Skip to main content
Sumo Logic

Metrics Queries

This topic explains how to construct metrics queries and provides examples. See the following topics for additional information:

Structure of metrics queries

To create a metrics visualization on the Metrics page, you can specify up to four metrics queries. Enter each query in a separate query text box (A, B, C, and D). Query text boxes are added as needed, up to the maximum of four.

metrics_query callout with multiple entries.jpg

  • Each metrics query must include one or more selectors (filters), which can be either of the following:
    • Sequence of space-separated tag=value pairs. 
      Example: 
      cluster=search node=search-1
    • Unqualified strings (value with no key).
      Example:
      statistic
  • Each query can optionally include one or more operators (avg, count, min, max, sum, timeshift, pct, parse)
    Example:
    dep=prod metric=cpu_system | avg
     
  • Grouping of results by operator is supported, as in this example, which groups average results by node.

Example:
dep=prod metric=cpu_system | avg by node

Multiple selectors in a query

If you specify multiple selectors in one query, results are returned if all values match.
Example: The following query returns time series that match deploy=prod AND have the word search appearing anywhere in the metadata.
deploy=prod search

Multiple queries

If you specify multiple queries, each is displayed as a separate set of time series charts. In the following example, the time series that match query A are shown with solid lines and the time series that matches query B is shown as a dotted line. See Work with Metrics Visualizations to learn about displaying particular time series and changing line styles.

metrics_2 charts.jpg

How to construct a metrics query

On the Metrics page, click inside the query text box. When you first click inside the box, a help bubble opens to show the general query syntax:

SELECTORS [| OPERATOR | ...]

The help bubble also includes examples:

_sourceCategory=category* metric=CPU_User | avg by _sourceHost
prod.*.*.disk.space | max by node

To dismiss the bubble and display suggestions, press the spacebar. To dismiss the bubble without displaying suggestions, press esc.

As you start typing, the available choices are displayed.  

metrics_auto choices.jpg

Follow these guidelines to complete your queries:

  • Select from the listed options or type directly into the text area.

  • To see all of the matching tags, values, or metrics, select View All TagsView All Values, or View All Metrics. A dialog box opens for you to make a selection that matches, including any text that you've already entered. Scroll or enter text in the Search field to narrow down your search, and click Add to Query when you've made a selection.
    metrics_view all values.jpg
     

  • Specify multiple pairs within a query for an AND match. If you enter multiple pairs manually, make sure to include a space between the tag=value pairs.

Example: This query matches HostMetrics AND the instance identifier i-e0b45532:

_contentType=HostMetrics InstanceId=i-e0b455532
​​​​

  • Create up to four queries using multiple query text boxes. Each query is presented with its own graph or graphs in the chart area. See Work with Metrics Visualizations for information on viewing and managing the display of multiple queries.

    When you add a query, an additional query text box is added (up to four total). To delete any of the query text boxes, hover over the text box and click the Delete icon on the right. 
  • You can use wildcard matches for selectors and/or values, as in these examples:
    sys*  and *tem both match system.
    foo* matches all of the following:
    footag-a=
    foo1tag-b=
    tag-c=foo2

  • You can include aggregation functions and other operators, as in this example: 
    _sourceHost=sys1-cloudcollector-* metric=CPU_Idle | avg