parameters.
- Example:
show_event_source(), return structure same as show_object_source()
show_event_field()¶
- Description: Display the list of all fields under the `source` Measurement.
- Example:
show_event_field('datafluxTrigger'), return structure same as show_object_field()
APM (Tracing) Data¶
show_tracing_source()¶
- Description: Display the Measurement collection of tracing data. This function requires no parameters.
- Example:
show_tracing_source(), return structure same as show_object_source()
show_tracing_service()¶
- Description: Display the Measurement collection of tracing data. This function requires no parameters.
Note: This function is deprecated. Use `show_tracing_source()` instead.
show_tracing_field()¶
- Description: Display the list of all fields under the specified source.
- Example:
show_tracing_field('mysql'), return structure same as show_object_field()
Profile Data¶
show_profiling_source()¶
- Description: Display the Measurement collection of tracing data. This function requires no parameters.
- Example:
show_profiling_source(), return structure same as show_object_source()
show_profiling_field()¶
- Description: Display the list of all fields under the specified source.
- Example:
show_profiling_field('mysql'), return structure same as show_object_field()
RUM Data¶
show_rum_source()¶
- Description: Display the Measurement collection of RUM data. This function requires no parameters.
- Example:
show_rum_source(), return structure same as show_object_source()
show_rum_type()¶
- Description: Display the Measurement collection of RUM data. This function requires no parameters.
Note: This function is deprecated. Use `show_rum_source()` instead.
show_rum_field()¶
- Description: Display the list of all fields under the `source_value` Measurement.
- Example:
show_rum_field('js_error'), return structure same as show_object_field()
User Resource Catalog (Custom Object) Data¶
show_cobject_source()¶
- Description: Display the Measurement collection of custom object data. This function requires no parameters.
- Example:
# Request
show_custom_object_source()
# Return
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_custom_object_class()¶
- Description: Display the Measurement collection of custom object data. This function requires no parameters.
Note: Deprecated. Use `show_custom_object_source()` instead.
show_custom_object_field()¶
- Description: Display the list of all fields under the specified source.
- Example:
# Request
show_cobject_field('servers')
# Return
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
Network eBPF Data¶
show_network_source()¶
- Description: Display the Measurement collection of network data. This function requires no parameters.
- Example:
show_network_source(), return structure same as show_object_source()
show_network_field()¶
- Description: Display the list of all fields under the specified source.
- Example:
show_network_field('nginx'), return structure same as show_object_field()
Time Series (Metric) Data¶
show_measurement()¶
- Description: Display the Measurement collection of time series data.
- Example:
show_measurement(), return structure same as show_object_source()
show_tag_key()¶
- Description: View the tag list of a Measurement. Can specify a specific Measurement.
- Example:
# Request
show_tag_key(from=['cpu'])
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"tagKey"
],
"values": [
[
"cpu"
],
[
"host"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_tag_value()¶
- Description: Returns the list of tag values for a specified tag key in the database.
- Note: `keyin` supports regular expression filtering, e.g.: `keyin=re('.*')`
- Example
# Request
show_tag_value(from=['cpu'], keyin=['host'],field=['usage_total'])
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"key",
"value"
],
"values": [
[
"host",
"jydubuntu"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_field_key()¶
- Description: View the field key list of a Measurement.
- Example:
show_field_key(from=['cpu']), return structure same as show_object_field()
Workspace Information¶
show_workspaces()¶
- Description: View current workspace and its authorized workspace information.
- Example:
# Request
show_workspaces()
# Return
{
"content": [
{
"series": [
{
"name": "show_workspaces",
"columns": [
"wsuuuid",
"token",
"expireAt",
"createAt",
"name"
],
"values": [
[
"wksp_system",
"tokn_bW47smmgQpoZKP5A2xKuj8W2",
"",
"",
"System Workspace#"
],
[
"wksp_1fcd93a0766c11ebad5af2b2c21faf74",
"tkn_1fcd9a08766c11ebad5af2b2c21faf74",
"1641283729",
"1641283729",
"Solution Center"
]
]
}
],
"cost": "",
"is_running": false,
"async_id": ""
}
]
}
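The `token` column in this response carries workspace credentials, so the result should not be written to logs or tickets as-is. The following is an added example (not code from the product) that masks that column in the documented `content` / `series` / `columns` / `values` layout; the helper names and the sample token values are constructed for illustration.

```python
import copy
import json

# Column names treated as secrets. "token" is the column shown in the
# show_workspaces() response above; extend the set for other queries.
SENSITIVE_COLUMNS = {"token"}


def mask(value, keep=4):
    """Keep a short prefix for correlation and hide the rest of the secret."""
    if not isinstance(value, str) or not value:
        return value  # empty strings / nulls carry nothing to hide
    return value[:keep] + "*" * 8


def _content_items(response):
    """Most responses use a list for "content"; histogram_auto() shows a dict."""
    content = response.get("content", [])
    return [content] if isinstance(content, dict) else content


def redact_response(response, sensitive=SENSITIVE_COLUMNS):
    """Return a deep copy of a DQL response with sensitive columns masked."""
    safe = copy.deepcopy(response)
    for item in _content_items(safe):
        for series in item.get("series", []):
            columns = series.get("columns", [])
            secret_idx = [i for i, c in enumerate(columns) if c in sensitive]
            for row in series.get("values", []):
                for i in secret_idx:
                    if i < len(row):
                        row[i] = mask(row[i])
    return safe


def rows(response):
    """Flatten every series into dicts keyed by column name."""
    out = []
    for item in _content_items(response):
        for series in item.get("series", []):
            columns = series.get("columns", [])
            out.extend(dict(zip(columns, row)) for row in series.get("values", []))
    return out


def safe_log_line(response):
    """Serialize a response for logging with secrets already masked."""
    return json.dumps(redact_response(response), sort_keys=True)


# Constructed sample mirroring the documented structure (values are not real).
SAMPLE = {
    "content": [{
        "series": [{
            "name": "show_workspaces",
            "columns": ["wsuuuid", "token", "expireAt", "createAt", "name"],
            "values": [
                ["wksp_system", "tokn_CONSTRUCTEDSYSTEMTOKEN", "", "",
                 "System Workspace#"],
                ["wksp_constructed0001", "tkn_CONSTRUCTEDTOKEN0001",
                 "1641283729", "1641283729", "Solution Center"],
            ],
        }],
        "cost": "",
        "is_running": False,
        "async_id": "",
    }]
}

if __name__ == "__main__":
    print(safe_log_line(SAMPLE))
```
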
Aggregation Function List¶
avg()¶
- Description: Returns the average value of a field. Has exactly one parameter, which is a field name.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | host |
- Applicable: All data types
Note: The `field` passed to `avg(field)` must be numeric. If `field` is of string type (e.g., `'10'`), convert it with a type conversion function (`int()`/`float()`), e.g., `avg(int(field))`.
- Example
# Request
L::nginx:(avg(connect_total)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"avg_connect_total"
],
"values": [
[
null,
50.16857454347234
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
bottom()¶
- Description: Returns the smallest n field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number to return | int | Yes | None | 10 |
Note: `field` cannot be the `time` field.
- Applicable: All data types
- Example
# Request
L::nginx:(bottom(host, 2)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609154974839,
"csoslinux"
],
[
1609154959048,
"csoslinux"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
top()¶
- Description: Returns the largest n field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number to return | int | Yes | None | 10 |
Note: `field` cannot be the `time` field.
- Applicable: All
- Example:
L::nginx:(top(host, 2)) {__errorCode='200'}, return structure same as bottom()
count()¶
- Description: Returns the aggregate value of non-null field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name/Function Call | Numeric | Yes | None | host |
Note: field can be a function call, e.g., `count(distinct(field))`, but this feature is only applicable to the `M` data type.
- Applicable: All
- Example
# Request
L::nginx:(count(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_host"
],
"values": [
[
null,
36712
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_distinct()¶
- Description: Counts the number of distinct values in a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | ip |
- Applicable: All
- Example
# Request
L::nginx:(count_distinct(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_distinct(host)"
],
"values": [
[
null,
3
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
derivative()¶
- Description: Returns the rate of change between two adjacent points of a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
Note: `field` must be numeric.
- Applicable: `M`
- Example
# Request
M::cpu:(derivative(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"derivative"
],
"values": [
[
1608612970000,
-0.06040241121018255
],
[
1608612980000,
0.020079912763694096
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
difference()¶
- Description: Difference.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable: `M`
- Example
# Request
M::cpu:(difference(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"difference"
],
"values": [
[
1608612970000,
-0.6040241121018255
],
[
1608612980000,
0.20079912763694097
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct()¶
- Description: Returns a list of distinct values for `field`.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
- Applicable: All
- Example
# Request
R::js_error:(distinct(error_message))
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"distinct_error_message"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct_by_collapse()¶
- Description: Returns a list of distinct values for `field`.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
⚠️ The function can also add named parameter fields, specifying the list of fields to return.
For example:
- Applicable: All except `M`
- Note: distinct_by_collapse returns a list of field values.
- Example
# Request
R::js_error:(distinct_by_collapse(error_message) as d1)
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"d1"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_filter()¶
- Description: Conditional filter aggregation, counting.
- Reference: Elasticsearch filter aggs
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | service |
| fieldValues | Filter Range | List | Yes | None | [['browser', 'df_rum_ios']] |
- Applicable: All except `M`
- Example
# Request
L::`*`:(count_filter(service,['browser', 'df_rum_ios']) as c1 ) by status
# Return
{
"content": [
{
"series": [
{
"tags": {
"status": "error"
},
"columns": [
"time",
"c1"
],
"values": [
[
null,
3947
]
]
}
],
"cost": "319ms",
"raw_query": "",
"total_hits": 6432,
"group_by": [
"status"
]
}
]
}
first()¶
- Description: Returns the value with the earliest timestamp.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: `field` cannot be the `time` field, i.e., `first(time)` is meaningless.
- Applicable: All
- Example
# Request
L::nginx:(first(host)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609837113498,
"wangjiaoshou"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
float()¶
- Description: Type conversion function, converts string type data to float numeric value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within `sum`/`max`/`min`/`avg` as a nested inner function (e.g., `sum(float(usage))`). `float(fieldName)` is currently not supported.
- Applicable: All except `M`
int()¶
- Description: Type conversion function, converts string type data to int numeric value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within `sum`/`max`/`min`/`avg` as a nested inner function (e.g., `sum(int(usage))`). `int(usage)` is currently not supported.
- Applicable: All except `M`
histogram()¶
- Description: Deprecated. It is recommended to use histogram_auto().
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Numeric | Field Name | Yes | None | usage |
| start-value | X-axis minimum boundary | Numeric Type | Yes | None | 300 |
| end-value | X-axis maximum boundary | Numeric Type | Yes | None | 600 |
| interval | Interval range | Numeric Type | Yes | None | 100 |
| min-doc | Values below this are not returned | Numeric Type | No | None | 10 |
- Applicable: All except `M`
- Example
# Request
E::`monitor`:(histogram(date_range, 300, 6060, 100, 1))
# Return
{
"content": [
{
"series": [
{
"name": "monitor",
"columns": [
"time", # The field name is time, but it actually represents the y-axis value.
"histogram(date_range, 300, 6060, 100, 1)"
],
"values": [
[
300,
11183
],
[
600,
93
]
]
}
],
"cost": "",
"raw_query": "",
"total_hits": 10000,
"group_by": null
}
]
}
histogram_auto()¶
- Description: Automatic histogram range aggregation. No need to manually specify bucket ranges; automatically selects appropriate bucket ranges to return statistical information about data distribution.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Column Name | Field Name | Yes | None | log_read_lines |
- Applicable: All except `M`
- Example
# Request
L::`kodo-inner`:(histogram_auto(log_read_lines))
# Return
{
"content": {
"series": [
{
"column_names": [
"time",
"lower_bounds",
"upper_bounds",
"counts",
"min",
"p50",
"p75",
"p90",
"p95",
"p99",
"max"
],
"columns": [
"time",
"lower_bounds",
"upper_bounds",
"counts",
"min",
"p50",
"p75",
"p90",
"p95",
"p99",
"max"
],
"values": [
[
1764757698362,
[
201691.45547304396,
205352.50264572573,
209080.00412788318,
212875.16617964883,
216739.21695685355,
220673.40690847093,
224679.00918127657,
228757.320031852,
232909.65924606723,
237137.37056617843,
241441.82212567702
],
[
205352.50264572573,
209080.00412788318,
212875.16617964883,
216739.21695685355,
220673.40690847093,
224679.00918127657,
228757.320031852,
232909.65924606723,
237137.37056617843,
241441.82212567702,
245824.40689203312
],
[
953,
3728,
3795,
3863,
3934,
4006,
4078,
4152,
4228,
4304,
2160
],
201691.45547304396,
223995.49789704292,
233795.03068273573,
239672.17434179393,
241844.21244684662,
245023.16181074618,
245824.40689203312
]
]
}
]
}
}
histogram_quantile()¶
- Description: Prometheus histogram percentile statistics. Similar to histogram_quantile in PromQL, it usually requires manually specifying Rollup logic.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Column Name | Field Name | Yes | None | log_read_lines |
| quantile | Quantile, range [0, 1] | Float | Yes | None | 0.9 |
- Applicable: Only for metric type `M`
We handle the logic of sum by le inside the histogram_quantile aggregation function, so the semantics of the following two queries are equivalent:
- DQL: M::service:(histogram_quantile(request_length_bucket, 0.9)) [rate]
- PromQL: histogram_quantile(0.9, sum(rate(service:request_length_bucket)) by (le))
- Query Result:
{
"content": [
{
"series": [
{
"name": "service",
"columns": [
"time",
"histogram_quantile(request_length_bucket, 0.9)"
],
"values": [
[
1764757698362,
11304
]
]
}
]
}
]
}
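An added example (not code from the product) of what the sum-by-`le` step described above means in practice: bucket rates from every series are added per `le` bound first, and the quantile is computed once on the merged buckets. It uses the PromQL linear-interpolation rule; that DQL interpolates identically is an assumption, and the `host` tags and rate values are constructed.

```python
import math
from collections import defaultdict


def sum_by_le(samples):
    """Collapse every tag except `le`, adding bucket values per upper bound.

    samples: iterable of (tags, value), where tags["le"] is the bucket's
    upper bound as a string ("+Inf" for the overflow bucket).
    Returns [(upper_bound, cumulative_value), ...] sorted by bound.
    """
    totals = defaultdict(float)
    for tags, value in samples:
        totals[float(tags["le"])] += value  # float("+Inf") -> math.inf
    return sorted(totals.items())


def histogram_quantile(q, buckets):
    """PromQL-style quantile over cumulative buckets sorted by upper bound."""
    if not 0 <= q <= 1:
        raise ValueError("quantile must be within [0, 1]")
    # Without a +Inf bucket the total observation count is unknown.
    if len(buckets) < 2 or not math.isinf(buckets[-1][0]):
        return math.nan
    total = buckets[-1][1]
    if total == 0:
        return math.nan
    rank = q * total
    idx = next(i for i, (_, count) in enumerate(buckets) if count >= rank)
    if idx == len(buckets) - 1:
        # Rank falls in the +Inf bucket: report the highest finite bound.
        return buckets[-2][0]
    upper, count = buckets[idx]
    lower, below = (0.0, 0.0) if idx == 0 else buckets[idx - 1]
    if idx == 0 and upper <= 0:
        return upper
    if count == below:  # empty bucket (only reachable for q == 0)
        return lower
    # Assume observations are spread evenly inside the bucket.
    return lower + (upper - lower) * (rank - below) / (count - below)


def merged_quantile(q, samples):
    """Quantile after merging all series, as the equivalence above describes."""
    return histogram_quantile(q, sum_by_le(samples))


# Constructed per-second bucket rates for two hosts reporting the same histogram.
SAMPLES = [
    ({"host": "a", "le": "100"}, 10), ({"host": "a", "le": "500"}, 30),
    ({"host": "a", "le": "1000"}, 40), ({"host": "a", "le": "+Inf"}, 40),
    ({"host": "b", "le": "100"}, 40), ({"host": "b", "le": "500"}, 50),
    ({"host": "b", "le": "1000"}, 60), ({"host": "b", "le": "+Inf"}, 60),
]


def only(host):
    """Select one host's buckets, to compare against the merged result."""
    return [(t, v) for t, v in SAMPLES if t["host"] == host]


if __name__ == "__main__":
    print("merged p50:", merged_quantile(0.5, SAMPLES))
    print("host a p50:", merged_quantile(0.5, only("a")))
    print("host b p50:", merged_quantile(0.5, only("b")))
```

The merged median differs from the average of the per-host medians, which is why the buckets are summed before the quantile is taken.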
last()¶
- Description: Returns the value with the most recent timestamp.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: `field` cannot be the `time` field.
- Applicable: All
- Example:
L::nginx:(last(host)) {__errorCode='200'}, return structure same as first()
log()¶
- Description: Calculates logarithm.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable: `M`
- Example
# Request
M::cpu:(log(usage_idle, 10)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"log"
],
"values": [
[
1608612960000,
1.9982417203437028
],
[
1608612970000,
1.995599815632755
]
]
}
],
"cost": " ",
"raw_query": ""
}
]
}
max()¶
- Description: Returns the largest field value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | connect_total |
- Applicable: All
- Example
# Request
L::nginx:(max(connect_total)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"max_connect_total"
],
"values": [
[
null,
99
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
median()¶
- Description: Returns the median of the sorted field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: `M`
- Example:
# Request
M::`cpu`:(median(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"median(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
min()¶
- Description: Returns the smallest field value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | connect_total |
- Applicable: All
- Example:
L::nginx:(min(connect_total)) {__errorCode='200'}, return structure same as max()
mode()¶
- Description: Returns the most frequently occurring value in a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: `M`
- Example:
# Request
M::`cpu`:(mode(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"mode(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
moving_average()¶
- Description: Moving average.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | connect_total |
- Applicable: `M`
- Example
# Request
M::cpu:(moving_average(usage_idle, 2)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"moving_average"
],
"values": [
[
1608612970000,
99.29394753991822
],
[
1608612980000,
99.09233504768578
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
non_negative_derivative()¶
- Description: Non-negative rate of change of the data.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | connect_total |
- Applicable: `M`
- Example
# Request
M::cpu:(non_negative_derivative(usage_idle)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"non_negative_derivative"
],
"values": [
[
1608612980000,
0.020079912763694096
],
[
1608613000000,
0.010417976581746303
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
percentile()¶
- Description: Returns the field value at the larger nth percentile.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
| Percentile | Returns the percentile value ([0, 100.0]) | int | Yes | | 90 |
- Example
# Request
M::cpu:(percentile(usage_idle, 5)) limit 2
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"percentile"
],
"values": [
[
1609133610000,
97.75280898882501
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
round()¶
- Description: Rounds a floating-point number.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: `M`
- Example:
# Request
M::`cpu`:(round(`usage_idle`)) by host limit 2 slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"round(usage_idle)"
],
"values": [
[
1642052708975,
100
],
[
1642052718974,
100
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
spread()¶
- Description: Returns the difference between the maximum and minimum values in a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: `M`
- Example:
# Request
M::`cpu`:(spread(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"spread(usage_idle)"
],
"values": [
[
1642052700000,
1.0999999940395355
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
stddev()¶
- Description: Returns the standard deviation of a field.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: `M`
- Example:
# Request
M::`cpu`:(stddev(`usage_idle`)) by host slimit 1
# Return
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"stddev(usage_idle)"
],
"values": [
[
1642052700000,
0.20738583871093008
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
sum()¶
- Description: Returns the sum of field values.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: All
- Example
# Request
L::nginx:(sum(connect_total)) {__errorCode='200'}
# Return
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"sum_connect_total"
],
"values": [
[
null,
1844867
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
rate_over_sum()¶
- Description: Sums the field within the aggregation window, then divides by the window length (seconds), used to calculate the average rate. Result is a floating-point type.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_total |
- Example
# Request
L::service:(rate_over_sum(usage_total)) [5m]
# Return
{
"content": [
{
"series": [
{
"name": "service",
"columns": [
"time",
"sum(usage_total) / 300"
],
"values": [
[
1642052700000,
12.43
]
]
}
]
}
]
}
rate_over_count()¶
- Description: Counts the number of non-null values of a field within the aggregation window, and divides by the window length (seconds), used to calculate event frequency. Result is a floating-point type.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Any | Yes | | * |
- Example
# Request
L::service:(rate_over_count(*)) [5m]
# Return
{
"content": [
{
"series": [
{
"name": "service",
"columns": [
"time",
"count(*) / 300"
],
"values": [
[
1642052700000,
5.6
]
]
}
]
}
]
}
Filter Functions¶
Filter functions are generally used in query condition judgments (i.e., common WHERE clauses).
cidr()¶
- Description: Used to match IPs based on network segments. Returns a boolean value.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host_ip |
| pattern | Supports IPv4, IPv6 network segments | string | Yes | None | "10.128.0.0/9" or "2001:db8:8000::/33" |
- Applicable: All
- Example:
L::nginx:(count(*)) { cidr(host_ip, "203.0.113.10/31") }
exists()¶
- Description: In a document, the specified field must exist.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | | usage_idle |
- Applicable: All except `M`
- Example
# Request
rum::js_error:(sdk_name, error_message) { sdk_name=exists() } limit 1
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
match()¶
- Description: Full-text search (fuzzy search).
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Field Value | Query field value | void | Yes | | host1 |
- Applicable: All
- Example:
# Request
rum::js_error:(sdk_name, error_message) { error_message=match('not defined') } limit 1
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
re()¶
- Description: Filter query via regular expression.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Field Value | Query field value | void | Yes | | host1 |
- Applicable: All
Note: Regular expression queries have very low performance and are not recommended.
Note: The regular expression syntax for time series metric (`M`) data refers to here. The regular expression syntax for non-time series metric data refers to here
- Example:
# Request
rum::js_error:(sdk_name, error_message) { error_message=re('.*not defined.*') } limit 1
# Return
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
regexp_extract()¶
- Description: Extracts the substrings of the target string that match the regular expression, then returns the first substring matching the target capture group.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Field Name | Query field | string | Yes | | message |
| Regular Expression | Regular expression containing capture groups | string | Yes | | error (\\\\S+) |
| Return Group | The nth group to return | int | No | 0 (represents matching the entire regular expression) | 1 (represents matching the first group in the regular expression, and so on...) |
- Applicable: All except `M`
- Example:
# Request
L::`*`:(regexp_extract(message,'error (\\\\S+)', 1) as m1, count(`*`) as c1) {index='default'} by m1
# Return
{
"content": [
{
"series": [
{
"tags": {
"m1": "retrieving1"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
7852
]
]
},
{
"tags": {
"m1": "retrieving2"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
4
]
]
},
{
"tags": {
"m1": "retrieving3"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
1
]
]
}
],
"points": null,
"cost": "968ms",
"raw_query": "",
"total_hits": 10000
}
]
}
regexp_extract_all()¶
- Description: Extracts the substrings of the target string that match the regular expression, and returns a collection of substrings matching the target capture group.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Field Name | Query field | string | Yes | | message |
| Regular Expression | Regular expression containing capture groups | string | Yes | | error (\\\\S+) (\\\\S+) |
| Return Group | The nth group to return | int | No | 0 (represents matching the entire regular expression) | 1 (represents matching the first group in the regular expression, and so on...) |
- Applicable: All except `M`
- Example:
# Request
L::`*`:(regexp_extract_all(message,'error (\\\\S+) (\\\\S+)', 2) as m1, count(`*`) as c1 ) {index='default'} by m1
# Return
{
"content": [
{
"series": [
{
"tags": {
"m1": "[]"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
168761
]
]
},
{
"tags": {
"m1": "[resource]"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
7857
]
]
}
],
"points": null,
"cost": "745ms",
"raw_query": "",
"total_hits": 10000
}
]
}
queryString()¶
Note: `queryString()` is deprecated. Use the underscore form `query_string()` instead, which has equivalent functionality.
query_string()¶
- Description: String query. DQL uses a special syntax parser to parse the input string and query documents.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Query Condition | Query input string | string | Yes | info OR warning |
- Applicable: All except `M`
- Note: Recommended for general search scenarios.
- Reference: for `query_string()` queries, refer to here
- Example
# Request
L::datakit:(host,message) {message=query_string('/[telegraf|GIN]/ OR /[rum|GIN]/')} limit 1
# Return
{
"content": [
{
"series": [
{
"name": "datakit",
"columns": [
"time",
"host",
"message"
],
"values": [
[
1616412168015,
"aaffb5b0ce0b",
""
]
]
}
],
"cost": "26ms",
"raw_query": "",
"total_hits": 12644,
"group_by": null
}
]
}
Various Usages of query_string()¶
- Ordinary full-text query: `field=query_string('field_value')` takes exactly one parameter, the field value to query, similar to the function `match()` above.
- Query condition logic combination: `status=query_string("info OR warning")`
- Supported logical operators are as follows (must use uppercase strings):
    - `AND`
    - `OR` (default)
- Spaces (` `) and commas (`,`) in the string both represent `AND` relationships.
- Wildcard query
    - `message=query_string("error*")`: `*` matches 0 or more arbitrary characters.
    - `message=query_string("error?")`: `?` matches 1 arbitrary character.
wildcard()¶
- Description: Wildcard query. The wildcard character `*` matches 0 or more arbitrary characters; `?` matches 1 arbitrary character.
| Non-named Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| Query Condition | Query input string | string | Yes | info* |
- Applicable: All except `M`
Note: Wildcard queries have lower performance and consume more resources. DQL queries do not enable left wildcards by default.
Reference: for wildcard queries, refer to here
- Example
# Request
L::datakit:(host,message) {message=wildcard('write*')} limit 1
# Return
{
"content": [
{
"series": [
{
"name": "datakit",
"columns": [
"time",
"host",
"message"
],
"values": [
[
1616412168015,
"aaffb5b0ce0b",
""
]
]
}
],
"cost": "26ms",
"raw_query": "",
"total_hits": 12644,
"group_by": null
}
]
}
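One way to enforce the note above before a user-supplied pattern is placed in a `wildcard()` filter, as an added example that is not part of the DQL documentation. The function names, the character allow-list and the three-character minimum prefix are assumptions of this example, and `wildcard_matches` assumes the pattern is compared against the whole value.

```python
import re

# Assumed policy: identifiers for field names, a narrow allow-list for patterns.
FIELD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
ALLOWED = re.compile(r"[A-Za-z0-9_.:/*?-]+")


def literal_prefix(pattern):
    """Characters before the first wildcard; a leading wildcard gives ''."""
    return re.split(r"[*?]", pattern, maxsplit=1)[0]


def check_wildcard(pattern, min_prefix=3):
    """Reject left wildcards, near-unbounded patterns and quote characters."""
    if not ALLOWED.fullmatch(pattern):
        raise ValueError("pattern contains characters outside the allow-list")
    if len(literal_prefix(pattern)) < min_prefix:
        raise ValueError("pattern needs a literal prefix of %d characters" % min_prefix)
    return pattern


def wildcard_filter(field, pattern):
    """Build the filter in the form the page uses: message=wildcard('write*')."""
    if not FIELD.fullmatch(field):
        raise ValueError("field name is not a plain identifier")
    return f"{field}=wildcard('{check_wildcard(pattern)}')"


def wildcard_matches(pattern, value):
    """Local emulation: `*` is 0 or more characters, `?` is exactly 1."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None


if __name__ == "__main__":
    print(wildcard_filter("message", "write*"))
    for candidate in ("*write", "wr*", "write' or"):
        try:
            check_wildcard(candidate)
        except ValueError as err:
            print(f"rejected {candidate!r}: {err}")
```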
with_labels()¶
- Description: Query object information through object labels.
| Parameter | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| object_class | Object source type | string | Yes | HOST | |
| labels | Object label list | []string | Yes | ['aws', 'aliyun'] | |
| object_name | Object name | string | No | ubuntu20-dev | |
| key | The field name returned based on the label query. | string | No | name | name |
| max | The maximum number of objects returned by the label query. Currently supports a maximum value of 1000. | int | No | 1000 | 10 |
- Usage
    - Query objects by label: `object::HOST:() {name=with_labels(object_class='HOST', labels=['aws'])}`
    - Query objects by label, then associate with time series metrics: `M::cpu(user_total){host=with_labels(object_class="HOST", labels=["aws"], key="name", max=10) }`
- Applicable: `O`/`CO`
- Note
    - The maximum number of objects obtained through labels is 1000. To obtain more objects, you can narrow the query time range or add more query conditions.
    - The `labels` parameter is a list of strings. The relationship between multiple labels is logical AND (i.e., `labels=['l1', 'l2']` means querying objects containing labels `'l1' AND 'l2'`).
- Example
# Request
object::docker_containers:() {name=with_labels(object_class='docker_containers', labels=['klgalga'])}
# Return
{
"content": [
{
"series": [
{
"name": "docker_containers",
"columns": [
"block_write_byte",
"class",
"pod_name",
"__docid",
"image_short_name",
"image_tag",
"state",
"cpu_system_delta",
"name",
"image_name",
"cpu_usage",
"create_time",
"from_kubernetes",
"host",
"mem_failed_count",
"block_read_byte",
"cpu_numbers",
"mem_limit",
"network_bytes_rcvd",
"process",
"container_name",
"container_type",
"mem_used_percent",
"network_bytes_sent",
"container_id",
"time",
"cpu_delta",
"docker_image",
"mem_usage",
"message",
"pod_namespace",
"status",
"age",
"df_label"
],
"values": [
[
0,
"docker_containers",
"coredns-66db54ff7f-lgw48",
"O_10f9f174f98ff1b8a6543819aeeab811",
"sha256",
"67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",
"running",
4980000000,
"16fa0160ca432c11b74b784f13d2a92005ddd0d97b3bb9a2dadf34156e0d0986",
"sha256",
0.115964,
1626862244282,
true,
"izbp152ke14timzud0du15z",
0,
7496810496,
4,
178257920,
0,
"[{\"C\":\"0\",\"CMD\":\"/coredns -conf /etc/coredns/Corefile\",\"PID\":\"23543\",\"PPID\":\"23510\",\"STIME\":\"Jun16\",\"TIME\":\"01:55:30\",\"TTY\":\"?\",\"UID\":\"root\"}]",
"k8s_coredns_coredns-66db54ff7f-lgw48_kube-system_6342828e-cc7d-4ef5-95b9-9503ee860da1_0",
"kubernetes",
7.295496,
0,
"16fa0160ca432c11b74b784f13d2a92005ddd0d97b3bb9a2dadf34156e0d0986",
1627438611536,
1443756,
"sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",
13004800,
"{}",
"kube-system",
"Up 5 weeks",
3603246,
[
"klgjg",
"klgalga",
"gaga"
]
]
]
}
],
"cost": "2ms",
"raw_query": "",
"total_hits": 1
}
]
}
SLS promql Functions¶
The following is a comparison of function support between InfluxDB and SLS promql:
| func | influxdb | SLS promql | Remarks |
|---|---|---|---|
| avg | mean | avg | |
| count | count | count | |
| derivative (Calculates the unit rate of change for a column value in the statistical table) | derivative | rate | SLS does not support `by`, but `by` can be applied by adding another aggregation function |
| median | median | quantile | |
| match | re | like | |
| bottom (Returns the smallest k non-NULL values of a column) | bottom | bottomk | |
| top (Returns the largest k non-NULL values of a column) | top | topk | |
| max | max | max | |
| min | min | min | |
| percentile (Calculates the percentile of a column value in the statistical table) | percentile | quantile | |
| round | round | round | Does not support group by |
| stddev | stddev | stddev | |
| sum | sum | sum | |
| log | log | ln | |
| p50 (Percentile) | percentile | quantile | |
| p75 (Percentile) | percentile | quantile | |
| p90 (Percentile) | percentile | quantile | |
| p99 (Percentile) | percentile | quantile | |
| count_distinct | count(distinct()) | None | |
| difference (Calculates the difference between a column value and the corresponding value in the previous row in the statistical table) | difference | None | |
| distinct | distinct | None | |
| non_negative_derivative (Calculates the unit rate of change for a column value in the statistical table, only positive values) | non_negative_derivative | None | |
| first (The first piece of data in the table) | first | None | |
| last (The latest piece of data in the table) | last | None | |
| spread (Calculates the difference between the maximum and minimum values of a column in a table/supertable) | spread | None | |
| mode (Mode) | mode | None | |
| moving_average (Calculates the moving average of k consecutive values) | moving_average | None | |