OQL Examples

Practical, copy-pasteable queries grouped by use case. Swap in your own hostnames, namespaces, services, and metric names. For the clauses used here, see Syntax; for the columns, see Tables.

Hosts

-- Top 25 hosts by CPU, as time series
SELECT avg(cpu_user_pct) FROM host
BY host EVERY 1m LAST 1h TOP 25

-- Memory usage trend across the fleet
SELECT avg(mem_used_pct) FROM host
EVERY 5m LAST 24h

-- Current average CPU (single number)
SELECT avg(cpu_user_pct) FROM host LAST 5m

-- CPU + memory per host, side by side (ranked table)
SELECT host, avg(cpu_user_pct) AS cpu, avg(mem_used_pct) AS mem
FROM host BY host LAST 1h

-- Per-core CPU for one host (one line per core)
SELECT avg(user_pct) FROM host_cpu_core
WHERE host = 'web-1' BY core EVERY 1m LAST 1h

-- Disk space by mountpoint (bar chart)
SELECT avg(used_pct) FROM filesystem
BY mountpoint LAST 5m

-- Network traffic by interface (counters → sum per bucket)
SELECT sum(rx_bytes), sum(tx_bytes) FROM network
BY interface EVERY 5m LAST 6h TOP 10

-- Hottest processes by memory on one host
SELECT name, avg(mem_rss_bytes) AS rss FROM process
WHERE host = 'web-1' BY name LAST 15m TOP 20

Kubernetes

-- Pod CPU by namespace, as time series
SELECT sum(cpu_usage_cores) FROM k8s_pod
BY namespace EVERY 5m LAST 6h TOP 10

-- Not-ready nodes right now
SELECT node, ready, cpu_usage_pct, mem_usage_pct FROM k8s_node
WHERE ready = 0 LAST 5m

-- Workloads with missing replicas
SELECT namespace, workload_name, replicas_desired, replicas_ready
FROM k8s_workload
WHERE replicas_ready < replicas_desired LAST 5m

-- Container restarts by pod
SELECT pod, max(restarts) AS restarts FROM k8s_container
WHERE namespace = 'prod' BY pod LAST 1h TOP 20

-- Recent Warning events
SELECT timestamp, kind, name, reason, message FROM k8s_event
WHERE type = 'Warning' LAST 1h LIMIT 50

-- Evictions over time by namespace
SELECT count(*) FROM k8s_event
WHERE reason = 'Evicted' BY namespace EVERY 1h LAST 24h

Logs

-- Log volume by level (bar chart)
SELECT count(*) FROM logs BY level LAST 24h

-- Error rate over time
SELECT count(*) FROM logs
WHERE level = 'ERROR' EVERY 5m LAST 6h

-- Recent errors from nginx containers, full-text matched
SELECT timestamp, pod, message FROM logs
WHERE container LIKE 'nginx-%' AND message CONTAINS 'error'
LAST 1h LIMIT 100

-- Which pods are throwing the most errors
SELECT count(*) FROM logs
WHERE level = 'ERROR' BY pod LAST 1h TOP 20

-- Find a specific request across all logs (map attribute)
SELECT timestamp, service, message FROM logs
WHERE attributes.request_id = 'abc123' LAST 6h LIMIT 100

-- Errors for one service grouped by trace
SELECT count(*) FROM logs
WHERE service = 'checkout' AND level = 'ERROR'
BY trace_id LAST 1h TOP 25

Traces / spans

-- Latency percentiles for a service, over time
SELECT p50(duration_ns), p95(duration_ns), p99(duration_ns)
FROM spans
WHERE service = 'checkout' EVERY 1m LAST 1h

-- Error spans by service (ranked)
SELECT count(*) FROM spans
WHERE status_code = 'ERROR' BY service LAST 1h TOP 20

-- Request volume by HTTP status code (map attribute facet)
SELECT count(*) FROM spans
BY attributes.http.status_code LAST 1h

-- Slowest operations within a service
SELECT operation, p99(duration_ns) AS p99 FROM spans
WHERE service = 'checkout' BY operation LAST 1h TOP 10

-- Only POST requests, only in prod (two map attributes)
SELECT count(*) FROM spans
WHERE attributes.http.method = 'POST'
  AND resource_attributes.deployment.environment = 'prod'
EVERY 5m LAST 6h

Custom application metrics

-- Average request duration by endpoint
SELECT avg(value) FROM custom.http_request_duration
BY path EVERY 1m LAST 30m TOP 10

-- Filter by a label, facet by another (both via labels map / shorthand)
SELECT avg(value) FROM custom.http_request_duration
WHERE method = 'GET' BY path EVERY 1m LAST 30m

-- P99 of a custom latency metric
SELECT p99(value) FROM custom.http_request_duration
EVERY 1m LAST 1h

-- Sum an error counter by service
SELECT sum(value) FROM custom.http_errors_total
BY service_name LAST 1h

External metrics (databases, caches, queues)

-- PostgreSQL backends and commits for one database
SELECT postgresql.backends, postgresql.commits
FROM database
WHERE engine = 'postgresql' AND db_name = 'orders'
EVERY 1m LAST 1h

-- Peak connections (explicit aggregate overrides the default reduction)
SELECT max(postgresql.backends)
FROM database WHERE engine = 'postgresql'
EVERY 1m LAST 6h

-- Lock count for one lock mode (dimension via the attrs map)
SELECT max(postgresql.locks)
FROM database
WHERE engine = 'postgresql' AND attrs.mode = 'ExclusiveLock'
EVERY 1m LAST 1h

-- Redis commands per minute
SELECT redis.commands FROM cache
WHERE engine = 'redis' EVERY 1m LAST 1h

-- Scope external metrics to a single instance
SELECT postgresql.commits FROM database
WHERE engine = 'postgresql' AND instance = 'pg-primary'
EVERY 1m LAST 1h

Where to go next

• Run any of these in the Query Explorer and pin the result to a dashboard.
• Automate them through the Query API.
• Back to the OQL overview.