The filter statement (also known as 'where') allows you to selectively process only log entries that match a specific condition.
Details:
- Supports comparison operators: ==, !=, >, <, >=, <=
- Supports logical operators: and, or, not
- Can test for the existence of a field with the `has` operator
- Case-insensitive string matching with `=~` (and `!~` for its negation)
Examples:
- `==` blob and string are equal
- `==` string and blob are equal
- `=~` blob and string are case-insensitively equal
- `=~` string and blob are case-insensitively equal
- `=~` blobs are case-insensitively equal
- `!=` blob and string are not equal
- `!=` string and blob are not equal
- `!~` blob and string are case-insensitively not equal
- `!~` string and blob are case-insensitively not equal
- `!~` blobs are case-insensitively not equal
- `>` whether left ts is after right ts
- `>` timestamp greater than
- `>=` timestamp greater or equal
- `<=` timestamp less or equal
- `>=` whether left ts is after or equal to right ts
- `<` whether left ts is before right ts
- `<=` whether left ts is before or equal to right ts
- log(x), natural logarithm of 'x' received from the pipe
- isnull(x), returns true if 'x' is NULL
- is_string(x), returns true if 'x' is a string, false if 'x' can't be found
- is_string(x), returns false if 'x' isn't a string or can't be found
- is_f64(x), returns true if 'x' is f64, false if 'x' can't be found
- is_f64(x), returns false if 'x' isn't f64 or can't be found
- is_i64(x), returns true if 'x' is i64, false if 'x' can't be found
- is_i64(x), returns false if 'x' isn't i64 or can't be found
- is_timestamp(x), returns true if 'x' is a timestamp, false if 'x' can't be found
- is_timestamp(x), returns false if 'x' isn't a timestamp or can't be found
- is_duration(x), returns true if 'x' is a duration, false if 'x' can't be found
- is_duration(x), returns false if 'x' isn't a duration or can't be found
- is_blob(x), returns true if 'x' is a blob, false if 'x' can't be found
- is_blob(x), returns false if 'x' isn't a blob or can't be found
- is_bool(x), returns true if 'x' is a bool, false if 'x' can't be found
- is_bool(x), returns false if 'x' isn't a bool or can't be found
- converting a blob to a string
- converting a string to a blob
- string endswith, case-sensitive
- string ends with a case-sensitive blob pattern
- blob ends with a case-sensitive string pattern
- blob ends with a case-sensitive blob pattern
- string !endswith, case-sensitive
- string does not end with a case-sensitive blob pattern
- blob does not end with a case-sensitive string pattern
- blob does not end with a case-sensitive blob pattern
- string endswith, case-insensitive
- string ends with a case-insensitive blob pattern
- blob ends with a case-insensitive string pattern
- blob ends with a case-insensitive blob pattern
- string !endswith, case-insensitive
- string does not end with a case-insensitive blob pattern
- blob does not end with a case-insensitive string pattern
- blob does not end with a case-insensitive blob pattern
- string startswith, case-sensitive
- string starts with a case-sensitive blob pattern
- blob starts with a case-sensitive string pattern
- blob starts with a case-sensitive blob pattern
- string !startswith, case-sensitive
- string does not start with a case-sensitive blob pattern
- blob does not start with a case-sensitive string pattern
- blob does not start with a case-sensitive blob pattern
- string startswith, case-insensitive
- string starts with a case-insensitive blob pattern
- blob starts with a case-insensitive string pattern
- blob starts with a case-insensitive blob pattern
- string !startswith, case-insensitive
- string does not start with a case-insensitive blob pattern
- blob does not start with a case-insensitive string pattern
- blob does not start with a case-insensitive blob pattern
- string !contains string, case-sensitive
- blob !contains string, case-sensitive
- string !contains blob, case-sensitive
- blob !contains blob, case-sensitive
- string contains string, case-sensitive
- blob contains string, case-sensitive
- string contains blob, case-sensitive
- blob contains blob, case-sensitive
- string does not contain string, case-insensitive
- blob does not contain string, case-insensitive
- string does not contain blob, case-insensitive
- blob does not contain blob, case-insensitive
- string contains string, case-insensitive
- blob contains string, case-insensitive
- string contains blob, case-insensitive
- blob contains blob, case-insensitive
- string not equal, case-insensitive
- string equal, case-insensitive
- reuse of extended named-column
- simple query on `severity_text`
The summarize statement calculates aggregate values over groups of log entries.
Details:
- Supports multiple aggregation functions: count(), sum(), avg(), min(), max()
- Can compute multiple aggregations in a single statement
- Optional 'by' clause groups results by specified fields
- Commonly used with time-based binning for timeseries analysis
Examples:
- a daily histogram of total event counts per minute
- log(x), natural logarithm of 'x' received from the pipe
- summarize percentile if value lt
- summarize stddev if value lt
- summarize variance if value lt
- summarize count if value lt
- summarize dcount if value lt
- summarize sum if value lt
- summarize min if value lt
- summarize max if value lt
- summarize average if value gt
- summarize average: integer becomes float
- refer to summarized column
- refer to summarized column, sort desc
- refer to summarized column, sort asc
- summarize by binned _time
The project statement selects which fields to include in the output.
Details:
- Only the specified fields will appear in the output
- Can include computed columns with field assignment
- Useful for reducing dataset size and focusing on relevant fields
- Can rename fields using the 'as' keyword
Examples:
- datetime_part(part, _time), extract all available parts from a timestamp
- `+` numerical operator (timestamps and durations)
- `>=` greater than or equal
- `+` numerical operator (f64)
- `+` numerical operator (i64)
- `-` numerical operator (f64)
- `-` numerical operator (i64)
- `-` numerical operator (timestamps and durations)
- `/` numerical operator (f64)
- `/` numerical operator (i64)
- `*` numerical operator (f64)
- `*` numerical operator (i64)
- `-` numerical negation of literals
- ago(x), get the timestamp of now() - 'x'
- ceiling of a floating point number
- floor of a floating point number
- pi, returns the value of Pi (π)
- log, natural logarithm of a literal value
- log(x), natural logarithm of 'x' referenced from the log data
- log(x), natural logarithm of 'x' received from the pipe
- log10, common (base-10) logarithm of a numeric literal value
- log10(x), common (base-10) logarithm of 'x' referenced from the log data
- log2, base-2 logarithm of a numeric literal value
- log2(x), base-2 logarithm of 'x' referenced from the log data
- gamma(x), gamma function of 'x' referenced from the log data
- gamma(x), gamma function of numeric literal 'x'
- loggamma(x), return loggamma of numeric literal 'x'
- loggamma(x), return loggamma of 'x' referenced from the log data
- round(x), return round of numeric literal 'x'
- round(x, y), return round of floating point number 'x' with 'y' decimals
- round(x, y), return round of integer 'x' with 'y' decimals
- round(x), return round of floating point number 'x'
- round(x, y), return round of 'x' with 'y' decimals
- round(x), return round of integer 'x'
- pow(x, y), return 'x' raised to the power 'y'
- abs(x), return absolute value of 'x' referenced from the log data
- abs(x), return absolute value of numeric literal 'x'
- sqrt(x), return square root of 'x' referenced from the log data
- sqrt(x), return square root of numeric literal 'x'
- sign(x), return sign of 'x' referenced from the log data
- sign(x), return sign of numeric literal 'x'
- radians(x), convert 'x' degrees to radians
- degrees(x), convert 'x' radians to degrees
- degrees(x), converts 'x' radians to degrees
- sin(x), return sine of 'x' referenced from the log data
- sin(x), return sine of numeric literal 'x'
- asin(x), return arcsine of 'x' referenced from the log data
- asin(x), return arcsine of numeric literal 'x'
- cos(x), return cosine of 'x' referenced from the log data
- cos(x), return cosine of numeric literal 'x'
- acos(x), return arccosine of 'x' referenced from the log data
- acos(x), return arccosine of numeric literal 'x'
- tan(x), return tangent of 'x' referenced from the log data
- tan(x), return tangent of numeric literal 'x'
- atan(x), return arctangent of 'x' referenced from the log data
- atan(x), return arctangent of numeric literal 'x'
- atan2(y, x), returns the angle between the positive x-axis and the point (y, x) in radians
- exp(x), return e^'x' where 'x' is a numeric literal
- exp2(x), return 2^'x' where 'x' is a numeric literal
- exp10(x), return 10^'x' where 'x' is a numeric literal
- isint(x), return true if 'x' is an integer
- isint(x), where 'x' is an integer
- isint(x), where 'x' is a float
- isint(x), return false if 'x' is not an integer
- isfinite(x), return true if 'x' is a finite number
- isfinite(x), where 'x' is a numeric literal
- isinf(x), return true if 'x' is infinite
- isinf(x), where 'x' is a numeric literal
- isnan(x), return true if 'x' is NaN
- isnan(x), where 'x' is a numeric literal
- make a timestamp from year, month, day, hour, minute, second, subsecond
- datetime_add(period, amount, datetime), add days to a timestamp
- datetime_add(period, amount, datetime), add months to a timestamp
- datetime_add(period, amount, datetime), add years to a timestamp
- datetime_add(period, amount, datetime), add weeks to a timestamp
- converting a bool to a string
- converting an f64 to a string
- converting an i64 to a string
- converting a timestamp to a string
- take after project key-value
The extend statement adds calculated fields to the output without removing existing fields.
Details:
- Creates new fields based on expressions
- Keeps all existing fields in the output
- Can reference existing fields in the expressions
- Useful for data transformation and enrichment
Examples:
- extend with a scalar, with empty raw
- reuse of extended named-column
The sort statement orders the results based on values in specified fields.
Details:
- Default sort order is ascending
- Use 'desc' for descending sort order
- Can sort by multiple fields (secondary sort)
- Null values are considered smaller than non-null values
Examples:
- refer to summarized column
- refer to summarized column, sort desc
- refer to summarized column, sort asc
The take statement (also known as 'limit') restricts the number of rows returned.
Details:
- Returns at most the specified number of rows
- Often used with sort to get top/bottom N values
- Applied after all other operators in the pipeline
Examples:
- reuse of extended named-column
- take after project key-value
The top statement returns the first N rows when sorted by the specified fields.
Details:
- Default sort order is descending
- Combines sort and take in a single operation
- Useful for finding maximum or top-ranked values