The Logentries query language, also known as LEQL, offers a very expressive way to query log data. If you’re unfamiliar with LEQL you can get a nice overview from one of our previous blog posts here. Today we’re excited to announce the latest extension of LEQL’s capabilities – Limit.
If you want to skip reading about this and just go try it out for yourself then head over to the advanced view in LEQL Querybuilder and add the limit function to some of your existing queries and see what it’s like!
Limit works in conjunction with groupby and is always the last function in a query. It accepts a whole number between 1 and 1000, which sets how many groups of results will be returned. Previously you had no such control over which groups a query returned. In some cases that control isn’t necessary, because the data being queried only ever falls into a small number of groups; in other cases you could be grouping by IP addresses or usernames, and this is where limit is most useful. When querying large sets of data it’s important to combine several functions in one query in order to get the most value out of your data, and limit is an important addition to the LEQL tool chest for achieving this. Let’s take a look at a small example below.
First we can do a simple groupby query on some data we know has a large result set. As mentioned above a common case would be IP Addresses.
Here we see a graph with varying results, where each bar in the chart represents one group – in this case the default of 40 groups.
Now we can introduce limit to our query, and extend the result set significantly. We will also chain a sort() function to the query to help identify the top/lowest groups.
Such a query would look like this in advanced mode:
Groupby(ip_address) sort(desc) limit(1000)
With the addition of a couple of functions we are now able to see our data in a completely different way. This is the value of using multiple functions in one query.
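To make the groupby / sort / limit chain concrete, here is an added example (not Logentries code, and not the LEQL engine itself) that re-implements the three steps in plain Python over a handful of constructed key=value log lines. The function names groupby, sort and limit mirror the query above; the field name ip_address, the sample IPs and the window helper (which models the navigator slicing a result set without re-running the query) are assumptions for illustration.

```python
"""Added example: a minimal model of groupby(ip_address) sort(desc) limit(n).

This is illustrative code written for this post, not Logentries' LEQL engine.
The key=value log format and the IP addresses below are constructed sample data.
"""
import re
from collections import Counter

# Constructed sample data: four clients with 5, 3, 2 and 1 login attempts,
# plus one line that carries no ip_address field at all.
_CLIENTS = [("192.0.2.10", 5), ("192.0.2.20", 3), ("198.51.100.7", 2), ("203.0.113.4", 1)]
SAMPLE_LOGS = [
    f"method=POST path=/login status=401 ip_address={ip}"
    for ip, n in _CLIENTS
    for _ in range(n)
] + ['level=info msg="scheduled job ran"']

KV_RE = re.compile(r"(\w+)=(\S+)")

MAX_LIMIT = 1000      # LEQL accepts a whole number between 1 and 1000
DEFAULT_GROUPS = 40   # the default number of groups shown in the post


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; lines without a field simply lack that key."""
    return dict(KV_RE.findall(line))


def groupby(lines, key):
    """Count log lines per distinct value of `key`; lines missing the key are skipped."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if key in fields:
            counts[fields[key]] += 1
    return counts


def sort(groups, direction="desc"):
    """Order (value, count) pairs by count; ties are broken by value for stable output."""
    if direction == "desc":
        return sorted(groups.items(), key=lambda kv: (-kv[1], kv[0]))
    if direction == "asc":
        return sorted(groups.items(), key=lambda kv: (kv[1], kv[0]))
    raise ValueError(f"unknown sort direction: {direction!r}")


def limit(groups, n):
    """Keep only the first n groups; n must be in 1..1000 like the LEQL function."""
    if not 1 <= n <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {n}")
    return groups[:n]


def run_query(lines, key, direction="desc", n=DEFAULT_GROUPS):
    """groupby(key) sort(direction) limit(n), chained in the order LEQL requires."""
    return limit(sort(groupby(lines, key), direction), n)


def window(groups, start, size):
    """Model the navigator: view a slice of an already-computed result set
    (e.g. only the lowest groups) without re-running the query."""
    return groups[start:start + size]


if __name__ == "__main__":
    result = run_query(SAMPLE_LOGS, "ip_address", "desc", 1000)
    print("top groups:   ", result[:2])
    print("lowest groups:", window(result, len(result) - 2, 2))
```

Because sort runs before limit, limit(2) with sort(desc) returns the two busiest addresses, while the same limit with sort(asc) returns the quietest; asking for more groups than exist simply returns them all, which is why limit(1000) in the post is a convenient way to widen the result set before narrowing it with the navigator.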
Another feature addition that arrives with Limit is the navigator you see in the graphs above. This will appear for any of your groupby queries and it further enhances the user’s ability to get the most from their data. For example, the same result set from above can be reduced to view only the top groups in the result by decreasing the size of the navigator.
Likewise, you can resize the navigator in the opposite direction to graph only the lowest groups from the result set. The combination of requesting a larger result set and being able to move quickly between different sections of it, without re-running the query or changing parameters, will save you time and effort, and hopefully give you better insight into your data.