# Query builder Query Builder turns log and span search into analysis — group, count, and compare across any field directly in Explore. Start by filtering with the search bar, then add **Group by** and **Aggregation** chips to turn raw data into grouped results. From grouped results, drill down into a specific group and apply your refined selection back to the main view. ## How the builder changes your results Explore has two table views: - Rows table: Shows individual logs, spans, or traces that match your search. - Grouped results table: Appears when you add at least one **Group by** or aggregation, showing grouped rows and calculated metrics. ### Build a grouped query 1. Use the search bar to filter the logs you care about. 1. Select **Group by** and choose one or more fields. 1. Select **Aggregation** and choose one or more aggregations. 1. Select **Run**. After the query runs, Explore displays a grouped results table. A chart may appear above the table depending on your grouping and time range. ### Group by fields Use **Group by** to split results into buckets such as `coralogix.metadata.severity`, `service`, or `cx_rum.page_context.page_fragments`. Key behaviors: - You can add multiple group-by fields. The order matters and defines the grouping hierarchy. - High-cardinality fields can increase query cost and make results harder to read. Use them when you need a deep breakdown, then drill down and narrow the time range. *Group by field selector showing available fields for grouping* ### Aggregations Aggregations calculate metrics per group. Common options include: - `count` to count matching data - Numeric aggregations such as average, max, or median, when available Some aggregations require a numeric field. When you choose one of these aggregations, select the numeric field to aggregate. If a group does not contain the selected numeric field, the result for that aggregation can appear as `null` for that group. This is expected when only some logs include the field. You can add multiple aggregations to show several metrics as columns side by side. *Aggregation dropdown showing Count, Count Distinct, Sum, Min, Max, Average* ### Drill down into grouped results When you select a row in the grouped results table, Explore opens a **drilldown panel**. The drilldown panel is separate from the log details panel — it provides a focused investigation view for the selected group rather than details for a single log entry. This view helps you inspect the logs and spans that make up the selected group and refine further. In the drilldown view, you can: - Review a time distribution chart for the selected group. - Highlight a time window on the chart to narrow the drilldown results to that interval. - Apply additional filters using the drilldown search bar. - Select **Apply to main** to continue investigating in the main Explore view. Current behavior of **Apply to main**: - It replaces the main view query with the drilldown query, including any filters you added in the drilldown view. - If you changed the time range in the drilldown view, the main time range updates to match. ### Examples Count logs by severity: 1. Search: `coralogix.metadata.severity:*` 1. Group by: `coralogix.metadata.severity` 1. Aggregation: `count` Find where errors occur by page: 1. Search: `errors AND coralogix.metadata.severity:"Error"` 1. Group by: `cx_rum.page_context.page_fragments` 1. Aggregation: `count` 1. Optional filter to exclude missing values: `_exists_:cx_rum.page_context.page_fragments` Break down errors by organization, page, and user: 1. Search: `errors AND coralogix.metadata.severity:"Error"` 1. Group by (in order): - `cx_rum.labels.organization_name` - `cx_rum.page_context.page_fragments` - `cx_rum.session_context.user_email` 1. Aggregation: `count` ### Tips and troubleshooting - You can also add a grouping directly from the **Fields** sidebar by right-clicking a field and selecting **Add as Grouping**. This adds the field to the Group by clause without opening the Group by dropdown. - Start with a shorter time range while building your query, then expand after results look correct. - If grouping produces too many rows, add fewer group-by fields, use a limit, or drill down into one group and narrow the time range. - If an aggregation shows `null`, confirm the aggregated field exists on the logs in that group and that the field is numeric for numeric aggregations. ## Next steps Discover and apply field-based filters without typing field names manually in [Filter with fields](https://coralogix.com/docs/user-guides/data_exploration/fields/index.md).