The Query tab provides you with robust computation and processing power to get deeper insights into your data. It enables you to filter, manipulate, extend, and summarize your data.

To query your data, go to the Query tab and choose one of the following options:

You can easily switch between these methods at any point when creating the query.

Generate query using AI

Explain what you want to infer from your data in your own words and Axiom AI generates the valid APL query for you.

  1. Go to the Query tab.
  2. Click APL, and then click in the query editor.
  3. Press Cmd/Ctrl K.
  4. Type what you want to infer from your data in your own words using natural language, and then click Generate. For example, type Show me the most common status responses in HTTP logs.
  5. Axiom’s AI generates the APL query based on your prompt and gives you the following options:
    • Click Accept to update the editor with the generated query and change the generated query before running it. Any previous input in the query editor is lost.
    • Click Accept and run to update the editor with the generated query and run it immediately. Any previous input in the query editor is lost.
    • Click Reject to go back to your previous input in the query editor and close the query generator.

Iterate over prompt history

Axiom saves the prompts you type in the query generator. To find one of your previous prompts and generate an APL query for it:

  1. Go to the Query tab.
  2. Click APL, and then click in the query editor.
  3. Press Cmd/Ctrl K.
  4. Cycle through your history using the arrow keys and to find the prompt.
  5. Click Generate.

Create query using visual query builder

  1. In the top left, click Builder.
  2. From the list, select the dataset that you want to query.
  3. Optional: In the Where section, create filters to narrow down the query results.
  4. Optional: In the Summarize section, select a way to visualize the query results.
  5. Optional: In the More section, specify additional options such as sorting the results or limiting the number of displayed events.
  6. Select the time range.
  7. Click Run.

While the query runs, the status bar gives you continuous updates about the number of rows examined, matched, and returned.

See below for more information about each of these steps.

Add filters

Use the Where section to filter the results to specific events. For example, to filter for events that originate in a specific geolocation like France.

To add a filter:

  1. Click + in the Where section.
  2. Select the field where you want to filter for values. For example, geo.country.
  3. Select the logical operator of the filter. These are different for each field type. For example, you can use starts-with for string fields and >= for number fields. In this example, select == for an exact match.
  4. Specify the value for which you want to filter. In this example, enter France.

When you run the query, the results only show events matching the criteria you specified for the filter.

Run in Playground

Add multiple filters

You can add multiple filters and combine them with AND/OR operators. For example, to filter for events that originate in France or Germany.

To add and combine multiple filters:

  1. Add a filter for France as explained in Add filters.
  2. Add a filter for Germany as explained in Add filters.
  3. Click and that appears between the two filters, and then select or.

The query results display events that originate in France or Germany.

Run in Playground

You can add groups of filters using the New Group element. Axiom supports AND/OR operators at the top level and one level deep.

Add visualizations

Axiom provides powerful visualizations that display the output of aggregate functions across your dataset. The Summarize section provides you with several ways to visualize the query results. For example, the count visualization displays the number of events matching your query over time. Some visualizations require an argument such as a field or other parameters.

Run in Playground

For more information about visualizations, see Visualize data.

Segment data

When visualizing data, segment data into specific groups to see more clearly how the data behaves. For example, to see how many events originate in each geolocation, select the count visualization and group by geo.country.

Run in Playground

More options

In the More section, specify the following additional options:

  • By default, Axiom automatically chooses the best ordering for the query results. To specify the sorting order manually, click Sort by, and then select the field according to which you want to sort the results.
  • To limit the number of events the query returns, click Limit, and then specify the maximum number of returned events.
  • Specify whether to display or hide open intervals.

Select time range

When you select the time range of a query, you specify the time interval where you want to look for events.

To select the time range, choose one of the following options:

  1. In the top left, click Time range Time range.
  2. Choose one of the following options:
    • Use the Quick range items to quickly select popular time ranges.
    • Use the Custom start/end date fields to select specific times.

Special fields

Axiom creates the following two fields automatically for a new dataset:

  • _time is the timestamp of the event. If the data you ingest doesn’t have a _time field, Axiom assigns the time of the data ingest to the events.
  • _sysTime is the time when you ingested the data.

In most cases, you can use _time and _sysTime interchangeably. The difference between them can be useful if you experience clock skews on your event-producing systems.

Create query using APL

APL is a data processing language that supports filtering, extending, and summarizing data. For more information, see Introduction to APL.

Some APL queries are explained below. The pipe symbol | separates the operations as they flow from left to right, and top to bottom.

APL is case-sensitive for everything: dataset names, field names, operators, functions, etc.

Use double forward slashes (//) for comments.

APL count operator

The below query returns the number of events from the sample-http-logs dataset.

['sample-http-logs']
| summarize count()

Run in Playground

APL limit operator

The limit operator returns a random subset of rows from a dataset up to the specified number of rows. This query returns a thousand rows from sample-http-logs randomly chosen by APL.

['sample-http-logs']
| limit 1000

Run in Playground

APL summarize operator

The summarize operator produces a table that aggregates the content of the dataset. This query returns a chart of the avg(req_duration_ms), and a table of geo.city and avg(req_duration_ms) of the sample-http-logs dataset from the time range of 2 days and time interval of 4 hours.

['sample-http-logs']
| where _time > ago(2d)
| summarize avg(req_duration_ms) by _time=bin(_time, 4h), ['geo.city']

Run in Playground

Query results

The results view adapts to the query. This means that it adds and removes components as necessary to give you the best experience. The toolbar is always visible and gives details on the currently running or last-run query. The other components are explained below.

Query results without visualizations

When you run a query on a dataset without specifying a visualization, Axiom displays a table with the raw query results.

View event details

To view the details for an event, click the event in the table.

To configure the event details view, select one of the following in the top right corner:

  • Click Navigate up icon Navigate up or Navigate down icon Navigate down to display the details of the next or previous event.
  • Click Fit panel to results icon Fit panel to results or Fit panel to viewport height icon Fit panel to viewport height to change the height of the event details view.

In the event details view, click More icon More for additional options:

  • View in context opens the event in the stream of other events in the Stream tab.
  • Copy link to event
  • Copy JSON
  • Show nulls or Hide nulls toggles whether to display fields with null values.

Select displayed fields

To select the fields to be highlighted or displayed in the table, click Toggle fields panel icon Toggle fields panel, and then click the fields in the list.

Select Single column for event icon Single column for event to highlight the selected fields below the raw data for each event. Alternatively, select Column for each field icon Column for each field to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.

Configure table options

To configure the table options, click View options icon, and then select one of the following:

  • Select Wrap lines to keep the whole table within the viewport and avoid horizontal scrolling.
  • Select Show timestamp to display the time field.
  • Select Show event to display the raw event data in a single column and highlight the selected fields below the raw data for each event. Alternatively, clear Show event to display each selected field in a different column without showing the raw event data. In this view, you can resize the width of columns by dragging the borders.
  • Select Hide nulls to hide empty data points.

Event timeline

Axiom can also display an event timeline about the distribution of events across the selected time range. In the event timeline, each bar represents the number of events matched within that specific time interval. Holding the pointer over a bar reveals a blue line marking the total events and shows when those events occurred in that particular time range. To display the event timeline, click View options icon, and then click Show chart.

Query results with visualizations

When you run a query with visualizations, Axiom displays all the visualizations that you add to the query. Hold the pointer over charts to get extra detail on each result set.

Below the charts, Axiom displays a table with the totals from each of the aggregate functions for the visualizations you specify.

If the query includes group-by clauses, there is a row for each group. Hold the pointer over a group row to highlight the group’s data on time series charts. Select the checkboxes on the left to display data only for the selected rows.

Configure chart options

Click View options icon to access the following options for each chart:

  • In Values, specify how to treat missing or undefined values.
  • In Variant, specify the chart type. Select from area, bar, or line charts.
  • In Y-Axis, specify the scale of the vertical axis. Select from linear or log scales.
  • In Annotations, specify the types of annotations to display in the chart.

For more information on each option, see Configure dashboard elements.

Merge charts

When you run a query that produces several visualizations, Axiom displays the charts separately. For example:

['sample-http-logs']
| summarize percentiles_array(req_duration_ms, 50, 90, 95) by status, bin_auto(_time)

Run in Playground

To merge the separately displayed charts into a single chart, click View options icon, and then select Merge charts.

Compare time periods

On time series charts, holding the pointer over a specific time shows the same marker on similar charts for easy comparison.

When you run a query with a time series visualization, you can use the Compare period menu to select a historical time against which to compare the results of your time range. For example, to compare the last hour’s average response time to the same time yesterday, select 1 hr in the time range menu, and then select -1 day from the Compare period menu. The dotted line represents results from the base date, and the totals table includes the comparative totals.

Highlight time range

In the event timeline, line charts, and heat maps, you can drag the pointer over the chart to highlight a specific time range, and then choose one of the following:

  • Zoom enlarges the section of the chart you highlighted.
  • Show events displays events in the selected time range in the event details view.

The time range of your query automatically updates to match what you selected.

Search within query results

To quickly search for an expression and highlight its occurrences within the query results:

  1. In the query results view, press Cmd/Ctrl F.
  2. Type the expression that you want to search for. Axiom automatically highlights the matches and jumps to the first match.
  3. Press Enter repeatedly to go forward in the list of matches, and press Enter Shift to go backward.

Axiom’s search overrides the browser’s native search. Axiom’s search is more powerful because it highlights matching entries in all results returned by the query (while still respecting automatic limits). In contrast, the browser’s search can only highlight matching entries in the events rendered on your screen.

Save and export query

You can save and export the query and its results to use them in other contexts.

Save query

Save a query so that you and your team members can easily find it in the future. A saved query only includes the APL query itself, not the query results. You can later find saved queries in the Datasets tab.

Create new saved query

  1. Click Save in the top bar.
  2. Axiom AI generates a descriptive name based on the query. Accept it or edit it to fit your needs.
  3. Click Save.

Replace previously saved query

  1. Click Save in the top bar.
  2. Click Replace previously saved query.
  3. Select the existing saved query that you want to overwrite.
  4. Click Save.

Export query

To export a query and its results, click More More in the top bar to access the following options:

  • Add to dashboard lets you create dashboard elements based on the query and add them to a dashboard. For more information, see Create dashboard elements.
  • Create new monitor lets you create a monitor based on the query. For more information, see Monitors.
  • Copy link with relative time copies a link to the query where the time range is relative to the time when you open the link. For example, if the time range of the query is the last 30 minutes, using the link shows query results for the 30-minute time range before opening the link.
  • Copy link with absolute time copies a link to the query where the time range is fixed to the same time range that you see in the query when you create the link. This link shows query results for the same time range, irrespective of when you open the link.
  • Copy as JSON lets you copy the query results to your clipboard in JSON format.
  • Download as JSON lets you download the query results in JSON format.
  • Copy as CSV lets you copy the query results to your clipboard in CSV format.
  • Download as CSV lets you download the query results in CSV format.