DQL Functions¶
The following is a list of functions supported by DQL. All function names are case-insensitive.
Concepts¶
| Function Name | Description |
|---|---|
| M | Refers to the Measurement in time series data. |
| L | Log data, with the field `source` as the logical classification. |
| BL | Backup log data, with the field `source` as the logical classification. |
| O | Object data, with the field `class` as the logical classification. |
| OH | Object history data, with the field `class` as the logical classification. |
| CO | Resource Catalog data, with the field `class` as the logical classification. |
| COH | Resource Catalog history data, with the field `class` as the logical classification. |
| E | Event data, with the field `source` as the logical classification. |
| T | Tracing data, with the field `service` as the logical classification. |
| P | Profile data, with the field `service` as the logical classification. |
| R | RUM data, with the field `source` as the logical classification. |
| N | Network eBPF data, with the field `source` as the logical classification. |
SHOW Function List¶
show_object_source()¶
- Description: Displays the Measurement set of `object` data. This function does not require parameters.
- Example:
# Request
show_object_source()
# Response
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_class()¶
- Description: Displays the Measurement set of object data. This function does not require parameters.
Note: This function will be deprecated. Use show_object_source() instead.
show_object_field()¶
- Description: Displays the `fields` list of objects:
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Object Classification Name | Object Type | string | No | None | HOST |
- Example:
# Request
show_object_field('servers')
# Response
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_object_label()¶
- Description: Displays the label information contained in the object:
| Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| `class` | Object source type | string | Yes | HOST | |
| `names` | Object name list | []string | No | ['aws', 'aliyun'] |
Note:
- The `names` parameter is optional. If not passed, it displays all labels for `class='source_class'`.
- A maximum of 1000 object labels can be displayed.
- Example:
# Request
show_object_label(class="host_processes", names=["ubuntu20-dev_49392"] )
# Response
{
"content": [
{
"series": [
{
"tags": {
"name": "ubuntu20-dev_49392"
},
"columns": [
"__docid",
"labels",
"key",
"value"
],
"values": [
[
"375370265b0641818a99ed1a61aed8563a25459d",
[
"l1",
"l2"
],
"host",
"ubuntu20-dev"
]
]
}
],
"cost": "1ms",
"raw_query": ""
}
]
}
Object History¶
show_object_history_source()
show_object_history_field()
show_object_history_label()
show_custom_object_history_source()
show_custom_object_history_field()
Logging Data¶
show_logging_source()¶
- Description: Displays the Measurement set of log data. This function does not require parameters.
- Example:
`show_logging_source()`, the response structure is the same as `show_object_source()`.
show_logging_field()¶
- Description: Displays all fields under the specified `source`.
- Example:
`show_logging_field("nginx")`: the response structure is the same as `show_object_field(Servers)`.
Backup Logs¶
show_backup_log_source()
show_backup_log_field()
Keyevent Data¶
show_event_source()¶
- Description: Displays the Measurement set of Keyevent data. This function does not require parameters.
- Example:
`show_event_source()`, the response structure is the same as `show_object_source()`.
show_event_field()¶
- Description: Displays all fields under the `source` Measurement.
- Example:
`show_event_field('datafluxTrigger')`, the response structure is the same as `show_object_field()`.
APM (Tracing) Data¶
show_tracing_source()¶
- Description: Displays the Measurement set of tracing data. This function does not require parameters.
- Example:
`show_tracing_source()`, the response structure is the same as `show_object_source()`.
show_tracing_service()¶
- Description: Displays the Measurement set of tracing data. This function does not require parameters.
Note: This function will be deprecated. Use `show_tracing_source()` instead.
show_tracing_field()¶
- Description: Displays all fields under the specified source.
- Example:
`show_tracing_field('mysql')`, the response structure is the same as `show_object_field()`.
Profile Data¶
show_profiling_source()¶
- Description: Displays the Measurement set of tracing data. This function does not require parameters.
- Example:
`show_profiling_source()`, the response structure is the same as `show_object_source()`.
show_profiling_field()¶
- Description: Displays all fields under the specified source.
- Example:
`show_profiling_field('mysql')`, the response structure is the same as `show_object_field()`.
RUM Data¶
show_rum_source()¶
- Description: Displays the Measurement set of RUM data. This function does not require parameters.
- Example:
`show_rum_source()`, the response structure is the same as `show_object_source()`.
show_rum_type()¶
- Description: Displays the Measurement set of RUM data. This function does not require parameters.
Note: This function will be deprecated. Use `show_rum_source()` instead.
show_rum_field()¶
- Description: Displays all fields under the `source_value` Measurement.
- Example:
`show_rum_field('js_error')`, the response structure is the same as `show_object_field()`.
User Resource Catalog (Custom Object) Data¶
show_cobject_source()¶
- Description: Displays the Measurement set of custom object data. This function does not require parameters.
- Example:
# Request
show_custom_object_source()
# Response
{
"content": [
{
"series": [
{
"name": "measurements",
"columns": [
"name"
],
"values": [
[
"Servers"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_custom_object_class()¶
- Description: Displays the Measurement set of custom object data. This function does not require parameters.
Note: This function will be deprecated. Use `show_custom_object_source()` instead.
show_custom_object_field()¶
- Description: Displays all fields under the specified source.
- Example
# Request
show_cobject_field('servers')
# Response
{
"content": [
{
"series": [
{
"name": "fields",
"columns": [
"fieldKey",
"fieldType"
],
"values": [
[
"__class",
"keyword"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
Network eBPF Data¶
show_network_source()¶
- Description: Displays the Measurement set of network data. This function does not require parameters.
- Example:
`show_network_source()`, the response structure is the same as `show_object_source()`.
show_network_field()¶
- Description: Displays all fields under the specified source.
- Example:
`show_network_field('nginx')`, the response structure is the same as `show_object_field()`.
Time Series (Metric) Data¶
show_measurement()¶
- Description: Displays the Measurement set of time series data.
- Example:
`show_measurement()`, the response structure is the same as `show_object_source()`.
show_tag_key()¶
- Description: Displays the tag list of the Measurement. You can specify a specific Measurement.
- Example:
# Request
show_tag_key(from=['cpu'])
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"tagKey"
],
"values": [
[
"cpu"
],
[
"host"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_tag_value()¶
- Description: Returns the tag value list of the specified tag key in the database.
- Note: `keyin` supports regular expression filtering, for example: `keyin=re('.*')`
- Example
# Request
show_tag_value(from=['cpu'], keyin=['host'],field=['usage_total'])
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"key",
"value"
],
"values": [
[
"host",
"jydubuntu"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
show_field_key()¶
- Description: Displays the field key list of the Measurement.
- Example:
`show_field_key(from=['cpu'])`, the response structure is the same as `show_object_field()`.
Workspace Information¶
show_workspaces()¶
- Description: Displays the current workspace and its authorized workspace information.
- Example:
# Request
show_workspaces()
# Response
{
"content": [
{
"series": [
{
"name": "show_workspaces",
"columns": [
"wsuuid",
"token",
"expireAt",
"createAt",
"name"
],
"values": [
[
"wksp_system",
"tokn_bW47smmgQpoZKP5A2xKuj8W2",
"",
"",
"System Workspace#"
],
[
"wksp_1fcd93a0766c11ebad5af2b2c21faf74",
"tkn_1fcd9a08766c11ebad5af2b2c21faf74",
"1641283729",
"1641283729",
"Solution Center"
]
]
}
],
"cost": "",
"is_running": false,
"async_id": ""
}
]
}
Aggregation Function List¶
avg()¶
- Description: Returns the average value of the field. There is only one parameter, and the parameter type is the field name.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | host |
- Applicable: All data types
Note: The field applied by `avg(field)` must be of numeric type. If the field `field` is of string type (e.g., `'10'`), you can use type conversion functions (e.g., `int()`/`float()`) to achieve this, such as `avg(int(field))`.
- Example
# Request
L::nginx:(avg(connect_total)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"avg_connect_total"
],
"values": [
[
null,
50.16857454347234
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
bottom()¶
- Description: Returns the smallest n field values.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number of Returns | int | Yes | None | 10 |
Note: `field` cannot be the `time` field.
- Applicable: All data types.
- Example
# Request
L::nginx:(bottom(host, 2)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609154974839,
"csoslinux"
],
[
1609154959048,
"csoslinux"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
top()¶
- Description: Returns the largest n field values.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | host |
| n | Number of Returns | int | Yes | None | 10 |
Note: `field` cannot be the `time` field.
- Applicable: All.
- Example:
`L::nginx:(top(host, 2)) {__errorCode='200'}`, the response structure is the same as `bottom()`.
count()¶
- Description: Returns the sum of non-null field values.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name/Function Call | Numeric | Yes | None | host |
Note: `field` can be a function call, such as `count(distinct(field))`, but this feature is only applicable to the `M` data type.
- Applicable: All.
- Example
# Request
L::nginx:(count(host)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_host"
],
"values": [
[
null,
36712
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_distinct()¶
- Description: Counts the number of distinct values in the field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | ip |
- Applicable: All.
- Example
# Request
L::nginx:(count_distinct(host)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"count_distinct(host)"
],
"values": [
[
null,
3
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
derivative()¶
- Description: Returns the rate of change between two adjacent points of the field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
Note: `field` must be of numeric type.
- Applicable: `M`.
- Example
# Request
M::cpu:(derivative(usage_idle)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"derivative"
],
"values": [
[
1608612970000,
-0.06040241121018255
],
[
1608612980000,
0.020079912763694096
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
difference()¶
- Description: Difference.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable: `M`.
- Example
# Request
M::cpu:(difference(usage_idle)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"difference"
],
"values": [
[
1608612970000,
-0.6040241121018255
],
[
1608612980000,
0.20079912763694097
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct()¶
- Description: Returns the list of distinct values of `field`.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
- Applicable: All.
- Example
# Request
R::js_error:(distinct(error_message))
# Response
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"distinct_error_message"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
distinct_by_collapse()¶
- Description: Returns the list of distinct values of `field`.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
⚠️ The function can also add named parameter fields, specifying the list of returned fields.
For example:
- Applicable: All except `M`.
- Note: `distinct_by_collapse` returns the field values list.
- Example
# Request
R::js_error:(distinct_by_collapse(error_message) as d1)
# Response
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"d1"
],
"values": [
[
null,
"sdfs is not defined"
],
[
null,
"xxxxxxx console error:"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
count_filter()¶
- Description: Conditional filter aggregation, counting.
- Reference: Elasticsearch filter aggs
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | service |
| fieldValues | Filter Range | List | Yes | None | [['browser', 'df_rum_ios']] |
- Applicable: All except `M`.
- Example
# Request
L::`*`:(count_filter(service,['browser', 'df_rum_ios']) as c1 ) by status
# Response
{
"content": [
{
"series": [
{
"tags": {
"status": "error"
},
"columns": [
"time",
"c1"
],
"values": [
[
null,
3947
]
]
}
],
"cost": "319ms",
"raw_query": "",
"total_hits": 6432,
"group_by": [
"status"
]
}
]
}
first()¶
- Description: Returns the earliest value by timestamp.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: `field` cannot be the `time` field, i.e., `first(time)` is meaningless.
- Applicable: All.
- Example
# Request
L::nginx:(first(host)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"host"
],
"values": [
[
1609837113498,
"wangjiaoshou"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
float()¶
- Description: Type conversion function, converts string type data to float numeric.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within `sum`/`max`/`min`/`avg` as a nested inner function (e.g., `sum(float(usage))`). `float(fieldName)` is currently not supported.
- Applicable: All except `M`.
int()¶
- Description: Type conversion function, converts string type data to int numeric.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: This function can only be applied within `sum`/`max`/`min`/`avg` as a nested inner function (e.g., `sum(int(usage))`). `int(usage)` is currently not supported.
- Applicable: All except `M`.
histogram_auto()¶
- Description: Histogram aggregation.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Numeric | Field Name | Yes | None | usage |
- Applicable: All.
# Request
T:::(histogram_auto(`duration`)) { `service` = "cart" and `env` = "prod" and `version` = "0.0.1" and `span_type` = "entry" }
# Response
[
{
"time": 1762497622129,
# Indicates that in the values of the field, there are counts[i] values in the interval [lower_bounds[i], upper_bounds[i]).
# For example, in this example, in the values of duration, there is 1 value in the interval [53279.78945865917, 54246.90937011607).
"lower_bounds": "[53279.78945865917,57254.878843586775,820469.6109025453]",
"upper_bounds": "[54246.90937011607,58294.15347136376,835362.5469578733]",
"counts": "[1,1,1]",
"min": 53279.78945865917,
"p50": 57772.17924133015,
"p75": 824167.7662986007,
"p90": 830866.5022017463,
"p95": 833111.4916151571,
"p99": 834911.8498289,
"max": 835362.5469578733
}
]
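Reading this response programmatically, as an added example (not from the DQL documentation): `lower_bounds`, `upper_bounds` and `counts` arrive as JSON-encoded strings in the response above, so they need a second decode before they can be paired into buckets. The helper names are hypothetical, and the sample is the response above with its `#` comment lines removed and the percentile fields omitted.

```python
import json

# The histogram_auto() response element shown above, with the "#" comment
# lines removed (they are not valid JSON) and the percentile fields omitted.
SAMPLE = json.loads("""
[{"time": 1762497622129,
  "lower_bounds": "[53279.78945865917,57254.878843586775,820469.6109025453]",
  "upper_bounds": "[54246.90937011607,58294.15347136376,835362.5469578733]",
  "counts": "[1,1,1]",
  "min": 53279.78945865917,
  "max": 835362.5469578733}]
""")


def histogram_buckets(entry):
    """Decode one response element into a list of (lower, upper, count)."""
    arrays = []
    for key in ("lower_bounds", "upper_bounds", "counts"):
        value = entry[key]
        # In the response above these fields are strings holding a JSON array.
        if isinstance(value, str):
            value = json.loads(value)
        if not isinstance(value, list):
            raise ValueError("%s is not an array" % key)
        arrays.append(value)
    lower, upper, counts = arrays
    if not len(lower) == len(upper) == len(counts):
        raise ValueError("lower_bounds, upper_bounds and counts differ in length")
    buckets = list(zip(lower, upper, counts))
    for lo, hi, n in buckets:
        if lo > hi or n < 0:
            raise ValueError("malformed bucket: %r" % ((lo, hi, n),))
    return buckets


def bucket_index(buckets, value):
    """Index of the bucket whose half-open interval [lower, upper) holds value."""
    for i, (lo, hi, _count) in enumerate(buckets):
        if lo <= value < hi:
            return i
    return None


def count_at_or_above(buckets, threshold):
    """Count values known to be >= threshold.

    Only buckets that lie wholly at or above the threshold are counted, so a
    bucket straddling the threshold makes this a lower bound.
    """
    return sum(n for lo, _hi, n in buckets if lo >= threshold)


if __name__ == "__main__":
    for lo, hi, n in histogram_buckets(SAMPLE[0]):
        print("[%s, %s): %d" % (lo, hi, n))
```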
histogram()¶
- Description: Deprecated, recommend using histogram_auto().
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Numeric | Field Name | Yes | None | usage |
| start-value | Minimum boundary of x-axis | Numeric | Yes | None | 300 |
| end-value | Maximum boundary of x-axis | Numeric | Yes | None | 600 |
| interval | Interval range | Numeric | Yes | None | 100 |
| min-doc | Values below this will not be returned | Numeric | No | None | 10 |
- Applicable: All except `M`.
- Example
# Request
E::`monitor`:(histogram(date_range, 300, 6060, 100, 1))
# Response
{
"content": [
{
"series": [
{
"name": "monitor",
"columns": [
"time", # The field name is time, but it actually represents the y-axis value.
"histogram(date_range, 300, 6060, 100, 1)"
],
"values": [
[
300,
11183
],
[
600,
93
]
]
}
],
"cost": "",
"raw_query": "",
"total_hits": 10000,
"group_by": null
}
]
}
last()¶
- Description: Returns the most recent value by timestamp.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Field Name | Yes | None | usage |
Note: `field` cannot be the `time` field.
- Applicable: All.
- Example:
`L::nginx:(last(host)) {__errorCode='200'}`, the response structure is the same as `first()`.
log()¶
- Description: Calculates the logarithm.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | None | usage |
- Applicable: `M`.
- Example
# Request
M::cpu:(log(usage_idle, 10)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"log"
],
"values": [
[
1608612960000,
1.9982417203437028
],
[
1608612970000,
1.995599815632755
]
]
}
],
"cost": " ",
"raw_query": ""
}
]
}
max()¶
- Description: Returns the largest field value.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable: All.
- Example
# Request
L::nginx:(max(connect_total)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"max_connect_total"
],
"values": [
[
null,
99
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
median()¶
- Description: Returns the median of the sorted field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: `M`.
- Example:
# Request
M::`cpu`:(median(`usage_idle`)) by host slimit 1
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"median(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
min()¶
- Description: Returns the smallest field value.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable: All.
- Example:
`L::nginx:(min(connect_total)) {__errorCode='200'}`, the response structure is the same as `max()`.
mode()¶
- Description: Returns the most frequent value in the field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: `M`.
- Example:
# Request
M::`cpu`:(mode(`usage_idle`)) by host slimit 1
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"mode(usage_idle)"
],
"values": [
[
1642052700000,
99.89989992072866
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
moving_average()¶
- Description: Moving average.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable: `M`.
- Example
# Request
M::cpu:(moving_average(usage_idle, 2)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"moving_average"
],
"values": [
[
1608612970000,
99.29394753991822
],
[
1608612980000,
99.09233504768578
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
non_negative_derivative()¶
- Description: Non-negative rate of change of the data.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | connect_total |
- Applicable: `M`.
- Example
# Request
M::cpu:(non_negative_derivative(usage_idle)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"non_negative_derivative"
],
"values": [
[
1608612980000,
0.020079912763694096
],
[
1608613000000,
0.010417976581746303
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
percentile()¶
- Description: Returns the field value at the nth percentile.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle | |
| Percentile | Returns the percentile value ([0, 100.0]) | int | Yes | 90 |
- Example
# Request
M::cpu:(percentile(usage_idle, 5)) limit 2
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"columns": [
"time",
"percentile"
],
"values": [
[
1609133610000,
97.75280898882501
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
round()¶
- Description: Rounds the floating-point number.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: `M`.
- Example:
# Request
M::`cpu`:(round(`usage_idle`)) by host limit 2 slimit 1
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"round(usage_idle)"
],
"values": [
[
1642052708975,
100
],
[
1642052718974,
100
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
spread()¶
- Description: Returns the difference between the maximum and minimum values in the field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: `M`.
- Example:
# Request
M::`cpu`:(spread(`usage_idle`)) by host slimit 1
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"spread(usage_idle)"
],
"values": [
[
1642052700000,
1.0999999940395355
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
stddev()¶
- Description: Returns the standard deviation of the field.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: `M`.
- Example:
# Request
M::`cpu`:(stddev(`usage_idle`)) by host slimit 1
# Response
{
"content": [
{
"series": [
{
"name": "cpu",
"tags": {
"host": "10-23-190-37"
},
"columns": [
"time",
"stddev(usage_idle)"
],
"values": [
[
1642052700000,
0.20738583871093008
]
]
}
],
"cost": "69.823688ms",
"raw_query": ""
}
]
}
sum()¶
- Description: Returns the sum of the field values.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: All.
- Example
# Request
L::nginx:(sum(connect_total)) {__errorCode='200'}
# Response
{
"content": [
{
"series": [
{
"name": "nginx",
"columns": [
"time",
"sum_connect_total"
],
"values": [
[
null,
1844867
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
rate_over_sum()¶
- Description: First sums the field within the aggregation window, then divides by the window length (seconds), used to calculate the average rate. The result is of floating-point type.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_total |
- Example
# Request
L::service:(rate_over_sum(usage_total)) [5m]
# Response
{
"content": [
{
"series": [
{
"name": "service",
"columns": [
"time",
"sum(usage_total) / 300"
],
"values": [
[
1642052700000,
12.43
]
]
}
]
}
]
}
rate_over_count()¶
- Description: Counts the number of non-null values of the field within the aggregation window, then divides by the window length (seconds), used to calculate the event frequency. The result is of floating-point type.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Any | Yes | * |
- Example
# Request
L::service:(rate_over_count(*)) [5m]
# Response
{
"content": [
{
"series": [
{
"name": "service",
"columns": [
"time",
"count(*) / 300"
],
"values": [
[
1642052700000,
5.6
]
]
}
]
}
]
}
Filter Functions¶
Filter functions are generally used for query condition determination (i.e., common WHERE statements).
exists()¶
- Description: The specified field must exist in the document.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| field | Field Name | Numeric | Yes | usage_idle |
- Applicable: All except `M`.
- Example
# Request
rum::js_error:(sdk_name, error_message) { sdk_name=exists() } limit 1
# Response
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
match()¶
- Description: Full-text search (fuzzy search).
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Field Value | Field value to query | void | Yes | host1 |
- Applicable: All.
- Example:
# Request
rum::js_error:(sdk_name, error_message) { error_message=match('not defined') } limit 1
# Response
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
re()¶
- Description: Filters queries through regular expressions.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Field Value | Field value to query | void | Yes | host1 |
- Applicable: All.
Note: Regular expression queries perform very poorly and are not recommended.
Note: The regular expression syntax for time series metrics (`M`) data refers to here, and the regular expression syntax for non-time series metrics data refers to here.
- Example:
# Request
rum::js_error:(sdk_name, error_message) { error_message=re('.*not defined.*') } limit 1
# Response
{
"content": [
{
"series": [
{
"name": "js_error",
"columns": [
"time",
"sdk_name",
"error_message"
],
"values": [
[
1609227006093,
"Mini Program SDK",
"sdfs is not defined"
]
]
}
],
"cost": "",
"raw_query": ""
}
]
}
regexp_extract()¶
- Description: Extracts the substring from the target string that matches the regular expression, then returns the first substring that matches the target capture group.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Field Name | Field to query | string | Yes | message | |
| Regular Expression | Regular expression containing capture groups | string | Yes | error (\\\\S+) | |
| Returned Group | The nth group to return | int | No | 0 (means match the entire regular expression) | 1 (means match the first group in the regular expression, and so on...) |
- Applicable: All except `M`.
- Example:
# Request
L::`*`:(regexp_extract(message,'error (\\\\S+)', 1) as m1, count(`*`) as c1) {index='default'} by m1
# Response
{
"content": [
{
"series": [
{
"tags": {
"m1": "retrieving1"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
7852
]
]
},
{
"tags": {
"m1": "retrieving2"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
4
]
]
},
{
"tags": {
"m1": "retrieving3"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
1
]
]
}
],
"points": null,
"cost": "968ms",
"raw_query": "",
"total_hits": 10000
}
]
}
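Turning these responses into rows for a script or detection pipeline, as an added example (not part of the DQL documentation): the code below assumes only the `content` → `series` → `columns`/`values`/`tags` layout shown in the responses on this page, and `flatten_dql_response` and `counts_by_tag` are hypothetical helper names. It keeps group-by tags apart from columns, because in the `regexp_extract()` response above both are called `m1`.

```python
import json

# Responses copied from the count_filter() and regexp_extract() examples on
# this page (the regexp_extract() one trimmed to its first two series).
COUNT_FILTER_RESPONSE = json.loads("""
{"content": [{"series": [
    {"tags": {"status": "error"}, "columns": ["time", "c1"],
     "values": [[null, 3947]]}
  ], "cost": "319ms", "raw_query": "", "total_hits": 6432,
  "group_by": ["status"]}]}
""")

REGEXP_EXTRACT_RESPONSE = json.loads("""
{"content": [{"series": [
    {"tags": {"m1": "retrieving1"}, "columns": ["time", "m1"],
     "values": [[null, 7852]]},
    {"tags": {"m1": "retrieving2"}, "columns": ["time", "m1"],
     "values": [[null, 4]]}
  ], "points": null, "cost": "968ms", "raw_query": "",
  "total_hits": 10000}]}
""")


def flatten_dql_response(response):
    """Return one flat dict per row of every series in a DQL response.

    The series name is stored under "_series" and each group-by tag under
    "tag.<key>", so a tag and a column that share a name cannot overwrite
    each other.
    """
    rows = []
    for result in response.get("content") or []:
        for series in result.get("series") or []:
            columns = series.get("columns") or []
            base = {"_series": series.get("name")}
            for key, value in (series.get("tags") or {}).items():
                base["tag." + key] = value
            for values in series.get("values") or []:
                if len(values) != len(columns):
                    raise ValueError("row has %d values for %d columns"
                                     % (len(values), len(columns)))
                row = dict(base)
                for column, value in zip(columns, values):
                    if column in row:
                        raise ValueError("column name clashes: %r" % column)
                    row[column] = value
                rows.append(row)
    return rows


def counts_by_tag(rows, tag, column):
    """Map each value of a group-by tag to the aggregate in `column`."""
    return {row["tag." + tag]: row[column] for row in rows}


if __name__ == "__main__":
    for row in flatten_dql_response(REGEXP_EXTRACT_RESPONSE):
        print(row)
```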
regexp_extract_all()¶
- Description: Extracts the substring from the target string that matches the regular expression, and returns the collection of substrings that match the target capture group.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Field Name | Field to query | string | Yes | message | |
| Regular Expression | Regular expression containing capture groups | string | Yes | error (\\\\S+) (\\\\S+) | |
| Returned Group | The nth group to return | int | No | 0 (means match the entire regular expression) | 1 (means match the first group in the regular expression, and so on...) |
- Applicable: All except `M`.
- Example:
# Request
L::`*`:(regexp_extract_all(message,'error (\\\\S+) (\\\\S+)', 2) as m1, count(`*`) as c1 ) {index='default'} by m1
# Response
{
"content": [
{
"series": [
{
"tags": {
"m1": "[]"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
168761
]
]
},
{
"tags": {
"m1": "[resource]"
},
"columns": [
"time",
"m1"
],
"values": [
[
null,
7857
]
]
}
],
"points": null,
"cost": "745ms",
"raw_query": "",
"total_hits": 10000
}
]
}
queryString()¶
Note: `queryString()` will be deprecated, use the underscore form `query_string()` instead, with the same functionality.
query_string()¶
- Description: String query. DQL will use a special syntax parser to parse the input string and query documents.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Query Condition | Query input string | string | Yes | info OR warnning |
- Applicable: All except `M`.
- Note: Recommended for general search scenarios.
Reference: `query_string()` query refers to here
- Example
# Request
L::datakit:(host,message) {message=query_string('/[telegraf|GIN]/ OR /[rum|GIN]/')} limit 1
# Response
{
"content": [
{
"series": [
{
"name": "datakit",
"columns": [
"time",
"host",
"message"
],
"values": [
[
1616412168015,
"aaffb5b0ce0b",
""
]
]
}
],
"cost": "26ms",
"raw_query": "",
"total_hits": 12644,
"group_by": null
}
]
}
Various Usages of query_string()¶
- Ordinary full-text query: `field=query_string('field_value')`, there is only one parameter, representing the field value to query, similar to the above function `match()`.
- Query condition logical combination: `status=query_string("info OR warnning")`
- Supported logical operators are as follows (need to use uppercase strings):
  - `AND`
  - `OR` (default)
- Spaces (` `) and commas (`,`) in the string both represent `AND` relationships.
- Wildcard query
  - `message=query_string("error*")`: `*` means match 0 or more arbitrary characters.
  - `message=query_string("error?")`: `?` means match 1 arbitrary character.
wildcard()¶
- Description: Wildcard query. The wildcard character `*` means match 0 or more arbitrary characters; `?` means match 1 arbitrary character.
| Non-named Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| Query Condition | Query input string | string |
Yes | info* |
- Applicable: All except
M.
Note: Wildcard query performance is low and consumes more resources. DQL query does not enable left wildcard by default.
Reference: Wildcard query refers to here
- Example
# Request
L::datakit:(host,message) {message=wildcard('write*')} limit 1
# Response
{
"content": [
{
"series": [
{
"name": "datakit",
"columns": [
"time",
"host",
"message"
],
"values": [
[
1616412168015,
"aaffb5b0ce0b",
""
]
]
}
],
"cost": "26ms",
"raw_query": "",
"total_hits": 12644,
"group_by": null
}
]
}
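A pre-submission check for the note above (wildcards are costly, and left wildcards are not enabled by default), added here as an example that is not part of the DQL documentation or product. The names `lint_wildcards` and `split_terms` are hypothetical, string arguments are assumed to contain no escaped quotes, and slash-delimited terms like those in the query_string() request are assumed not to be wildcard patterns.

```python
import re

# wildcard('...'), query_string("...") and the deprecated queryString('...').
# DQL function names are case-insensitive, so the match is too.
CALL_RE = re.compile(r"\b(wildcard|query_?string)\s*\(\s*(['\"])(.*?)\2\s*\)",
                     re.IGNORECASE)

def split_terms(expr):
    """Split a query_string() argument into terms: spaces and commas
    separate terms, and uppercase AND / OR are operators."""
    return [t for t in re.split(r"[\s,]+", expr) if t and t not in ("AND", "OR")]

def lint_wildcards(dql):
    """Return (function, term, kind) for each wildcard term in a DQL string.

    kind is "leading" (left wildcard, not enabled by default) or
    "costly" (any other wildcard, slow and resource-hungry)."""
    findings = []
    for m in CALL_RE.finditer(dql):
        func = "wildcard" if m.group(1).lower() == "wildcard" else "query_string"
        arg = m.group(3)
        terms = [arg] if func == "wildcard" else split_terms(arg)
        for term in terms:
            if not term:
                continue
            # Assumption: /.../ terms (as in the page's request) are not wildcard patterns.
            if len(term) > 1 and term[0] == "/" and term[-1] == "/":
                continue
            if term[0] in "*?":
                findings.append((func, term, "leading"))
            elif "*" in term or "?" in term:
                findings.append((func, term, "costly"))
    return findings

if __name__ == "__main__":
    # Constructed sample queries; the first is the request from this section.
    samples = [
        "L::datakit:(host,message) {message=wildcard('write*')} limit 1",
        'L::datakit:(message) {message=query_string("*error, timeout?")}',
        "L::datakit:(message) {message=query_string('/[telegraf|GIN]/ OR /[rum|GIN]/')}",
    ]
    for q in samples:
        print(q, "->", lint_wildcards(q))
```

Running such a check on queries assembled from user input, before they reach the DQL endpoint, lets a dashboard or API gateway reject left-wildcard terms early and log or rate-limit the costly ones.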
with_labels()¶
- Description: Queries object information through object labels.
| Parameter | Description | Type | Required | Default Value | Example |
|---|---|---|---|---|---|
| object_class | Object source type | string | Yes | | HOST |
| labels | Object label list | []string | Yes | | ['aws', 'aliyun'] |
| object_name | Object name | string | No | | ubuntu20-dev |
| key | The field name of the queried object based on labels | string | No | name | name |
| max | The maximum number of objects queried based on labels, currently supports a maximum of 1000 | int | No | 1000 | 10 |
- Usage
  - Query objects through labels: object::HOST:() {name=with_labels(object_class='HOST', labels=['aws'])}
  - Query objects through labels, then associate with time series metrics: M::cpu(user_total){host=with_labels(object_class="HOST", labels=["aws"], key="name", max=10) }
- Applicable: O/CO
- Note:
  - The maximum number of objects obtained through labels is 1000. If you want to obtain more objects, you can narrow the query time range or add more query conditions.
  - The labels parameter is a string list, and the relationship between multiple labels is logical AND, i.e., labels=['l1', 'l2'] means query objects containing labels 'l1' AND 'l2'.
- Example
# Request
object::docker_containers:() {name=with_labels(object_class='docker_containers', labels=['klgalga'])}
# Response
{
"content": [
{
"series": [
{
"name": "docker_containers",
"columns": [
"block_write_byte",
"class",
"pod_name",
"__docid",
"image_short_name",
"image_tag",
"state",
"cpu_system_delta",
"name",
"image_name",
"cpu_usage",
"create_time",
"from_kubernetes",
"host",
"mem_failed_count",
"block_read_byte",
"cpu_numbers",
"mem_limit",
"network_bytes_rcvd",
"process",
"container_name",
"container_type",
"mem_used_percent",
"network_bytes_sent",
"container_id",
"time",
"cpu_delta",
"docker_image",
"mem_usage",
"message",
"pod_namespace",
"status",
"age",
"df_label"
],
"values": [
[
0,
"docker_containers",
"coredns-66db54ff7f-lgw48",
"O_10f9f174f98ff1b8a6543819aeeab811",
"sha256",
"67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",
"running",
4980000000,
"16fa0160ca432c11b74b784f13d2a92005ddd0d97b3bb9a2dadf34156e0d0986",
"sha256",
0.115964,
1626862244282,
true,
"izbp152ke14timzud0du15z",
0,
7496810496,
4,
178257920,
0,
"[{\"C\":\"0\",\"CMD\":\"/coredns -conf /etc/coredns/Corefile\",\"PID\":\"23543\",\"PPID\":\"23510\",\"STIME\":\"Jun16\",\"TIME\":\"01:55:30\",\"TTY\":\"?\",\"UID\":\"root\"}]",
"k8s_coredns_coredns-66db54ff7f-lgw48_kube-system_6342828e-cc7d-4ef5-95b9-9503ee860da1_0",
"kubernetes",
7.295496,
0,
"16fa0160ca432c11b74b784f13d2a92005ddd0d97b3bb9a2dadf34156e0d0986",
1627438611536,
1443756,
"sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",
13004800,
"{}",
"kube-system",
"Up 5 weeks",
3603246,
[
"klgjg",
"klgalga",
"gaga"
]
]
]
}
],
"cost": "2ms",
"raw_query": "",
"total_hits": 1
}
]
}
SLS Promql Functions¶
The following table compares function support between InfluxDB and SLS PromQL:
| func | influxdb | SLS promql | Notes |
|---|---|---|---|
| avg | mean | avg | |
| count | count | count | |
| derivative (Unit rate of change of a column in the statistical table) | derivative | rate | SLS does not support by, but by can be applied through another aggregation function |
| median | median | quantile | |
| match | re | like | |
| bottom(The smallest k non-NULL values of a column in the statistical table) | bottom | bottomk | |
| top(The largest k non-NULL values of a column in the statistical table.) | top | topk | |
| max | max | max | |
| min | min | min | |
| percentile(Percentile of a column in the statistical table) | percentile | quantile | |
| round | round | round | Does not support group by |
| stddev | stddev | stddev | |
| sum | sum | sum | |
| log | log | ln | |
| p50(Percentile) | percentile | quantile | |
| p75(Percentile) | percentile | quantile | |
| p90(Percentile) | percentile | quantile | |
| p99(Percentile) | percentile | quantile | |
| count_distinct | count(distinct()) | None | |
| difference(The difference between the value of a column in the statistical table and the corresponding value of the previous row) | difference | None | |
| distinct | distinct | None | |
| non_negative_derivative(Unit rate of change of a column in the statistical table, only positive values) | non_negative_derivative | None | |
| first(The first data in the table) | first | None | |
| last(The latest data in the table) | last | None | |
| spread(The difference between the maximum and minimum values of a column in the table/supertable) | spread | None | |
| mode(Mode) | mode | None | |
| moving_average (Calculate the moving average of consecutive k values) | moving_average | None | |