Heroic uses a JSON-based language to define queries. This can also be expressed using an experimental DSL called HQL (Heroic Query Language).
Queries have the following structure.
<aggregation>
[from <source>]
[where <filter>]
[as <key>=<value>[,<key>=<value>]]
[with <key>=<value>[,<key>=<value>]];
References have the following structures.
let $<name> = <query>;
Complex Queries are queries referencing other queries through a reference. The following is an example of this
let $a = average by host | sum by site;
$a / shift($a, -7d) - 1.0
where what = cpu-usage and role = heroic;
The following is a complete example of a HQL-based query:
average by host | sum by site
from points(1d)
where role=heroic and what=cpu-idle
with size=5m
JSON is typically used when a query is built programatically because the structure is unambigious in terms of precedence and escaping. There is also a ton of language support for it, and it meshes well with restful APIs.
The HQL was developed to make it easier for humans to express queries or filters in a manner which is more convenient.
The language is infix, and simple strings do not have to be escaped (e.g. host
vs. "host"
)
A primary Goal of the HQL is that it should act as a complement to the JSON queries. Any query can be expressed either in JSON or HQL.
The following is an example filter expressed both in a JSON, and in the HQL.
$key = "hello kitty" and host = foo.example.com
["and", ["$key", "hello kitty"], ["=", "host", "foo.example.com"]]
To test this principle you can fire up the Heroic Shell and run the following commands:
$ tools/heroic-shell
heroic> parse-query --no-indent "average by host | sum by site"
{"aggregation":{"type":"chain","chain":[{"type":"group","of":["host"],"each":{"type":"sum"}},{"type":"average"}]}}
Main Article: Aggregations
Aggregations are expressed as function calls, or typed documents. Aggregations can be done on both tags and resource identifiers. See the following example using the sum aggregation.
|
|
A filter reduces the number of selected time series, if no filter (or the true filter) is used, then it is implied that all time series in the database is selected.
Description | Parsed | JSON | |
---|---|---|---|
And | Matches if all child statements match.true if empty. |
|
|
Or | Matches if any child statements match.false if empty. |
|
|
Not | Matches if child statement does not match. |
|
|
Override Grouping | Override grouping. |
|
|
Description | Parsed | JSON | |
---|---|---|---|
Tag Matches | Tag foo equals to bar. |
|
|
Tag Does Not Match | Tag foo does not equal to bar. |
|
|
Tag In | Tag foo equals to either bar or baz. |
|
|
Tag Not In | Tag foo does not equal to either bar or baz. |
|
|
Tag Exists | Tag foo exists. |
|
|
Tag Does Not Exists | Tag foo does not exist. |
|
|
Tag Prefixed With | Tag foo is prefixed with bar. |
|
|
Tag Not Prefixed With | Tag foo is not prefixed with bar. |
|
|
True | True. |
|
|
False | False. |
|
|
RegEx On Tag | Regular expressions on tags. |
|
|
Custom Filters | Details in the next section. |
|
|
When you need to select series using a more complex syntax than that available through the basic tag suggestions, you can create custom filters. These can take advantage of the HQL format of the above filters.
Suppose you want to look at unsuccessful incoming requests. How do we select the unsuccessful ones from all the other incoming requests? One way is to create a custom filter like this:
result in ["fail", "drop"]
Suppose you want to exclude a single host from your query. The way to accomplish this is to use a custom filter like this:
host != "myhost.example.net"
If you want to exclude more than one host, you could use a not in expression to exclude multiple values for the same tag, like this:
host not in ["myhost1.example.net", "myhost2.example.net"]
Simple String | String made up of a limited set of characters for convenience. It must not match a parsed keyword. |
|
---|---|---|
Quoted String | String which is quoted to support any set of characters. Supports the same escape sequences as Java. |
|
Addition |
|
Valid operands are:
<string> + <string> ,
and <number> + <number> .
|
---|---|---|
Subtraction |
|
Valid operands are:
<number> - <number> .
|
$key |
Can be used in most places a tag is expected. It indicates that the given expression should match the special field key instead of a tag. |
$now |
Expands to the current (server-side) timestamp in milliseconds. |
Durations are represented as a numeric component with a suffix, like 3H
Valid suffixes are:
Durations support arithmetic expressions with each other and numbers.
The following is a valid expression:
$now - (1d + 1H)