victorialogs-datasource

queries with variables require wrapping in parentheses

Open tiny-pangolin opened this issue 10 months ago • 3 comments

I have a dashboard that uses the query (tags.host:$host) AND name:="freeipa_healthcheck", but if I do not have parentheses around tags.host:$host then the query will return undesired logs because it generates the query tags.host:historia.local.shiftsystems.net OR krista.local.shiftsystems.net AND name:="freeipa_healthcheck" instead of the query (tags.host:historia.local.shiftsystems.net OR krista.local.shiftsystems.net) AND name:="freeipa_healthcheck". It would be nice if the generated query wrapped the part of the query with the variable automatically.

tiny-pangolin avatar Jan 05 '25 17:01 tiny-pangolin

Similar issue with selecting multiples in Grafana UI, e.g. selecting these two items

Image

results in query like appname: "filterlog" AND action: rdr OR pass AND interface_name: * which does not work as intended. I came across this because changing the order of selection (i.e. selecting one after another and vice versa) in Grafana UI provided different results and found this when digging into why.

nebula-it avatar Jan 10 '25 17:01 nebula-it

@tiny-pangolin (tags.host:$host) is probably not what you want, the tags:host label is applied only to the first value. the bracket should be after the label.

i found that host:in($host) works correctly. resolving to host:in(backup3,website), exact match

also host:($host) works. resolves to host:(backup3 OR website) word match. it also matches website-dev, website-test etc.

this is explained in the LogsQL tutorial

What if the application identifier - such as buggy_app and foobar - is stored in the app field? Correct - just add app: prefix in front of buggy_app and foobar:

_time:5m log.level:error -(app:buggy_app OR app:foobar)

The query can be simplified by moving the app: prefix outside the parentheses:

_time:5m log.level:error -app:(buggy_app OR foobar)

host:!($host) and host:-($host) do work as expected, excluding the word matched values.

host:=($host) does not work (invalid syntax), results in:

error:"got unexpected response status code: 400" errorSource:"plugin" status:500

It would be nice if the exact filter with brackets label:=(foo OR bar) would be the same as (label:="foo" OR label:="bar"), respectively be an alias for multi-exact filter label:in(foo, bar)

similarly for exact prefix filter: label:=(foo OR bar)* should be expanded to (label:="foo"* OR label:="bar"*)

Update: Idea refined and feature request posted to VictoriaMetrics/VictoriaLogs Issue: https://github.com/VictoriaMetrics/VictoriaLogs/issues/205

pgassmann avatar Feb 17 '25 17:02 pgassmann
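The expansion problem discussed in the comments above, as an added example that is not part of the thread or the plugin's code: a naive OR-join of a multi-value variable next to an expansion that keeps every value scoped to its field with the `field:in(...)` form. The function names are hypothetical, and JSON-style string quoting is assumed to be acceptable to LogsQL for the values shown.

```javascript
// Added example (hypothetical helpers, not the datasource plugin's code).

// Quote a value so spaces, quotes and operator words such as OR / AND inside
// it stay part of the value. Assumption: JSON string escaping is accepted.
function quote(value) {
  return JSON.stringify(String(value));
}

// Escape a variable name for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Behaviour reported in the issue: values joined with " OR " and pasted in
// place of the variable, so only the first value keeps the field prefix and
// the rest of the list binds to the neighbouring AND terms.
function naiveExpand(template, name, values) {
  return template.split("$" + name).join(values.join(" OR "));
}

// Scoped expansion: `field:$var` becomes `field:in("a","b")` (exact match on
// every value); a variable used without a field prefix is wrapped in
// parentheses so the OR list stays one term.
function scopedExpand(template, name, values) {
  const n = escapeRe(name);
  const withField = new RegExp("([\\w.]+):\\$" + n + "(?![\\w])", "g");
  const bare = new RegExp("\\$" + n + "(?![\\w])", "g");
  const inList = values.map(quote).join(",");
  const orList = values.map(quote).join(" OR ");
  return template
    .replace(withField, (_m, field) => field + ":in(" + inList + ")")
    .replace(bare, () => "(" + orList + ")");
}

// Constructed sample input, using the host names quoted in the thread.
const sampleTemplate = 'tags.host:$host AND name:="freeipa_healthcheck"';
const sampleHosts = ["backup3", "website"];

console.log(naiveExpand(sampleTemplate, "host", sampleHosts));
console.log(scopedExpand(sampleTemplate, "host", sampleHosts));
```

Because each value is quoted before it is joined, a selected value that itself contains `OR`, `AND` or a parenthesis cannot change the shape of the generated filter.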

I think this issue #238 will fix the problem with wrapping in parentheses.

arturminchukov avatar Nov 07 '25 13:11 arturminchukov