Skip to content

Query Builder

Query Builder turns log and span search into analysis — group, count, and compare across any field directly in Explore. Start by filtering with the search bar, then add Group by and Aggregation chips to turn raw data into grouped results. From grouped results, drill down into a specific group and apply your refined selection back to the main view.

How the builder changes your results

Explore has two table views:

  • Rows table: Shows individual logs, spans, or traces that match your search.
  • Grouped results table: Appears when you add at least one Group by or aggregation, showing grouped rows and calculated metrics.

Build a grouped query

  1. Use the search bar to filter the logs you care about.
  2. Select Group by and choose one or more fields.
  3. Select Aggregation and choose one or more aggregations.
  4. Select Run.

After the query runs, Explore displays a grouped results table. A chart may appear above the table depending on your grouping and time range.

Group by fields

Use Group by to split results into buckets such as coralogix.metadata.severity, service, or cx_rum.page_context.page_fragments.

Key behaviors:

  • You can add multiple group-by fields. The order matters and defines the grouping hierarchy.
  • High-cardinality fields can increase query cost and make results harder to read. Use them when you need a deep breakdown, then drill down and narrow the time range.

Group by field selector showing available fields for grouping Group by field selector showing available fields for grouping

Aggregations

Aggregations calculate metrics per group. Common options include:

  • count to count matching data
  • Numeric aggregations such as average, max, or median, when available

Some aggregations require a numeric field. When you choose one of these aggregations, select the numeric field to aggregate.

If a group does not contain the selected numeric field, the result for that aggregation can appear as null for that group. This is expected when only some logs include the field.

You can add multiple aggregations to show several metrics as columns side by side.

Aggregation dropdown showing Count, Count Distinct, Sum, Min, Max, Average Aggregation dropdown showing Count, Count Distinct, Sum, Min, Max, Average

Drill down into grouped results

When you select a row in the grouped results table, Explore opens a drilldown panel. The drilldown panel is separate from the log details panel — it provides a focused investigation view for the selected group rather than details for a single log entry.

This view helps you inspect the logs and spans that make up the selected group and refine further.

In the drilldown view, you can:

  • Review a time distribution chart for the selected group.
  • Highlight a time window on the chart to narrow the drilldown results to that interval.
  • Apply additional filters using the drilldown search bar.
  • Select Apply to main to continue investigating in the main Explore view.

Current behavior of Apply to main:

  • It replaces the main view query with the drilldown query, including any filters you added in the drilldown view.
  • If you changed the time range in the drilldown view, the main time range updates to match.

Examples

Count logs by severity:

  1. Search: coralogix.metadata.severity:*
  2. Group by: coralogix.metadata.severity
  3. Aggregation: count

Find where errors occur by page:

  1. Search: errors AND coralogix.metadata.severity:"Error"
  2. Group by: cx_rum.page_context.page_fragments
  3. Aggregation: count
  4. Optional filter to exclude missing values: _exists_:cx_rum.page_context.page_fragments

Break down errors by organization, page, and user:

  1. Search: errors AND coralogix.metadata.severity:"Error"
  2. Group by (in order):
    • cx_rum.labels.organization_name
    • cx_rum.page_context.page_fragments
    • cx_rum.session_context.user_email
  3. Aggregation: count

Tips and troubleshooting

  • You can also add a grouping directly from the Fields sidebar by right-clicking a field and selecting Add as Grouping. This adds the field to the Group by clause without opening the Group by dropdown.
  • Start with a shorter time range while building your query, then expand after results look correct.
  • If grouping produces too many rows, add fewer group-by fields, use a limit, or drill down into one group and narrow the time range.
  • If an aggregation shows null, confirm the aggregated field exists on the logs in that group and that the field is numeric for numeric aggregations.
Need help? Contact Support.
What's new? Find out here.
LLM? Read llms.txt.
Previous Search
Next Fields