Introducing Logentries NEW Query Language: LEQL

[This article was written by Matt Kiernan]

We are excited to announce that Logentries’ new SQL-like query language, LEQL, is now available for more advanced analytics and easy extraction of valuable insights from your log data.

A SQL-Like Query Language

If you’ve ever used SQL, LEQL should feel familiar. In fact, Logentries already supports a number of SQL-like search functions, including:

• SUM: Sums a set of values
• COUNT: Counts the number of times a value occurs
• GROUPBY: Groups values by a unique key
• UNIQUE: Enables the count of only unique values

With the rollout of LEQL, we’ll be introducing four new query functions:

• MIN: Calculate the minimum value of a specified key
• MAX: Calculate the maximum value of a specified key
• SORT: Display results sorted either ascending or descending
• TIMESLICE: Specifies how to group by time (e.g. by specific number of minutes, hours or days)

A Consistent Yet Expressive Syntax

We believe a reliable query language depends on a consistently enforced syntax. For this reason, we’ll be enforcing how queries are structured. Here’s an example of how an old query would change with LEQL:

Old

pages>0 | GroupBY(dbName) | SUM(pages)

New

where(pages>0)  groupby (dbName) calculate(SUM:pages)

*In this example, pages & dbName are Key names in log events

Notice how the search logic gets wrapped in a where() clause, used for refining your search to return only results that match your search criteria (i.e. where events include the text or Key “pages”.)

groupBy() is an optional clause that enables you to organize your search results into groups by specifying a Key from a Key-Value Pair (i.e. key: value).

Calculations made within your query get utilized in the calculate()clause. When building your query, you no longer need to separate sections with pipes “|”.

Though we believe in the value of a consistent query syntax, we also believe in the importance of giving users an expressive language that is easy to use and delivers expected results. We’re taking the following steps to make LEQL easy to use:

• Outdated saved queries will automatically be converted into LEQL – no effort required
• where clauses will automatically be added to any new query you write
• LEQL terms will not be case sensitive
• An updated search bar will provide a query builder and validator
• An updated search bar & query builder

An Updated Search Bar & Query Builder

As we rollout LEQL, we’ll be introducing a new search bar, allowing users to switch between a simple & advanced modes based on their preference.

Simple mode

“Simple mode” provides an easy way to build queries by providing a list of the available functions. Type-Assist will show a list of keys to associate with each functions, or new keys can be typed manually.

Advanced mode

“Advanced mode” will allow users to type their queries manually. Type-Assist will autocomplete key names while the new search bar will automatically validate query syntax.

July 1st Rollout

The LEQL rollout will take place in phases, beginning July 1st and will continue over the next few weeks to update all plans. If you’d like early beta access to LEQL, or have any questions, feel free to reach us at [email protected].