OQL Tables
FROM names exactly one table. This page lists the queryable tables and the key
columns of each — enough to write real queries. The lists are representative, not
exhaustive; for the complete, always-current set of columns, use the schema browser in
the Query Explorer, which autocompletes every table and
column (including the external-metric virtual columns).
Every table has a timestamp column and is filtered by your time window automatically —
you never write timestamp in WHERE yourself; use LAST / BETWEEN instead.
Map columns and the dot accessor
Several tables carry schemaless key→value maps that hold attributes too varied to be typed columns:
| Map column | Where it appears | Holds |
|---|---|---|
| attributes | spans, logs | Per-event OTel attributes (http.method, request_id, …) |
| resource_attributes | spans, logs | Emitter attributes (service.*, host.name, k8s.*, …) |
| labels | custom | All metric labels |
| attrs | database / cache / mq | Residual metric dimensions (mode, state, …) |
Read one key out of a map with the dot accessor — the map column name, then the key (which may itself contain dots):
SELECT count(*) FROM spans WHERE attributes.http.method = 'POST' LAST 1h
SELECT count(*) FROM logs BY resource_attributes.service.name LAST 1h
See Syntax → Map attributes for the full rules.
Host metrics
System metrics collected by the Hexcovery agent, one signal type per table.
host — system CPU, memory, load
| Column | Notes |
|---|---|
| host | Hostname |
| host_id | Stable UUID for the host |
| cpu_user_pct, cpu_system_pct, cpu_idle_pct, cpu_iowait_pct | CPU breakdown (gauge %) |
| cpu_count | Logical CPU count |
| mem_used_pct, mem_used_bytes, mem_available_bytes, mem_total_bytes | Memory |
| swap_used_pct | Swap |
| load_1, load_5, load_15 | Load averages |
| procs_running, procs_blocked, procs_total | Process counts |
host_cpu_core — per-core CPU
One row per (host, core) — the per-core breakdown of host.
| Column | Notes |
|---|---|
| host, host_id | Host identity |
| core | 0-based core index |
| user_pct | Per-core CPU user-mode % |
disk — per-device I/O
One row per (host, device). The byte/op columns are counters.
| Column | Notes |
|---|---|
| host, device | Identity (sda, nvme0n1) |
| read_bytes, write_bytes | Bytes (counter) |
| reads_completed, writes_completed | Operations (counter) |
| io_in_progress | In-flight I/O (gauge) |
filesystem — per-mountpoint space
One row per (host, mountpoint).
| Column | Notes |
|---|---|
| host, mountpoint, device, fstype | Identity |
| used_pct, used_bytes, free_bytes, total_bytes | Space |
| inodes_used_pct | Inode usage |
network — per-interface traffic
One row per (host, interface). All byte/packet columns are counters.
| Column | Notes |
|---|---|
| host, interface | Identity (eth0) |
| rx_bytes, tx_bytes | Bytes in/out (counter) |
| rx_packets, tx_packets, rx_errors, tx_errors, rx_dropped, tx_dropped | Counters |
process — per-process resources
One row per process.
| Column | Notes |
|---|---|
| host, name, pid, user | Identity |
| cpu_total_pct, cpu_user_pct, cpu_system_pct | CPU |
| mem_rss_bytes, mem_rss_pct | Memory |
| state, container_id, cgroup | State / container correlation |
Kubernetes
One table per Kubernetes object kind. All share cluster and (where relevant)
namespace, pod, node.
k8s_node
node, cpu_usage_pct, mem_usage_pct, cpu_usage_cores, mem_usage_bytes,
pods_running, ready, memory_pressure, disk_pressure.
k8s_namespace
namespace, pods_running, pods_pending, pods_failed, cpu_usage_cores,
mem_usage_bytes, cpu_requests_pct, restarts_total.
k8s_pod
namespace, pod, node, phase, workload_type, workload_name,
cpu_usage_cores, mem_usage_bytes, restarts, qos_class.
k8s_container
namespace, pod, container, image, state, ready, restarts,
cpu_usage_cores, mem_usage_bytes, last_terminated_reason.
k8s_workload
namespace, workload_type, workload_name, replicas_desired, replicas_ready,
replicas_available, replicas_unavailable.
k8s_job
namespace, job_name, owner_kind, owner_name, condition, active,
succeeded, failed, duration_seconds.
k8s_hpa
namespace, hpa_name, target_name, min_replicas, max_replicas,
current_replicas, desired_replicas, cpu_current_pct.
k8s_pvc
namespace, pvc_name, storage_class, capacity_bytes, used_bytes,
available_bytes, phase.
k8s_event
namespace, kind, name, type (Normal/Warning), reason, message, count.
SELECT timestamp, kind, name, reason, message FROM k8s_event
WHERE type = 'Warning' LAST 1h LIMIT 50
logs
Application and system log lines, with a token bloom-filter index on message for fast
CONTAINS search.
| Column | Notes |
|---|---|
| level | TRACE/DEBUG/INFO/WARN/ERROR/FATAL |
| message | The log text — searchable with CONTAINS |
| source | file / journald / container / k8s_event |
| host, cluster, namespace, pod, container | Origin |
| service, service_namespace | Service identity (the UI's "Project") |
| trace_id, span_id | Trace correlation (empty when no trace context) |
| file_path, unit | Source-specific (file path, systemd unit) |
| attributes | Per-event fields (map) — WHERE attributes.request_id = '…' |
| resource_attributes | Emitter fields (map) |
spans
OpenTelemetry trace spans from application SDKs.
| Column | Notes |
|---|---|
| trace_id, span_id, parent_span_id | Span/trace identity |
| service, service_namespace | Emitting service / Project |
| operation | Span name |
| duration_ns | Duration in nanoseconds — aggregate with percentiles |
| status_code | OK / ERROR / UNSET |
| kind | client/server/internal/producer/consumer |
| host | From the SDK's host.name resource attribute |
| attributes | Span attributes (map) — WHERE attributes.http.method = 'POST' |
| resource_attributes | Resource attributes (map) |
custom — custom application metrics
A flexible name/value/labels table for Prometheus scrapes and custom OTLP metrics. Query
it via the custom.<metric> shorthand (see
Syntax → custom.<metric>).
| Column | Notes |
|---|---|
| name | Metric name (set by custom.<metric>) |
| value | The numeric value to aggregate |
| host, namespace, job | Promoted labels (real columns) |
| labels | Every label (map) — bare WHERE foo = ... reads labels['foo'] here |
SELECT avg(value) FROM custom.http_request_duration
WHERE method = 'GET' BY path EVERY 1m LAST 30m TOP 10
External-metric tables (database / cache / mq)
These three virtual tables expose metrics collected from infrastructure via
OpenTelemetry receivers — PostgreSQL/MySQL (database), Redis (cache), Kafka/RabbitMQ
(mq). They are the metrics lens over your External Services (see
Services, External Services, and Projects).
Their columns are the native metric names of the receiver, written with a dot —
postgresql.commits, postgresql.backends, redis.commands, kafka.…:
SELECT postgresql.backends, postgresql.commits
FROM database
WHERE engine = 'postgresql' AND db_name = 'orders'
EVERY 1m LAST 1h
How a metric column reduces over a bucket:
- A bare metric column uses the instrument's natural reduction: avg for gauges, the window increase (max − min) for monotonic counters.
- An explicit aggregate overrides it — max(postgresql.backends) gives the peak. (There's no rate(); derive per-second rates from the increase.)
Scoping columns — filter these directly:
| Column | Tables | Meaning |
|---|---|---|
| engine | all | postgresql, redis, kafka, … |
| instance | all | The normalized instance identity |
| service_namespace | all | Owning Project (once the entity has graduated) |
| db_name | database | Database name |
Dimensions beyond those live in the attrs map and use the dot accessor:
SELECT max(postgresql.locks)
FROM database WHERE engine = 'postgresql' AND attrs.mode = 'ExclusiveLock'
EVERY 1m LAST 1h
SELECT * on these tables returns the raw long-format rows (no pivot).
What's available depends on what you collect
The exact metric columns come from each receiver's catalog and only appear once that receiver is shipping data. The Explorer's schema browser shows the live set for your Organization.