Support combined metric queries for correlation rules with LogQL #197

Open
kelnage opened this issue Jan 20, 2025 · 0 comments
kelnage commented Jan 20, 2025

When correlating multiple queries, we can do so using Loki and LogQL by generating one metric query per log query, and combining them with OR (for event_count and value_count correlation rules) or AND (for temporal correlation rules). E.g., the following log queries:

{job=`.+`} | logfmt | fieldA=`valueA`
{job=`.+`} | json | fieldB=`valueB`

can be converted into an event_count correlation query with greater than or equal to 2 events with the following LogQL:

(sum(count_over_time({job=`jobA`} | logfmt | fieldA=`valueA`[$__auto])) 
    or sum(count_over_time({job=`jobB`} | json | fieldB=`valueB`[$__auto]))) >= 2

kelnage added the backend label (Related to changes to the query backend) Jan 20, 2025
kelnage self-assigned this Jan 30, 2025