Skip to content

DataPrime Explorer

DataPrime Explorer is a query mode within Explore that lets you write DataPrime queries directly alongside your logs, without leaving the current view. Use it when you need the precision and flexibility of DataPrime's pipeline syntax for filtering, transforming, and aggregating log data at scale.

DataPrime mode with templates table DataPrime mode with templates table

Activate DataPrime Explorer

Switch to DataPrime mode from within Explore:

  1. Open Explore.
  2. In the query bar area, select DataPrime to switch from Builder mode to DataPrime mode.

The search bar is replaced by the DataPrime query editor. Your current time range and dataset selection are preserved.

To switch back to Builder mode, select Builder. Note that a DataPrime query does not automatically convert back to a Lucene query or Builder configuration.

Write a query

DataPrime uses a pipeline syntax: each step in the pipeline transforms or filters the data passed from the previous step. Start with a source statement, then chain operators with the | pipe character.

Example query — filter for errors and group by subsystem:

source logs
| filter $d.coralogix.metadata.severity == 'Error'
| groupby $d.coralogix.metadata.subsystemName agg count() as error_count
| orderby error_count desc
| limit 20

This query:

  1. Sources data from the logs dataset.
  2. Filters to only log entries where severity is Error.
  3. Groups the filtered logs by subsystem and counts them.
  4. Orders results by error count, highest first.
  5. Limits results to the top 20 subsystems.

For full DataPrime syntax and operator reference, see the DataPrime documentation.

Convert a Lucene query to DataPrime

Explore does not automatically convert Lucene queries to DataPrime. When you switch to DataPrime mode, the editor starts with a blank query or the last DataPrime query you ran.

To replicate a Lucene query in DataPrime:

  1. Identify the field and value from the Lucene query. For example, coralogix.metadata.severity:"Error".
  2. Write the equivalent DataPrime filter: filter $d.coralogix.metadata.severity == 'Error'.
  3. Add any grouping or aggregation steps as needed.

DataPrime field references use a prefix notation: $d for log data fields, $m for metadata fields, and $l for labels.

Switch to DataPrime dialog with convert options Switch to DataPrime dialog with convert options

Work with results

DataPrime results appear in the results panel below the query editor. The format depends on the query type.

Raw results

Queries without a groupby operator return individual log entries. Results appear in the logs grid table, where you can:

  • Select a row to open the log details panel.
  • Use Manage columns to add fields as columns.
  • Sort by column values.

Aggregated results

Queries with a groupby operator return aggregated rows. Results appear in a grouped results table, where each row represents a group and its calculated metrics.

Select a row in the grouped results table to open a drilldown panel and inspect the underlying logs for that group.

Visualize results

Tip

Chart visualizations are available in Builder mode. In DataPrime mode, results are displayed in the logs grid table. To visualize a DataPrime aggregation as a chart, switch to Builder mode and replicate the query using the Group by and Aggregation controls.

Learn more

Need help? Contact Support.
What's new? Find out here.
LLM? Read llms.txt.
Previous Explore Actions
Next Get started with Explore Logs