SigNoz / signoz

SigNoz is an open-source observability platform native to OpenTelemetry with logs, traces and metrics in a single application. An open-source alternative to DataDog, NewRelic, etc. 🔥 🖥. 👉 Open source Application Performance Monitoring (APM) & Observability tool
https://signoz.io

Querying logs using count.distinct #5873

Open KieranP opened 2 months ago

KieranP commented 2 months ago

Bug description

Logs explorer - Attempting to return distinct count of users from logs

Have tried this:

[Screenshot 2024-09-06 at 4 08 56 PM]

and this:

[Screenshot 2024-09-06 at 4 09 22 PM]

without success.

body.usr.id is not a misspelling, the structure of the log body is:

{
  "usr": {
    "id": "09f1d3ced0277162b66901ea"
  }
}

Filtering works fine, using this as the filter returns all results with a body.usr.id value.

body.usr.id EXISTS 

Am I going about this the wrong way? If I have 100 logs, what is the right way to get a count of distinct user ids?

Expected behavior

For comparison, the same logs are being processed by Datadog. This is the query I use in Datadog which returns the correct data using the same logs:

[Screenshot 2024-09-06 at 4 10 29 PM]


welcome[bot] commented 2 months ago

Thanks for opening this issue. A team member should give feedback soon. In the meantime, feel free to check out the contributing guidelines.

nityanandagohain commented 2 months ago

Hi, if your body is JSON, then filtering works on the nested JSON body, but for group by, please extract it using pipelines and then create an attribute. You will be able to group by after that.

https://signoz.io/docs/logs-pipelines/guides/json/
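
The steps the reply above describes (parse the JSON body, promote the nested field to an attribute, then aggregate on it), emulated offline in Python as an added example; this is not SigNoz code or pipeline configuration and not from any participant in this thread. The function names and sample logs are constructed for illustration, and `usr.id` as the resulting attribute name is an assumption.

```python
import json

def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys: {"usr": {"id": 1}} -> {"usr.id": 1}."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def promote_body(record):
    """Emulate a parse-JSON pipeline step: copy body fields into attributes."""
    attrs = dict(record.get("attributes", {}))
    try:
        parsed = json.loads(record.get("body"))
    except (json.JSONDecodeError, TypeError):
        parsed = None  # plain-text or missing body: nothing to promote
    if isinstance(parsed, dict):
        attrs.update(flatten(parsed))
    return {**record, "attributes": attrs}

def count_distinct(records, attribute):
    """Distinct non-null values of an attribute; records without it are skipped."""
    # json.dumps keeps non-scalar values (lists) hashable and comparable.
    return len({json.dumps(r["attributes"][attribute], sort_keys=True)
                for r in records
                if r["attributes"].get(attribute) is not None})

# Constructed sample logs; only the first user id appears in the issue.
SAMPLE_LOGS = [
    {"body": '{"usr": {"id": "09f1d3ced0277162b66901ea"}, "msg": "login"}'},
    {"body": '{"usr": {"id": "09f1d3ced0277162b66901ea"}, "msg": "view"}'},
    {"body": '{"usr": {"id": "aaaaaaaaaaaaaaaaaaaaaaaa"}, "msg": "login"}'},
    {"body": '{"msg": "healthcheck"}'},       # JSON body without usr.id
    {"body": "plain text line, not JSON"},    # body that is not JSON at all
]

if __name__ == "__main__":
    processed = [promote_body(r) for r in SAMPLE_LOGS]
    print(count_distinct(processed, "usr.id"))
```

Running the same logic over an export of the real logs gives an independent figure to compare against whatever the query builder reports once the attribute exists.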

KieranP commented 2 months ago

Hmm, ok, I'll give that a go when I'm back at work next week. Admittedly, it is a bit difficult to understand when to use serviceName vs service_name vs service.name, and then throw into the mix whether any of those actually work in the filter field, group field, etc. across Trace views, Log views and processing, dashboards, etc. As I've been setting up SigNoz, I've had to try dozens of permutations to get things right. Might pay to publish a guide of what to use and when.

nityanandagohain commented 1 month ago

Hi @KieranP, it's very unlikely that you will see serviceName/service_name/service.name, unless this attribute is not standardised across applications that are sending those logs. Did you check if some of your services are sending serviceName while others are sending service_name?

KieranP commented 1 month ago

@nityanandagohain Sorry, I meant that some parts of the app seem to require the "level1.level2" type syntax when querying, others require "level1_level2", and still others "level1Level2". It's not always clear which should be used and where.

This docs page shows all three usages, but they don't seem to be interchangeable: https://signoz.io/docs/userguide/query-builder/ (service.name in filter, service_name in spatial aggregation, serviceName in group by/legend format). For simplicity, it'd be great to change everything to use the service.name syntax.

nityanandagohain commented 1 month ago

Thanks for pointing it out, @KieranP.

@Calm-Rock, please add the above to docs enhancements.