| Operator / Function | Description | Example |
|---|---|---|
| `where [condition]` | Filters records. Use operators like `==`, `!=`, `>`, `<`. | `... \| where status_code == 404` |
| `grep(pattern, field)` | Function to check if a field contains a substring or matches a regex/glob. | `... \| where grep(/error/, message)` |
| `count() by [field]` | Groups and counts occurrences of values in a field. | `... \| count() by source_ip` |
| `sort [field] [asc\|desc]` | Sorts the results. Default is ascending. | `... \| sort count desc` |
| `cut [field1], [field2]` | Selects which fields to display in the output. | `... \| cut timestamp, source_ip, url` |
| `head [number]` | Limits the number of results returned from the beginning of the set. | `... \| head 100` |
| `tail [number]` | Limits the number of results returned from the end of the set. | `... \| tail 50` |
| `uniq -c` | Counts and shows unique adjacent lines. Often used after `sort`. | `... \| sort request_path \| uniq -c` |
| `put new_field := expression` | Adds or modifies fields based on an expression. | `... \| put response_time_ms := response_time_s * 1000` |
| `search [keyword or expression]` | Filters records based on a search expression, including keyword search. | `... \| search "login failed" or error_code == 500` |
| `avg(field) by [group_by_field]` | Calculates the average of a numeric field, optionally grouped by another field. | `... \| avg(response_time) by http_method` |
| `sum(field) by [group_by_field]` | Calculates the sum of a numeric field, optionally grouped. | `... \| sum(bytes_transferred) by user_id` |
| `min(field)` / `max(field)` | Finds the minimum or maximum value of a field. | `... \| min(timestamp)` |
| `drop [field1], [field2]` | Removes specified fields from records. | `... \| drop user_agent, referer` |
| `every(duration)` | Buckets time-series data by a specified duration (e.g., `1h`, `5m`). Used with `by`. | `... \| count() by every(1h) ts` |
| `type A = B` or `const X = Y` | Defines a custom type alias or a constant for use in the query. | `type ip_addr = ip` / `const suspicious_ip = 10.0.0.5` / `... \| where src_ip == suspicious_ip` |
| `fuse` | Merges records with varying fields into a consistent schema, adding nulls where fields are missing. | `... \| fuse` |
| `shape(this, )` | Shapes input data to conform to a target type definition. Combines casting, filling missing fields, and reordering. | `... \| shape(this, <{ts:time,id:string,val:float64}>)` |
| `typeof(field)` | Returns the data type of a field. Useful for inspection or conditional logic. | `... \| where typeof(status_code) ==` |
| `over [array_field] => (sub_query)` | Processes each element of an array or values in a record individually. | `... \| over user_roles => (where this == "admin")` |
| `parse_uri(url_field)` | Parses a URL string into a structured record with components like scheme, host, path, query. | `... \| put parsed_url := parse_uri(request_url) \| where parsed_url.host == "example.com"` |
| `strftime("%Y-%m-%d", ts_field)` | Formats a timestamp field into a string based on the specified format. | `... \| put day := strftime("%Y-%m-%d", event_time)` |
| `len(field)` | Returns the length of a string, bytes, array, set, or the number of fields in a record. | `... \| where len(user_agent) > 100` |