Explore data with Axiom
Learn how to filter, manipulate, extend, and summarize your data.
The Query tab provides you with robust computation and processing power to get deeper insights into your data. It enables you to filter, manipulate, extend, and summarize your data.
Use the Query tab
Go to the Query tab and choose one of the following options:
- Create a query using the visual query builder
- Create a query using APL
You can easily switch between these two methods at any point when creating the query.
Create a query using the visual query builder
- In the top left, click Builder.
- From the list, select the dataset that you want to query.
- Optional: In the Where section, create filters to narrow down the query results.
- Optional: In the Summarize section, select a way to visualize the query results.
- Optional: In the More section, specify additional options such as sorting the results or limiting the number of displayed events.
- Select the time range.
- Click Run.
See below for more information about each of these steps.
Add filters
Use the Where section to filter the results to specific events. For example, you can filter for events that originate in a specific geolocation like France.
To add a filter:
- Click + in the Where section.
- Select the field where you want to filter for values. For example, geo.country.
- Select the logical operator of the filter. These are different for each field type. For example, you can use starts-with for string fields and >= for number fields. In this example, select == for an exact match.
- Specify the value for which you want to filter. In this example, enter France.
When you run the query, the results only show events matching the criteria you specified for the filter.
Add multiple filters
You can add multiple filters and combine them with AND/OR operators. For example, you can filter for events that originate in France or Germany.
To add and combine multiple filters:
- Add a filter for France as explained in Add filters.
- Add a filter for Germany as explained in Add filters.
- Click the and operator that appears between the two filters, and then select or.
The query results display events that originate in France or Germany.
You can add groups of filters using the New Group element. Axiom supports AND/OR operators at the top level and one level deep.
Add visualizations
Axiom provides powerful visualizations that display the output of aggregate functions across your dataset. The Summarize section provides you with several ways to visualize the query results. For example, the count visualization displays the number of events matching your query over time. Some visualizations require an argument such as a field or other parameters.
For more information about visualizations, see Visualize data.
Segment data
When visualizing data, segment data into specific groups to see more clearly how the data behaves. For example, to see how many events originate in each geolocation, select the count visualization and group by geo.country.
More options
In the More section, specify the following additional options:
- By default, Axiom automatically chooses the best ordering for the query results. To specify the sorting order manually, click Sort by, and then select the field according to which you want to sort the results.
- To limit the number of events the query returns, click Limit, and then specify the maximum number of returned events.
- Specify whether to display or hide open intervals.
Select time range
When you select the time range of a query, you specify the time interval where you want to look for events.
To select the time range, choose one of the following options:
- In the top left, click Time range.
- Choose one of the following options:
  - Use the Quick range items to quickly select popular time ranges.
  - Use the Custom start/end date fields to select specific times.
Special fields
Axiom creates the following two fields automatically for a new dataset:
- _time is the timestamp of the event. If the data you ingest doesn’t have a _time field, Axiom assigns the time of the data ingest to the events.
- _sysTime is the time when you ingested the data.
In most cases, you can use _time and _sysTime interchangeably. The difference between them can be useful if you experience clock skews on your event-producing systems.
Create a query using APL
APL is a data processing language that supports filtering, extending, and summarizing data. For more information, see Introduction to APL.
Some APL queries are explained below. The pipe symbol | separates the operations as they flow from left to right, and top to bottom.
APL is case-sensitive for everything: dataset names, field names, operators, functions, etc.
Use double forward slashes (//) for comments.
APL count operator
The below query returns the number of events from the sample-http-logs dataset.
APL limit operator
The limit operator returns a random subset of rows from a dataset up to the specified number of rows. This query returns a thousand rows from sample-http-logs randomly chosen by APL.
APL summarize operator
The summarize operator produces a table that aggregates the content of the dataset. This query returns a chart of the avg(req_duration_ms), and a table of geo.city and avg(req_duration_ms) of the sample-http-logs dataset from the time range of 2 days and time interval of 4 hours.
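The three queries described above, plus the France/Germany filter from the builder walkthrough, written out in APL as an added example that is not part of the original page. It assumes the sample-http-logs dataset carries the fields the page names (req_duration_ms, geo.city, geo.country); the explicit _time filter is an assumption standing in for the time range picker.

```kusto
// Added example (not from the original page). Run each query on its own.

// 1. count operator: number of events in the dataset
['sample-http-logs']
| count

// 2. limit operator: up to 1000 rows, chosen by APL
['sample-http-logs']
| limit 1000

// 3. summarize operator: average request duration per city in 4-hour
//    bins over the last 2 days. The _time filter is an assumption that
//    replaces the time range picker.
['sample-http-logs']
| where _time > ago(2d)
| summarize avg(req_duration_ms) by bin(_time, 4h), ['geo.city']

// 4. APL form of the builder walkthrough: events from France or Germany,
//    counted per country. Field names containing dots are bracket-quoted.
['sample-http-logs']
| where ['geo.country'] == "France" or ['geo.country'] == "Germany"
| summarize count() by ['geo.country']
```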
Query results
The results view adapts to the query. This means that it adds and removes components as necessary to give you the best experience. The toolbar is always visible and gives details on the currently running or last-run query. The other components are explained below.
Query results without visualizations
When you run a query on a dataset without specifying a visualization, Axiom displays a table with the raw query results.
View event details
To view the details for an event, click the event in the table.
To configure the event details view, select one of the following in the top right corner:
- Click Navigate up or Navigate down to display the details of the next or previous event.
- Click Fit panel to results or Fit panel to viewport height to change the height of the event details view.
Select displayed fields
To select the fields to be highlighted or displayed in the table, click Toggle fields panel, and then click the fields in the list.
Select Single column for event to highlight the selected fields below the raw data for each event. Alternatively, select Column for each field to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.
Configure table options
To configure the table options, click , and then select one of the following:
- Select Wrap lines to keep the whole table within the viewport and avoid horizontal scrolling.
- Select Show timestamp to display the time field.
- Select Show event to display the raw event data in a single column and highlight the selected fields below the raw data for each event. Alternatively, clear Show event to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.
- Select Hide nulls to hide empty data points.
Event timeline
Axiom can also display an event timeline about the distribution of events across the selected time range. In the event timeline, each bar represents the number of events matched within that specific time interval. Holding the pointer over a bar reveals a blue line marking the total events and shows when those events occurred in that particular time range. To display the event timeline, click , and then click Show chart.
Query results with visualizations
When you run a query with visualizations, Axiom displays all the visualizations that you add to the query. Hold the pointer over charts to get extra detail on each result set.
Below the charts, Axiom displays a table with the totals from each of the aggregate functions for the visualizations you specify.
If the query includes group-by clauses, there is a row for each group. Hold the pointer over a group row to highlight the group’s data on time series charts. Select the checkboxes on the left to display data only for the selected rows.
Configure chart options
Click to access the following options for each chart:
- In Values, specify how to treat missing or undefined values.
- In Variant, specify the chart type. Select from area, bar, or line charts.
- In Y-Axis, specify the scale of the vertical axis. Select from linear or log scales.
- In Annotations, specify the types of annotations to display in the chart.
For more information on each option, see Configure dashboard elements.
Merge charts
When you run a query that produces several visualizations, Axiom displays the charts separately.
To merge the separately displayed charts into a single chart, click , and then select Merge charts.
Compare time periods
On time series charts, holding the pointer over a specific time shows the same marker on similar charts for easy comparison.
When you run a query with a time series visualization, you can use the Compare period menu to select a historical time against which to compare the results of your time range. For example, to compare the last hour’s average response time to the same time yesterday, select 1 hr in the time range menu, and then select -1 day from the Compare period menu. The dotted line represents results from the base date, and the totals table includes the comparative totals.
Highlight time range
In the event timeline, line charts, and heat maps, you can drag the pointer over the chart to highlight a specific time range, and then choose one of the following:
- Zoom enlarges the section of the chart you highlighted.
- Show events displays events in the selected time range in the event details view.
The time range of your query automatically updates to match what you selected.