Write a LogQL query
Now that you’ve defined the requirements for your visualization, it’s time to write the query. A query is an expression that specifies the dataset used in the visualization.
LogQL generates two types of queries:
- Log queries: Select and return log lines
- Metric queries: Wrap a log query in a function to extract and return metrics
Elements of a LogQL query
A LogQL query consists of the following basic elements, as shown in the query count_over_time({namespace="game-2048"} |= "error" [$__auto]), which selects logs from the game-app namespace, filters for lines containing “error”, and counts them over 5-minute intervals.
Log stream selector
A log stream selector determines which log streams to include in a query’s results. A log stream is a unique source of log entries, defined by a combination of labels and their values. The selector is written by wrapping the label matchers in curly braces.
For example, {namespace="game-app"} is a log stream selector that uses a filter expression. This selector returns all logs associated with a game app that’s being monitored.
Other common examples of selectors include:
- service_name: Identifies the application or service generating the logs
- pod: Specifies the name of the pod where the log originated
- filename: Denotes the source file of the logs
Log pipeline (optional)
A log pipeline can be appended to a log stream selector to further process and filter log streams. It is composed of a set of expressions. Each expression is executed in left to right sequence for each log line. If an expression filters out a log line, the pipeline will stop processing the current log line and start processing the next log line.
For example, |= "error" is the log pipeline, which uses a line filter expression to retrieve only those log lines that contain the word error. You can also use other expressions, such as parser expressions or line format expressions.
Operation (optional)
An operation creates a metric query. Metric queries extend log queries by applying a function to log query results. This powerful feature creates metrics from logs.
For example, the count_over_time operation calculates the number of error logs received for each time interval.
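The three elements above, modeled in Python over constructed log entries. This is an added example, not Grafana or Loki code. The sample entries, the function names, and the (t - range, t] window are assumptions of this model.

```python
from collections import Counter

# Constructed sample entries: (unix seconds, stream labels, log line).
ENTRIES = [
    (10,  {"namespace": "game-app", "pod": "game-1"}, 'level=info msg="started"'),
    (70,  {"namespace": "game-app", "pod": "game-1"}, 'level=error msg="db timeout"'),
    (130, {"namespace": "game-app", "pod": "game-2"}, 'level=error msg="db timeout"'),
    (200, {"namespace": "other",    "pod": "web-1"},  'level=error msg="oops"'),
    (290, {"namespace": "game-app", "pod": "game-2"}, 'level=warning msg="slow"'),
    (400, {"namespace": "game-app", "pod": "game-1"}, 'level=error msg="crash"'),
]

def select_streams(entries, matchers):
    """Log stream selector: keep entries whose labels equal every matcher."""
    return [e for e in entries
            if all(e[1].get(name) == value for name, value in matchers.items())]

def line_contains(text):
    """Line filter stage, the model's counterpart of |= "text"."""
    return lambda line: text in line

def run_pipeline(entries, stages):
    """Run stages left to right per line; all() stops at the first rejection."""
    return [e for e in entries if all(stage(e[2]) for stage in stages)]

def stream_key(labels):
    """Render a label set the way a selector is written, e.g. a="1",b="2"."""
    return ",".join(f'{k}="{v}"' for k, v in sorted(labels.items()))

def count_over_time(entries, range_s, steps):
    """Per stream, count lines in the window (t - range_s, t] of each step t."""
    counts = Counter()
    for ts, labels, _ in entries:
        for t in steps:
            if t - range_s < ts <= t:
                counts[(stream_key(labels), t)] += 1
    return dict(counts)

def log_query():
    # Model of the log query: {namespace="game-app"} |= "error"
    selected = select_streams(ENTRIES, {"namespace": "game-app"})
    return run_pipeline(selected, [line_contains("error")])

def metric_query():
    # Model of: count_over_time({namespace="game-app"} |= "error" [5m])
    return count_over_time(log_query(), range_s=300, steps=[300, 600])

if __name__ == "__main__":
    print([ts for ts, _, _ in log_query()])
    print(metric_query())
```

The log query returns lines, while the metric query returns one count per stream and interval, which is what the Time series visualization plots.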
Select a key-value pair from the Label filter drop-down list.
For example, select namespace, =, and game-app.
- Did you know? If you are unsure of the label name, you can click Label browser and search for the label.
- Click Label browser to explore available labels and values.
Click Refresh located in the top-right corner of the dashboard.
The visualization should populate with data.
Did you know? At this stage, you can save the dashboard and share it with others. The current dashboard includes a Logs panel displaying all logs within the selected namespace. However, this view offers limited utility for troubleshooting.
In the next steps, you’ll learn how to apply a filter expression and aggregation to the log data to monitor the count of error logs per time interval.
To define a log pipeline expression, select a line filter operator.
For example, select Line contains and enter error. The system returns all error logs. All other log types (warning, info) aren’t included in the Logs panel.
Click + Operations and select a function.
For example, click Range function > Count over time.
- From the Visualization drop-down list located in the upper-right of the page, select Time series.
- Did you know? When you apply an operation to log data, you are creating a metrics LogQL query.
Click Refresh located in the top-right corner of the dashboard.
The visualization updates to show a time series graph.
More to explore (optional)
At this point in your journey, you can explore the following paths:
