The user-data (JSON):
$d / $data
Engine-related event metadata. Ex – “timestamp”, “severity”, “logid”, “priorityclass”:
$m / $metadata
User-managed event labels. Flat key/values (strings only). Known labels: “applicationname”, “subsystemname”, “category”, “classname”, “computername”, “methodname”, “threadid”, “ipaddress”:
$l / $labels
$d.kubernetes.pod_name
$l.applicationName
Refer to the key "key" inside the key "stats" and apply the lowercase function to it:
$d.stats.key.toLowerCase()
The result of multiplying 8 by the radius key cast to a number (does not work now, will be fixed soon):
$d.radius:num * 8
The logical timestamp of the event (any keypath is valid expression):
$m.timestamp
Filter data matching expression-predicate:
filter <expression>
filter $d.k8s.pod_name == 'pod1'
Find entries containing search-string:
wildfind '<search-string>'
wildfind 'foo'
Find entries matching lucene-query:
lucene '<lucene-query>'
lucene 'hello -world'
Find entries containing search-string in given keypath:
find '<search-string>' in <key-path>
find 'west' in $d.kubernetes.labels.CX_REGION
Order entries by given expression:
order by <expression>
order by $d.priority * -1
Take first N entries:
limit <N>
limit 10
Leave only the keypaths provided, discarding all other keys from an entry:
choose <keypath>, <keypath> …, <keypath>
Cast any expression to one of the following types [bool, num, string]:
: (cast)
filter $d.x:num > 3
Extract parts of one keypath into new keypath using extractor-function:
extract <keypath> into <keypath> using <extractor-function>
"y" of shape: {"name" : "foo" , "id" : "42"} given x: "Name:foo Id:42"
extract $d.x into $d.y using regexp(e=/Name:(?<name>[\\w\\s]+) Id:(?<id>\\d+)/)
"y" of shape: {"a" : "42", "b" : "11"} given x: "a=42 b=11"
extract $d.x into $d.y using kv(pair_delimiter=' ', key_delimiter='=')
"y" of shape: {"a": 1, "b": true} given x: "{\"a\": 1, \"b\": true}" (stringified JSON object)
extract $d.x into $d.y using jsonobject()
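A local Python emulation of the three extractor functions above, for checking a pattern against sample log lines before putting it in a query. It is an added example, not Coralogix code: the function names mirror the page, while the sample events and the no-match behaviour (event left unchanged) are assumptions made here.

```python
import json
import re

# Constructed sample events mirroring the three "given x" inputs above.
SAMPLES = {
    "regexp": {"x": "Name:foo Id:42"},
    "kv": {"x": "a=42 b=11"},
    "jsonobject": {"x": '{"a": 1, "b": true}'},
}

def regexp(pattern):
    # Python spells named groups (?P<name>...); lookbehinds (?<= and (?<! stay as-is.
    compiled = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))
    def run(text):
        m = compiled.search(text)
        return m.groupdict() if m else None
    return run

def kv(pair_delimiter=" ", key_delimiter="="):
    def run(text):
        out = {}
        for pair in text.split(pair_delimiter):
            key, sep, value = pair.partition(key_delimiter)
            if sep and key:  # skip tokens with no key or no delimiter
                out[key] = value
        return out or None
    return run

def jsonobject():
    def run(text):
        try:
            value = json.loads(text)
        except (TypeError, ValueError):
            return None
        return value if isinstance(value, dict) else None
    return run

def extract(event, src, dst, extractor):
    # Assumption: when the extractor finds nothing, the event is returned unchanged.
    value = event.get(src)
    result = extractor(value) if isinstance(value, str) else None
    return {**event, dst: result} if result is not None else dict(event)

if __name__ == "__main__":
    print(extract(SAMPLES["regexp"], "x", "y", regexp(r"Name:(?<name>[\w\s]+) Id:(?<id>\d+)")))
    print(extract(SAMPLES["kv"], "x", "y", kv(pair_delimiter=" ", key_delimiter="=")))
    print(extract(SAMPLES["jsonobject"], "x", "y", jsonobject()))
```

The regexp and kv results hold strings ("42"), while jsonobject keeps JSON types, which is why a numeric comparison on a regexp- or kv-extracted key needs the :num cast.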
Select the 10 ‘successful’ logs ordered by department_id:
source logs | find 'success' in $d.result | order by $d.department_id | limit 10
Find cx-cluster logs (without knowing the log structure):
source logs | wildfind 'cx-cluster'
Select 100 log messages along with ‘processed’ statuses from ‘enrichment-ingest’ service where processed ≠ 0:
source logs | lucene 'NOT log:"stderr F"' | lucene 'log:"stdout F"' | filter $d.kubernetes.labels.CX_SERVICE_NAME == 'enrichment-ingest' | extract $d.log into $d.stats using regexp(e=/.*T?(?<processed>\\d+:\\d+:\\d+[.,]\\d+).*/) | filter $d.stats.processed != '0' | limit 100
[NEW] DataPrime now supports Data Aggregation, for more information and examples please refer to the DataPrime Cheat Sheet.