DQL language reference
A DQL query contains at least one or more commands, each of which returns tabular output containing records (lines or rows) and fields (columns). All commands are sequenced by a | (pipe). Data flows or is piped from one command to the next. The data is filtered or manipulated at each step and then streamed into the following step.
The following DQL query uses seven pipeline steps to get from raw log data to an aggregated table showing performance statistics for task execution.
-
Line 1
fetch logs, from:now()-1h
You retrieve the log data using the
fetch
command. In addition, the optionalfrom:
parameter specifies the query start timestamp. -
Line 2
// fetched all logs from the last hour: now() – 1h to now()
Commented out line. This line will be omitted in query execution.
-
Line 3
| filter endsWith(log.source, "pgi.log")
The
filter
command filters the log records based on theendsWith
function that retrieves log files whose names end with the predefined string (thepgi.log
string). -
Line 4
| parse content, "LD IPADDR:ip ':' LONG:payload SPACE LD 'HTTP_STATUS' SPACE INT:http_status LD (EOL| EOS)"
We use the
parse
command to extract key-value pairs containing execution statistics out of the raw log text string. In this case, it adds theIP address
,payload
andhttp_status
fields to the result and transforms their data types into required formats. -
Line 5, 6, 7, 8
| summarize total_payload = sum(payload), failedRequests = countIf(http_status >= 400), successfulRequests = countIf(http_status <= 400), by:{ip, host.name}
The
summarize
command is a key element of DQL as it allows multiple aggregations across one or more fields. This query groups the results byip
andhost.name
. The retrieved records include the total value of payload, calculated using thesum
function, and two columns calculated using thecountif
function:- a column with numbers of failed requests (defined as those having
http_status
>=400) - a column with numbers of successful requests (defined as those having
http_status
<400)
This query groups the retrieved records byip
andhost.name
.
- a column with numbers of failed requests (defined as those having
-
Line 9
|fieldsAdd total_payload_MB = total_payload/1000000
With the
fieldsAdd
command, you add a new field showing the total payload converted into megabytes, basing on a mathematical expression. -
Line 10
|fields ip, host.name, failedRequests, successfulRequests, total_payload_MB
With the
fields
command, you can determine which fields you need to retrieve. -
Line 11
| sort failedRequests desc
The
sort
command is used to finalize the result. In this case, the results are sorted according to the number of failed requests, from the highest to lowest.
DQL key building blocks
- Commands
- Functions
Functions can be used to perform any desired computation on fields of DQL commands.
- Data types
The Dynatrace Query Language operates with strongly typed data: functions and operators accept only declared types of data. The type is assigned to data during parsing or by using casting functions. DQL also recognizes value types expressed in literal notation (for example, using constant values in functions).