When you need to further refine the results of a log search, use subqueries to compare your results against a secondary group of logs, or filter your logs using data from your Reference Tables.
Use subqueries when you want to filter the results of a query based on the results of a secondary query. See subquery examples for two example scenarios.
To add a subquery filter:
This introduces new elements to the query editor:
- A filter that includes or excludes logs based on the subquery. For example, include logs from service:a that are associated with a user who is also one of the top users of service:b. Or, keep status:error logs but filter out the status:error logs whose users eventually end up with a status:success log. See Filter outdated or superseded logs for a detailed example.
- A limit on the number of values returned by the subquery (1000). Choose between top (highest frequency values) or bottom (lowest frequency values).

The following are scenarios where you need to use subqueries to get the information you need from your logs.
Assume you operate an e-commerce platform. A log is generated each time one of your customers tries to place an order. You want to analyze your logs to understand the total value of potential purchases lost due to an ongoing issue with your website.
You realize, however, that an order can fail multiple times before successfully completing, meaning that for that particular order ID there are log entries in the search results for both status:error logs and status:success logs. If you extracted lists of unique order IDs from the two queries, this order ID would appear in both. With subqueries, you can obtain a mutually exclusive list.
In this example, you are only interested in logs for orders that did not eventually succeed. To exclude orders that eventually succeeded using the subquery feature, filter out the order IDs that also appear in status:success logs.

Assume you have a service named network_directory that monitors all internal network resources and access to those resources within your organization. Log events generated by this service include standard attributes (like host, service, source) and custom attributes like the client's IP address.
Additionally, you have another device-manager service that tracks all internal assets (infrastructure, employee devices, and so on).
You are investigating an ongoing attack and observe there is a significant increase in API requests across almost all of your endpoints. You want to first identify IP addresses associated with anomalous request volumes so that you can block them at the firewall level. However, your internal services are some of the largest consumers of these endpoints and you need to exclude them from your query results to avoid mistakenly blocking them.
In this example, use service:network_directory as your main query, and then define a subquery filter for your device-manager service to filter out results from recognized devices.
Reference Tables allow you to combine metadata with logs, providing more information to resolve application issues. Add a query filter based on a Reference Table to perform lookup queries. For more information on creating and managing this feature, see the Reference Tables guide.
To apply a query filter with Reference Tables, click the + Add button next to the query editor and select Reference Table. In the following example, the Reference Table query filter is used to search all recent logs that include a malicious IP address from a threat intel reference table:
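As an added example (not Datadog code), the following Python models the subquery filter from the two scenarios above and the Reference Table lookup from this section, run over constructed sample logs. The single-term `key:value` matcher, the log records and the threat-intel table are assumptions made for the example; the real feature runs inside Log Explorer.

```python
from collections import Counter

# Constructed sample logs (not real data): an order can fail several times before it succeeds.
ORDER_LOGS = [
    {"status": "error", "order_id": "A1", "amount": 40.0},
    {"status": "error", "order_id": "A1", "amount": 40.0},
    {"status": "success", "order_id": "A1", "amount": 40.0},
    {"status": "error", "order_id": "B2", "amount": 75.0},
    {"status": "error", "order_id": "B2", "amount": 75.0},
    {"status": "error", "order_id": "C3", "amount": 20.0},
    {"status": "success", "order_id": "D4", "amount": 99.0},
]
# Constructed threat-intel table keyed by IP, standing in for a Reference Table.
THREAT_INTEL = {"203.0.113.7": "scanner", "198.51.100.9": "c2"}
ACCESS_LOGS = [
    {"service": "network_directory", "client_ip": "10.0.0.5"},
    {"service": "network_directory", "client_ip": "203.0.113.7"},
    {"service": "network_directory", "client_ip": "192.0.2.44"},
]

def matches(log, query):
    """Match a single 'key:value' search term (assumed mini-syntax) against one log."""
    key, value = query.split(":", 1)
    return str(log.get(key)) == value

def subquery_values(logs, query, attribute, limit=1000, top=True):
    """Distinct attribute values of the subquery's logs, ranked by frequency
    (top = most frequent first, bottom = least frequent first), capped at limit."""
    counts = Counter(log[attribute] for log in logs if matches(log, query) and attribute in log)
    ranked = counts.most_common() if top else counts.most_common()[::-1]
    return {value for value, _ in ranked[:limit]}

def subquery_filter(logs, main_query, sub_query, attribute, exclude, limit=1000, top=True):
    """Keep main-query logs whose attribute value is in the subquery's value set
    (Include) or not in it (Exclude), which is how the subquery filter narrows results."""
    values = subquery_values(logs, sub_query, attribute, limit, top)
    return [log for log in logs
            if matches(log, main_query) and ((log.get(attribute) in values) == (not exclude))]

def lost_order_value(logs):
    """Scenario 1: total value of orders that errored and never reached status:success."""
    failed = subquery_filter(logs, "status:error", "status:success", "order_id", exclude=True)
    per_order = {log["order_id"]: log["amount"] for log in failed}  # count each order once
    return sum(per_order.values())

def reference_table_filter(logs, attribute, table):
    """Reference Table lookup: keep logs whose attribute value is a key in the table."""
    return [log for log in logs if log.get(attribute) in table]

if __name__ == "__main__":
    print(lost_order_value(ORDER_LOGS))  # 95.0 (orders B2 and C3; A1 is excluded)
    print(reference_table_filter(ACCESS_LOGS, "client_ip", THREAT_INTEL))
```

The second scenario is the same call with `service:network_directory` as the main query, `service:device-manager` as the subquery and `exclude=True` on the IP attribute.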