
Making a query

Goal

By the end of this guide, you should be able to:

  • Write a basic and meaningful query using real data
  • Understand and use DataPrime’s piped (|) syntax
  • Recognize the basic query structure and navigate the interface
  • Use the Query Assistant to accelerate query building

Why it matters

Every insight in DataPrime starts with a query. Whether you’re debugging errors, spotting performance issues, or visualizing trends, queries are how you ask the system meaningful questions. This guide helps you get comfortable with the syntax and tools so you can confidently explore your data.

Note

This guide covers the basics of querying so that you can start learning about your data in this Foundations section. We'll get deeper into the art of querying in the Using DataPrime section.

1. Start with a source command

On the Explore screen, type:

source logs

Running this will show you all of your logs, unfiltered, within the selected timeframe.

This explicitly sets the data source to logs. While the line source logs is optional, it’s good practice to keep it in your query, especially when joining or enriching from multiple sources later.

2. Add a filter to narrow the results

Let’s look within a specific AWS region:

source logs
| filter awsRegion == 'eu-west-1'

This filters the logs to only those that are stored in eu-west-1.

3. Chain commands using piped syntax

In DataPrime, each command passes its output to the next using |. For example, instead of showing all of the logs in eu-west-1, perhaps we want to see how many logs are coming from eu-west-1:

source logs
| filter awsRegion == 'eu-west-1'
| count

This returns a single number: how many logs were found in the AWS region eu-west-1.

You can go further:

source logs
| filter awsRegion == 'eu-west-1'
| groupby sourceIPAddress_geoip.city_name aggregate count() as location

Now you’re grouping all of the eu-west-1 logs by the city of the source IP address. The groupby command returns a table:

Source      Location
ashburn     1
boardman    25
columbus    33
dublin      24

Note

It’s OK if you don’t understand the logic yet; the point here is to demonstrate that DataPrime is a piped language.

Default time range

The default time range is Last 15 minutes. This can be changed on the Explore screen (to the right of the DataPrime query input) or, ideally, in the query itself, which we'll explore in a later section.

This query shows logs only from the last 2 minutes.

source logs
| filter now() - $m.timestamp < 2m

Note

The $m prefix refers to the metadata mechanism, which will be explained in the next section. Also, the query may look different depending on the structure of your logs.
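Pulling the steps above together, here is an added example query (not from the original guide) that chains a source, a relative time filter, two field filters, a groupby, and a sort and limit in one pipeline. It uses only field names that appear on this page (awsRegion, status_code, sourceIPAddress_geoip.city_name, $m.timestamp) and assumes they exist in your logs; the exact names will depend on your log structure.

```dataprime
source logs
| filter now() - $m.timestamp < 1h
| filter awsRegion == 'eu-west-1'
| filter status_code == 500
| groupby sourceIPAddress_geoip.city_name aggregate count() as error_count
| sort by error_count desc
| limit 10
```

Each line narrows or reshapes the output of the one before it, so the result is a table of the ten source cities producing the most server errors in eu-west-1 over the last hour. Removing the limit or sort lines still yields a valid query, which is a useful way to check each stage while you build it up.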

Use the Query Assistant for faster exploration

Click the sparkle icon in the editor toolbar to open the Query Assistant.

You can describe what you want in plain language, like:

“Show the slowest responses in the last hour”

The result will be something like this:

filter now() - $m.timestamp < 1h
| sort by duration desc
| limit 20

The assistant will generate a DataPrime query you can run or customize. It’s a great way to learn patterns or get unstuck when exploring unfamiliar data.

Explore your results interactively

After running a query, the results pane displays matching documents.

Right-clicking any key or value opens a menu with options like:

  • Add to filter list – Refine your query with one click
  • Add as column – Make a field visible in the results table
  • Show graph for key – See trends over time
  • Group top graph by key – Visualize distribution
  • Manage actions – Trigger alerts or workflows
  • Copy JSON path or value – Quickly reuse fields
  • Include/exclude in query – Modify your query directly
  • Pin – Keep key fields visible
  • Open URL – Click through if the field is a valid URL

This interface layer makes it easy to iterate quickly and build queries field-by-field.

Expected output

  • source logs: unfiltered logs from the last 15 minutes
  • source logs | filter status_code == 500: only server error logs (we'll see a better way to do this specific query later)
  • source logs | count: a count of matching logs
  • source logs | groupby subsystem_name aggregate count() as error_count: error counts per subsystem

Common pitfalls

  • Query returns no results: Try expanding the time range or relaxing your filter conditions.
  • Missing pipes (|) between commands: Each step in your query needs a pipe.
  • Incorrect field names: Use autocomplete or click fields in the result viewer to get the exact key.