LogoLogo
Log in|Playground
  • Welcome
    • Introduction
    • FAQ
  • Capabilities
    • Log Management
    • Infrastructure Monitoring
    • Application Performance Monitoring (APM)
      • Application Metrics
      • Traces
      • Supported Technologies
    • Real User Monitoring (RUM)
  • Getting Started
    • Requirements
      • Kubernetes requirements
      • Kernel requirements for eBPF sensor
      • CPU architectures
      • ClickHouse resources
    • Installation & updating
    • Connect Linux hosts
    • Connect RUM
    • 5 quick steps to get you started
  • Use groundcover
    • Monitors
      • Create a new Monitor
      • Issues page
      • Monitor List page
      • Silences page
      • Monitor Catalog page
      • Monitor YAML structure
      • Embedded Grafana Alerts
        • Create a Grafana alert
    • Dashboards
      • Create a dashboard
      • Embedded Grafana Dashboards
        • Create a Grafana dashboard
        • Build alerts & dashboards with Grafana Terraform provider
        • Using groundcover datasources in a Self-hosted Grafana
    • Insights
    • Explore & Monitors query builder
    • Workflows
      • Create a new Workflow
      • Workflow Examples
      • Alert Structure
    • Search & Filter
    • Issues
    • Role-Based Access Control (RBAC)
    • Service Accounts
    • API Keys
    • Log Patterns
    • Drilldown
    • Scraping custom metrics
      • Operator based metrics
      • kube-state-metrics
      • cadvisor metrics
    • Backup & Restore Metrics
    • Metrics & Labels
    • Add custom environment labels
    • Configuring Pipelines
      • Writing Remap Transforms
      • Logs Pipeline Examples
      • Traces Pipeline Examples
      • Logs to Events Pipeline Examples
      • Logs/Traces Sensitive Data Obfuscation
      • Sensitive Data Obfuscation using OTTL
      • Log Filtering using OTTL
    • Querying your groundcover data
      • Query your logs
        • Example queries
        • Logs alerting
      • Query your metrics
      • Querying you data using an API
      • Using KEDA autoscaler with groundcover
  • Log Parsing with OpenTelemetry Pipelines
  • Log and Trace Correlation
  • RUM
  • Customization
    • Customize deployment
      • Agents in host network mode
      • API Key Secret
      • Argo CD
      • On-premise deployment
      • Quay.io registry
      • Configuring sensor deployment coverage
      • Enabling SSL Tracing in Java Applications
    • Customize usage
      • Filtering Kubernetes entities
      • Custom data retention
      • Sensitive data obfuscation
      • Custom storage
      • Custom logs collection
      • Custom labels and annotations
        • Enrich logs and traces with pod labels & annotations
        • Enrich metrics with node labels
      • Disable tracing for specific protocols
      • Tuning resources
      • Controlling the eBPF sampling mechanism
  • Integrations
    • Overview
    • Workflow Integrations
      • Slack Webhook Integration
      • Opsgenie Integration
      • Webhook Integration
        • Incident.io
      • PagerDuty Integration
      • Jira Webhook Integration
    • Data sources
      • OpenTelemetry
        • Traces & Logs
        • Metrics
      • Istio
      • AWS
        • Ingest CloudWatch Metrics
        • Ingest CloudWatch Logs
        • Ingest Logs Stored on S3
        • Integrate CloudWatch Grafana Datasource
      • GCP
        • Ingest Google Cloud Monitoring Metrics
        • Stream Logs using Pub/Sub
        • Integrate Google Cloud Monitoring Grafana Datasource
      • Azure
        • Ingest Azure Monitor Metrics
      • DataDog
        • Traces
        • Metrics
      • FluentBit
      • Fluentd
      • JSON Logs
    • 3rd-party metrics
      • ActiveMQ
      • Aerospike
      • Cassandra
      • CloudFlare
      • Consul
      • CoreDNS
      • Etcd
      • HAProxy
      • Harbor
      • JMeter
      • K6
      • Loki
      • Nginx
      • Pi-hole
      • Postfix
      • RabbitMQ
      • Redpanda
      • SNMP
      • Solr
      • Tomcat
      • Traefik
      • Varnish
      • Vertica
      • Zabbix
    • Source control (Gitlab/Github)
  • Architecture
    • Overview
    • inCloud Managed
      • Setup inCloud Managed with AWS
        • AWS PrivateLink Setup
        • EKS add-on
      • Setup inCloud Managed with GCP
      • Setup inCloud Managed with Azure
      • High Availability
      • Disaster Recovery
      • Ingestion Endpoints
      • Deploying in Sensor-Only mode
    • Security considerations
      • Okta SSO - onboarding
    • Service endpoints inside the cluster
  • Product Updates
    • What's new?
    • Earlier updates
      • 2025
        • Mar 2025
        • Feb 2025
        • Jan 2025
      • 2024
        • Dec 2024
        • Nov 2024
        • Oct 2024
        • Sep 2024
        • Aug 2024
        • July 2024
        • May 2024
        • Apr 2024
        • Mar 2024
        • Feb 2024
        • Jan 2024
      • 2023
        • Dec 2023
        • Nov 2023
        • Oct 2023
Powered by GitBook
On this page
  • Types of queries
  • Examples of instant queries
  • Counting error logs
  • Free text search
  • Selecting and filtering by log attributes
  • Examples of range queries
  • Distribution of logs based on an attribute
Export as PDF
  1. Use groundcover
  2. Querying your groundcover data
  3. Query your logs

Example queries

Last updated 5 months ago

groundcover recommends using as many "strong" filters as possible, like time filters, workload and namespaces filters, log level filters, etc.

These will help making free text and attribute searches much faster and efficient.

The condition enforces time range limits on the query, which are selected based on the time window selected for the query.

Types of queries

When querying logs in the platform it's important to distinguish between two types of queries:

  1. - will return a single value for each group. For example, counting the amount of error logs per workload.

    1. When to use: Threshold-based alerting or when you only need the most recent value

  2. - will return a series of values over time. For example, counting the amount of logs per workload in 5-minute buckets.

    1. When to use: Plotting trends over time

Examples of instant queries

Counting error logs

The query uses the count() operator to get the number of error logs in the defined time window.

SELECT    count()   AS log_count,
          workload  AS workload,
          namespace AS namespace
FROM      groundcover.logs
WHERE     $__timeFilter(timestamp) 
          AND level = 'error'
GROUP     BY workload, namespace

groundcover always saves log levels as lower-cased values, e.g: 'error', 'info'.

Free text search

The query uses the count() operator to get the number of logs generated by the kafkajs-events-consumer workload, which contain the phrase Connection timeout.

SELECT    count()   AS log_count
FROM      groundcover.logs
WHERE     $__timeFilter(timestamp) 
          AND workload = 'kafkajs-events-consumer'
          AND content LIKE '%Connection timeout%'

Selecting and filtering by log attributes

Using formatted logs allows groundcover to automatically extract attributes from the log, which can then be used in alerts and dashboards.

For example, let's look at the following json-formatted log:

{ 
        "http.req.id": "99419211-7283-467f-8d39-b3c4be7a98c2", 
        "http.req.method": "GET",
        "http.req.path": "/product/ZZZZZZZ011", 
        "session": "e17d3d07-13f6-430b-85ed-290863388766", 
        "severity": "debug", 
        "timestamp": "2024-07-11T10:40:42.812301569Z" 
}

The following query uses the string_attributes column to query the "http.req.method" attribute and filter for GET requests:

SELECT    count()   AS log_count
FROM      groundcover.logs
WHERE     $__timeFilter(timestamp) 
          AND string_attributes['http.req.method'] = 'GET'

Examples of range queries

Make sure to select the Time Series query type when using range queries

Distribution of logs based on an attribute

The following query will plot the count of logs grouped by a specific attribute extracted from the logs. It will arrange the counts into 5-minute buckets, showing trend over time.

SELECT 
    toStartOfInterval(timestamp, INTERVAL 5 minute)   AS bucket_timestamp,
    string_attributes['my_attribute']                 AS my_attribute,
    count()                                           AS count
FROM groundcover.logs
WHERE $__timeFilter(timestamp)
      AND workload = 'my_workload'
GROUP by bucket_timestamp, my_attribute
ORDER BY bucket_timestamp ASC
$__timeFilter
Instant queries
Range queries