The Query tab provides you with robust computation and processing power to get deeper insights into your data. It enables you to filter, manipulate, extend, and summarize your data.

Use the Query tab

Go to the Query tab and choose one of the following options:

You can easily switch between these two methods at any point when creating the query.

Create a query using the visual query builder

  1. In the top left, click Builder.
  2. From the list, select the dataset that you want to query.
  3. Optional: In the Where section, create filters to narrow down the query results.
  4. Optional: In the Summarize section, select a way to visualize the query results.
  5. Optional: In the More section, specify additional options such as sorting the results or limiting the number of displayed events.
  6. Select the time range.
  7. Click Run.

See below for more information about each of these steps.

Add filters

Use the Where section to filter the results to specific events. For example, to filter for events that originate in a specific geolocation like France.

To add a filter:

  1. Click + in the Where section.
  2. Select the field where you want to filter for values. For example, geo.country.
  3. Select the logical operator of the filter. These are different for each field type. For example, you can use starts-with for string fields and >= for number fields. In this example, select == for an exact match.
  4. Specify the value for which you want to filter. In this example, enter France.

When you run the query, the results only show events matching the criteria you specified for the filter.

Run in Playground

Add multiple filters

You can add multiple filters and combine them with AND/OR operators. For example, to filter for events that originate in France or Germany.

To add and combine multiple filters:

  1. Add a filter for France as explained in Add filters.
  2. Add a filter for Germany as explained in Add filters.
  3. Click and that appears between the two filters, and then select or.

The query results display events that originate in France or Germany.

Run in Playground

You can add groups of filters using the New Group element. Axiom supports AND/OR operators at the top level and one level deep.

Add visualizations

Axiom provides powerful visualizations that display the output of aggregate functions across your dataset. The Summarize section provides you with several ways to visualize the query results. For example, the count visualization displays the number of events matching your query over time. Some visualizations require an argument such as a field or other parameters.

Run in Playground

For more information about visualizations, see Visualize data.

Segment data

When visualizing data, segment data into specific groups to see more clearly how the data behaves. For example, to see how many events originate in each geolocation, select the count visualization and group by geo.country.

Run in Playground

More options

In the More section, specify the following additional options:

  • By default, Axiom automatically chooses the best ordering for the query results. To specify the sorting order manually, click Sort by, and then select the field according to which you want to sort the results.
  • To limit the number of events the query returns, click Limit, and then specify the maximum number of returned events.
  • Specify whether to display or hide open intervals.

Select time range

When you select the time range of a query, you specify the time interval where you want to look for events.

To select the time range, choose one of the following options:

  1. In the top left, click Time range Time range.
  2. Choose one of the following options:
    • Use the Quick range items to quickly select popular time ranges.
    • Use the Custom start/end date fields to select specific times.

Special fields

Axiom creates the following two fields automatically for a new dataset:

  • _time is the timestamp of the event. If the data you ingest doesn’t have a _time field, Axiom assigns the time of the data ingest to the events.
  • _sysTime is the time when you ingested the data.

In most cases, you can use _time and _sysTime interchangeably. The difference between them can be useful if you experience clock skews on your event-producing systems.

Create a query using APL

APL is a data processing language that supports filtering, extending, and summarizing data. For more information, see Introduction to APL.

Some APL queries are explained below. The pipe symbol | separates the operations as they flow from left to right, and top to bottom.

APL is case-sensitive for everything: dataset names, field names, operators, functions, etc.

Use double forward slashes (//) for comments.

APL count operator

The below query returns the number of events from the sample-http-logs dataset.

['sample-http-logs']
| summarize count()

Run in Playground

APL limit operator

The limit operator returns a random subset of rows from a dataset up to the specified number of rows. This query returns a thousand rows from sample-http-logs randomly chosen by APL.

['sample-http-logs']
| limit 1000

Run in Playground

APL summarize operator

The summarize operator produces a table that aggregates the content of the dataset. This query returns a chart of the avg(req_duration_ms), and a table of geo.city and avg(req_duration_ms) of the sample-http-logs dataset from the time range of 2 days and time interval of 4 hours.

['sample-http-logs']
| where _time > ago(2d)
| summarize avg(req_duration_ms) by _time=bin(_time, 4h), ['geo.city']

Run in Playground

Query results

The results view adapts to the query. This means that it adds and removes components as necessary to give you the best experience. The toolbar is always visible and gives details on the currently running or last-run query. The other components are explained below.

Query results without visualizations

When you run a query on a dataset without specifying a visualization, Axiom displays a table with the raw query results.

View event details

To view the details for an event, click the event in the table.

To configure the event details view, select one of the following in the top right corner:

  • Click Navigate up icon Navigate up or Navigate down icon Navigate down to display the details of the next or previous event.
  • Click Fit panel to results icon Fit panel to results or Fit panel to viewport height icon Fit panel to viewport height to change the height of the event details view.

Select displayed fields

To select the fields to be highlighted or displayed in the table, click Toggle fields panel icon Toggle fields panel, and then click the fields in the list.

Select Single column for event icon Single column for event to highlight the selected fields below the raw data for each event. Alternatively, select Column for each field icon Column for each field to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.

Configure table options

To configure the table options, click View options icon, and then select one of the following:

  • Select Wrap lines to keep the whole table within the viewport and avoid horizontal scrolling.
  • Select Show timestamp to display the time field.
  • Select Show event to display the raw event data in a single column and highlight the selected fields below the raw data for each event. Alternatively, clear Show event to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.
  • Select Hide nulls to hide empty data points.

Event timeline

Axiom can also display an event timeline about the distribution of events across the selected time range. In the event timeline, each bar represents the number of events matched within that specific time interval. Holding the pointer over a bar reveals a blue line marking the total events and shows when those events occurred in that particular time range. To display the event timeline, click View options icon, and then click Show chart.

Query results with visualizations

When you run a query with visualizations, Axiom displays all the visualizations that you add to the query. Hold the pointer over charts to get extra detail on each result set.

Below the charts, Axiom displays a table with the totals from each of the aggregate functions for the visualizations you specify.

If the query includes group-by clauses, there is a row for each group. Hold the pointer over a group row to highlight the group’s data on time series charts. Select the checkboxes on the left to display data only for the selected rows.

Configure chart options

Click View options icon to access the following options for each chart:

  • In Values, specify how to treat missing or undefined values.
  • In Variant, specify the chart type. Select from area, bar, or line charts.
  • In Y-Axis, specify the scale of the vertical axis. Select from linear or log scales.
  • In Annotations, specify the types of annotations to display in the chart.

For more information on each option, see Configure dashboard elements.

Merge charts

When you run a query that produces several visualizations, Axiom displays the charts separately. For example:

['sample-http-logs']
| summarize percentiles_array(req_duration_ms, 50, 90, 95) by status, bin_auto(_time)

Run in Playground

To merge the separately displayed charts into a single chart, click View options icon, and then select Merge charts.

Compare time periods

On time series charts, holding the pointer over a specific time shows the same marker on similar charts for easy comparison.

When you run a query with a time series visualization, you can use the Compare period menu to select a historical time against which to compare the results of your time range. For example, to compare the last hour’s average response time to the same time yesterday, select 1 hr in the time range menu, and then select -1 day from the Compare period menu. The dotted line represents results from the base date, and the totals table includes the comparative totals.

Highlight time range

In the event timeline, line charts, and heat maps, you can drag the pointer over the chart to highlight a specific time range, and then choose one of the following:

  • Zoom enlarges the section of the chart you highlighted.
  • Show events displays events in the selected time range in the event details view.

The time range of your query automatically updates to match what you selected.