## Goal

By the end of this guide, you should be able to:

- Write a basic and meaningful query using real data
- Understand and use DataPrime’s piped (`|`) syntax
- Recognize the basic query structure and navigate the interface
- Use the **Query Assistant** to accelerate query building

## Why it matters

Every insight in DataPrime starts with a query. Whether you’re debugging errors, spotting performance issues, or visualizing trends, queries are how you ask the system meaningful questions. This guide helps you get comfortable with the syntax and tools so you can confidently explore your data.

Note

This guide covers the basics of querying so you can start learning about your data in this foundations section. We'll go deeper into the art of querying in the [Using DataPrime](https://coralogix.com/docs/dataprime/user-guide/using-dataprime/index.md) section.

### 1. Start with a `source` command

In the explore screen, type:

```dataprime
source logs
```

Running this will show you all of your logs, unfiltered, within the selected timeframe.

This explicitly sets the data source to logs. While the line `source logs` is optional, it’s good practice to keep it in your query, especially when joining or enriching from multiple sources later.

### 2. Add a filter to narrow the results

Let’s look within a specific AWS region:

```dataprime
source logs
| filter awsRegion == 'eu-west-1'
```

This filters the logs to only those that are stored in `eu-west-1`. The `filter` command is covered again in [How to use DataPrime to isolate and shape logs](https://coralogix.com/docs/dataprime/user-guide/using-dataprime/isolate-and-shape/index.md).

### 3. Chain commands using piped syntax

In DataPrime, each command passes its output to the next using `|`. For example, instead of showing all of the logs in `eu-west-1`, perhaps we want to see *how many* logs are coming from `eu-west-1`:

```dataprime
source logs
| filter awsRegion == 'eu-west-1'
| count
```

This returns a single number: how many logs were found in the AWS region `eu-west-1`.

You can go further:

```dataprime
source logs
| filter awsRegion == 'eu-west-1'
| groupby sourceIPAddress_geoip.city_name aggregate count() as location
```

Now you’re grouping all of the `eu-west-1` logs by the location of the source IP address. The `groupby` command produces a table:

| Source   | Location |
| -------- | -------- |
| ashburn  | 1        |
| boardman | 25       |
| columbus | 33       |
| dublin   | 24       |

Note

It’s OK if you don’t understand the logic yet; the point here is to demonstrate that DataPrime is a piped language.

### Default time range

The default time range is `Last 15 minutes`. This can be changed on the explore screen (to the right of the DataPrime query input) or, ideally, in the query itself, which we'll explore in a later section.

This query shows logs only from the last 2 minutes.

```dataprime
source logs
| filter now() - $m.timestamp < 2m
```

Note

The `$m` prefix stands for metadata, a mechanism that will be explained in the next section. Also, the query may look different depending on the structure of your logs.

### Use the Query Assistant for faster exploration

Click the **sparkle icon** in the editor toolbar to open the **Query Assistant**.

You can describe what you want in plain language, like:

> “Show the slowest responses in the last hour”

The result will be something like this:

```dataprime
filter now() - $m.timestamp < 1h
| sort by duration desc
| limit 20
```

The assistant will generate a DataPrime query you can run or customize. It’s a great way to learn patterns or get unstuck when exploring unfamiliar data.
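The commands shown so far can be combined into one pipeline. The query below is an added example, not part of the original guide: it reuses the `awsRegion` and `sourceIPAddress_geoip.city_name` fields from the earlier steps (your logs may use different keys), and the alias `request_count` is a name chosen here for illustration. It keeps the time window inside the query, counts logs per source city, and returns the ten busiest cities first.

```dataprime
source logs
| filter now() - $m.timestamp < 1h
| filter awsRegion == 'eu-west-1'
| groupby sourceIPAddress_geoip.city_name aggregate count() as request_count
| sort by request_count desc
| limit 10
```

Naming the aggregate after what it measures keeps the result table readable, and sorting before `limit` ensures the rows that are kept are the highest counts rather than an arbitrary ten.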

### Explore your results interactively

After running a query, the results pane displays matching documents.

Right-click any key or value to interact with it through options like:

- **Add to filter list** – Refine your query with one click
- **Add as column** – Make a field visible in the results table
- **Show graph for key** – See trends over time
- **Group top graph by key** – Visualize distribution
- **Manage actions** – Trigger alerts or workflows
- **Copy JSON path** or **value** – Quickly reuse fields
- **Include/exclude in query** – Modify your query directly
- **Pin** – Keep key fields visible
- **Open URL** – Click through if the field is a valid URL

This interface layer makes it easy to iterate quickly and build queries field-by-field.

## Expected output

- `source logs`: unfiltered logs from the last 15 minutes
- `source logs | filter status_code == 500`: only server error logs (we'll see a better way to do this specific query later)
- `source logs | count`: a count of matching logs
- `source logs | groupby subsystem_name aggregate count() as error_count`: error counts per subsystem

______________________________________________________________________

## Common pitfalls

- **Query returns no results**: Try expanding the time range or relaxing your filter conditions.
- **Missing pipes (`|`) between commands**: Each step in your query needs a pipe.
- **Incorrect field names**: Use autocomplete or click fields in the result viewer to get the exact key.
