Monitor dataset schema changes for compliance

Problem / Use case

You need to track datasets that undergo frequent schema updates. By focusing on INFO-level schema events and counting unique snapshotId values, this recipe helps highlight which datasets are changing most often — an important indicator for compliance and schema governance.

Query

source system/engine.schema_fields
| filter $m.severity == INFO
| groupby dataset
    aggregate distinct_count(snapshotId) as schema_change_count
| sortby schema_change_count desc

Expected output

dataset	schema_change_count
aaa.audit_events	10
engine.schema_fields	10
logs	10
labs.limitViolations	10
spans	10
engine.queries	6

Variations

Filter for ERROR-level events to identify failed or invalid schema updates.
Add max($m.timestamp) to include the most recent change time per dataset.
Combine with count() to measure total schema events alongside distinct snapshots.

TL;DR

Count distinct schema snapshot IDs by dataset to surface frequently changing schemas — essential for monitoring data stability and compliance.

Previous Audit schema field types and values by dataset

Next Count queries using joins by team