github.com/yankunsam/loki/v2@v2.6.3-0.20220817130409-389df5235c27/docs/sources/logql/query_examples.md

github.com/yankunsam/loki/v2@v2.6.3-0.20220817130409-389df5235c27/docs/sources/logql/query_examples.md (about)

     1  ---
     2  title: Query examples
     3  menuTitle: Query examples
     4  description: LogQL query examples with explanations on what those queries accomplish.
     5  weight: 50
     6  ---
     7  
     8  # Query examples
     9  
    10  These LogQL query examples have explanations of what the queries accomplish.
    11  
    12  ## Log query examples
    13  
    14  ### Examples that filter on IP address 
    15  
    16  - Return log lines that are not within a range of IPv4 addresses:
    17  
    18      ```logql
    19      {job_name="myapp"} != ip("192.168.4.5-192.168.4.20")
    20      ```
    21  
    22  
    23  - This example matches log lines with all IPv4 subnet values `192.168.4.5/16` except IP address `192.168.4.2`:
    24  
    25      ```logql
    26      {job_name="myapp"}
    27  		| logfmt
    28  		| addr = ip("192.168.4.5/16")
    29  		| addr != ip("192.168.4.2")
    30      ```
    31  
    32  ### Examples that aid in security evaluation
    33  
    34  - Extract the user and IP address of failed logins from Linux `/var/log/secure`
    35  
    36      ```logql
    37      {job="security"} 
    38          |~ "Invalid user.*"
    39          | regexp "(^(?P<user>\\S+ {1,2}){8})"
    40          | regexp "(^(?P<ip>\\S+ {1,2}){10})"
    41          | line_format "IP = {{.ip}}\tUSER = {{.user}}"
    42      ```
    43     
    44  - Get successful logins from Linux `/var/log/secure`
    45  
    46      ```logql
    47      {job="security"}
    48          != "grafana_com"
    49          |= "session opened"
    50          != "sudo: "
    51          |regexp "(^(?P<user>\\S+ {1,2}){11})"
    52          | line_format "USER = {{.user}}"
    53      ```
    54  
    55  ## Metrics query examples
    56  
    57  - Return the per-second rate of all non-timeout errors
    58  within the last minutes per host for the MySQL job,
    59  and only include errors whose duration is above ten seconds.
    60  
    61      ```
    62      sum by (host) (rate({job="mysql"}
    63          |= "error" != "timeout"
    64          | json
    65          | duration > 10s [1m]))
    66      ```
    67  
    68  ## Multiple filtering stages examples
    69  
    70  Query results are gathered by successive evaluation of parts of the query from left to right.
    71  To make querying efficient,
    72  order the filtering stages left to right:
    73  
    74  1. stream selector
    75  2. line filters
    76  3. label filters
    77  
    78  Consider the query:
    79  
    80  ```logql
    81  {cluster="ops-tools1", namespace="loki-dev", job="loki-dev/query-frontend"} |= "metrics.go" != "out of order" | logfmt | duration > 30s or status_code != "200"
    82  ```
    83  Within this query, the stream selector is
    84  
    85  ```
    86  {cluster="ops-tools1", namespace="loki-dev", job="loki-dev/query-frontend"}
    87  ```
    88  
    89  There are two line filters: 
    90  `|= "metrics.go"`
    91  and `!="out of order"`.
    92  Of the log lines identified with the stream selector,
    93  the query results
    94  include only those log lines that contain the string "metrics.go"
    95  and do not contain the string "out of order".
    96  
    97  The `logfmt` parser produces the `duration` and `status_code` labels,
    98  such that they can be used by a label filter.
    99  
   100  The label filter 
   101  `| duration > 30s or status_code!="200"`
   102  further filters out log lines.
   103  It includes those log lines that contain a `status_code` label
   104  with any value other than the value 200,
   105  as well as log lines that contain a `duration` label
   106  with a value greater than 30 sections,
   107  
   108  While every query will have a stream selector,
   109  not all queries will have line and label filters.
   110  
   111  ## Examples that use multiple parsers
   112  
   113  Consider this logfmt log line.
   114  To extract the method and the path of this logfmt log line,
   115  
   116  ```log
   117  level=debug ts=2020-10-02T10:10:42.092268913Z caller=logging.go:66 traceID=a9d4d8a928d8db1 msg="POST /api/prom/api/v1/query_range (200) 1.5s"
   118  ```
   119  
   120  To extract the method and the path,
   121  use multiple parsers (logfmt and regexp):
   122  
   123  ```logql
   124  {job="loki-ops/query-frontend"} | logfmt | line_format "{{.msg}}" | regexp "(?P<method>\\w+) (?P<path>[\\w|/]+) \\((?P<status>\\d+?)\\) (?P<duration>.*)"
   125  ```
   126  
   127  This is possible because the `| line_format` reformats the log line to become `POST /api/prom/api/v1/query_range (200) 1.5s` which can then be parsed with the `| regexp ...` parser.
   128  
   129  ## Log line formatting examples
   130  
   131  The following query shows how you can reformat a log line to make it easier to read on screen.
   132  
   133  ```logql
   134  {cluster="ops-tools1", name="querier", namespace="loki-dev"}
   135    |= "metrics.go" != "loki-canary"
   136    | logfmt
   137    | query != ""
   138    | label_format query="{{ Replace .query \"\\n\" \"\" -1 }}"
   139    | line_format "{{ .ts}}\t{{.duration}}\ttraceID = {{.traceID}}\t{{ printf \"%-100.100s\" .query }} "
   140  ```
   141  
   142  Label formatting is used to sanitize the query while the line format reduce the amount of information and creates a tabular output.
   143  
   144  For these given log lines:
   145  
   146  ```log
   147  level=info ts=2020-10-23T20:32:18.094668233Z caller=metrics.go:81 org_id=29 traceID=1980d41501b57b68 latency=fast query="{cluster=\"ops-tools1\", job=\"loki-ops/query-frontend\"} |= \"query_range\"" query_type=filter range_type=range length=15m0s step=7s duration=650.22401ms status=200 throughput_mb=1.529717 total_bytes_mb=0.994659
   148  level=info ts=2020-10-23T20:32:18.068866235Z caller=metrics.go:81 org_id=29 traceID=1980d41501b57b68 latency=fast query="{cluster=\"ops-tools1\", job=\"loki-ops/query-frontend\"} |= \"query_range\"" query_type=filter range_type=range length=15m0s step=7s duration=624.008132ms status=200 throughput_mb=0.693449 total_bytes_mb=0.432718
   149  ```
   150  
   151  The result would be:
   152  
   153  ```log
   154  2020-10-23T20:32:18.094668233Z	650.22401ms	    traceID = 1980d41501b57b68	{cluster="ops-tools1", job="loki-ops/query-frontend"} |= "query_range"
   155  2020-10-23T20:32:18.068866235Z	624.008132ms	traceID = 1980d41501b57b68	{cluster="ops-tools1", job="loki-ops/query-frontend"} |= "query_range"
   156  ```
   157  
   158  ## Unwrap examples
   159  
   160  - Calculate the p99 of the nginx-ingress latency by path:
   161  
   162      ```logql
   163      quantile_over_time(0.99,
   164        {cluster="ops-tools1",container="ingress-nginx"}
   165          | json
   166          | __error__ = ""
   167          | unwrap request_time [1m]) by (path)
   168      ```
   169  
   170  - Calculate the quantity of bytes processed per organization ID:
   171  
   172      ```logql
   173      sum by (org_id) (
   174        sum_over_time(
   175        {cluster="ops-tools1",container="loki-dev"}
   176            |= "metrics.go"
   177            | logfmt
   178            | unwrap bytes_processed [1m])
   179        )
   180      ```
   181  
   182  ## Vector aggregation examples
   183  
   184  Get the top 10 applications by the highest log throughput:
   185  
   186  ```logql
   187  topk(10,sum(rate({region="us-east1"}[5m])) by (name))
   188  ```
   189  
   190  Get the count of log lines for the last five minutes for a specified job, grouping
   191  by level:
   192  
   193  ```logql
   194  sum(count_over_time({job="mysql"}[5m])) by (level)
   195  ```
   196  
   197  Get the rate of HTTP GET requests to the `/home` endpoint for NGINX logs by region:
   198  
   199  ```logql
   200  avg(rate(({job="nginx"} |= "GET" | json | path="/home")[10s])) by (region)
   201  ```
   202