OBSERVABILITY PLATFORM
Investigate
Querying

Overview of querying

When you create dashboards, monitors, or use the Metrics Explorer, you use a query to select and filter the metrics in which you're interested, and then apply functions to them.

Chronosphere supports these languages for querying metrics data:

  • Prometheus Query Language (PromQL) - Used with Prometheus-compatible metrics. Default.
  • Graphite - Used with StatsD metrics data. Enabled on request.

Contact Chronosphere Support to set up the data sources you want to use.

To toggle the query language in use, use the method based on what you're working on:

  • Dashboards: Use the language toggle in the Query panel of a dashboard.
  • Monitors: Use the language toggle by the Query box.
  • Metrics Explorer: Use the language toggle to the right of the Explore page title.

Although Chronosphere supports both PromQL and Graphite, this document provides information only about the use of PromQL. For more details about Graphite, see the Graphite documentation (opens in a new tab).

PromQL overview

PromQL lets you select and aggregate time series data in real time.

This documentation covers an introduction to PromQL and the features and syntax most relevant to Chronosphere. For full details about PromQL, read the Prometheus documentation (opens in a new tab).

Chronosphere is 100% compatible with PromQL (opens in a new tab). If you need labels to differentiate between clusters, namespaces, and other items, the PromQL queries in existing dashboards, alerts, and recording rules need to reflect this.

Basic querying

All PromQL expressions start with a selector, which is typically the name of the metric followed by a set of labels, values, and operators. A query returns one or more time series that match the criteria. PromQL refers to these as instant vectors, as they represent a set of time series where every single data point maps to a timestamp at that instant.

|<------------name------------->|<---labels--->|

rate(node_network_receive_bytes_total{device=~"eth1"} [5m]) * 8

|<-------------------selector------------------>|   |<->|
|<-----------------------function------------------------>|  ^ operator

For example, an app updates a metric to keep a total of the bytes received by a particular node. The app names the metric node_network_receive_bytes_total.

The following query returns all time series that match the metric name:

node_network_receive_bytes_total{}

To return only time series with a specific label and value, include them in curly brackets ({}) after the metric name.

The following query returns all time series that match the metric name with a value for the device equal to eth1:

node_network_receive_bytes_total{device="eth1"}

PromQL supports dozens of arithmetic, comparison, logical, and aggregation operators. You can find a full list in the Prometheus documentation (opens in a new tab).

You can combine multiple labels and values with commas.

The following query returns all time series that match the metric name with a value for the device label equal to eth1 and a value for the instance label equal to production:

node_network_receive_bytes_total{device="eth1", instance="production"}

PromQL supports regular expression matching and negation in label queries:

  • = : Select labels equal to the provided string.
  • != : Select labels not equal to the provided string.
  • =~ : Select labels that match the provided string based on a regular expression.
  • !~ : Select labels that don't match the provided string based on a regular expression.

The following query returns all time series that match the metric name with a value that begins with eth followed by any other character for the device label:

node_network_receive_bytes_total{device=~"eth.+"}

Filter values to a range

Typically you need to filter results to a narrower range based on a time range or time range offset. PromQL refers to these as range vectors, as they represent a set of time series where every timestamp maps to a range of data points from some point in the past determined by the query.

The following query returns all time series with an offset of an hour ago that match the metric name with a value for the device label that matches the value eth0:

node_network_receive_bytes_total{device="eth0"} offset 1h

Find more details about the offset modifier in the PromQL documentation (opens in a new tab).

Generally you use PromQL to return a range vector to then use with a function to perform calculations on the resulting range of time series.

The following query returns all time series from the last ten minutes that match the metric name with a value for the device label that matches the value eth0:

node_network_receive_bytes_total{device="eth0"}[10m]

Applying functions

PromQL functions (opens in a new tab) let you perform calculations with and on your metrics data, allowing you to perform complex processing with pre-built operations.

Each function takes different arguments, but typically at minimum, an instant or range vector. You can use standard arithmetic and binary comparison operators inside and outside the function such as addition, subtraction, greater than, or less than. Using operators is one of the main methods to perform calculations on a combination of different time series. However if you apply the operator to more than one instant vectors, it only applies to matching series.

You can find more information about matching series and vectors in the PromQL documentation (opens in a new tab).

PromQL has dozens of functions, but a popular one is rate() that calculates the per-second average rate of increase of the multiple time series in a range vector.

The following query calculates the per-second average rate of increase over the last 10 minutes to the matching metric name with a value for the device label equal to eth0:

rate(node_network_receive_bytes_total{device="eth0"}[10m])

Aggregating time series

Use PromQL aggregation functions to reduce the elements in a vector returned by a query.

For example, a popular aggregation function is sum() that totals the values of resulting time series from a query and returns one element.

The following query returns the total values of all time series with an offset of five minutes ago that match the metric name with a value for the device label that matches the value eth0:

sum(node_network_receive_bytes_total{device="eth0"} offset 5m)

Another aggregation function is avg() that averages the values of resulting time series from a query and returns one element.

You can group time series by labels, returning an element for each unique value of the label using the by or without clause in a query.

  • by: Groups time series by the labels you specify.
  • without: Groups or every other labels that has differing values.

The following query returns the average values of all time series that match the metric name with a value for the device label equal to eth0 grouped by unique values for the k8s_cluster label:

avg(node_network_receive_bytes_total{device="eth0"}) by (k8s_cluster)

The interval you define in functions such as rate() and increase() must be greater than or equal to the scrape interval of the metrics which you apply the function to. The recommendation is to use at least twice the scrape interval.

Querying histograms

The Observability Platform histogram metric type persists a histogram as one data point and one time series. Query methods depend on the type of histogram you're querying.

Querying histogram metric types

A histogram of the histogram metric type is a single structured value that contains all of the information about the histogram. The Observability Platform histogram metric type supports Prometheus native histograms and OpenTelemetry exponential histograms.

To query histograms in Observability Platform, use PromQL histogram functions (opens in a new tab).

The following querying examples use a histogram metric named http_request_duration_seconds.

Rate of HTTP requests

Use the histogram_count() function to calculate the rate of HTTP requests:

histogram_count(sum(rate(http_request_duration_seconds{}[5m])))
Average HTTP request duration

Use the histogram_avg() function to query the average HTTP request duration:

histogram_avg(sum(rate(http_request_duration_seconds[5m])))
90th percentile HTTP request duration

Use the histogram_quantile() function to query the 90th percentile HTTP request duration by HTTP method and request path:

histogram_quantile(0.9, sum(rate(http_request_duration_seconds[5m])))
Percentage of HTTP requests under given latency

Service level objectives are commonly defined in tolerances by percentile, such as delivering 90% of requests in less than 200 ms and 99% of requests in less than 500 ms. Use the histogram_fraction() function to calculate the percentage of requests with responses in 200 ms or less:

histogram_fraction(0, 0.2, sum(rate(http_request_duration_seconds[5m])))

Querying legacy Prometheus histograms

If you're querying a histogram with a metric name ending in _bucket, you're querying a legacy Prometheus histogram.

A legacy Prometheus histogram is composed of individual counter time series and stored as separate time series. For example, if your histogram aggregates HTTP request observations and is named http_request_duration_seconds, the resulting time series is:

  • http_request_duration_seconds_bucket with a time series for each unique bucket. The time series has a label named le whose value represents the bucket's upper boundary.
  • http_request_duration_seconds_sum, the sum of all observed values.
  • http_request_duration_seconds_count, the total count of all observed values.

The scrape endpoint exposes:

http_request_duration_seconds_bucket{le="0.1"} 2764
http_request_duration_seconds_bucket{le="0.25"} 3653
http_request_duration_seconds_bucket{le="0.5"} 8735
http_request_duration_seconds_bucket{le="0.75"} 12763
http_request_duration_seconds_bucket{le="1"} 13172
http_request_duration_seconds_bucket{le="+Inf"} 13865
http_request_duration_seconds_sum 7732
http_request_duration_seconds_count 13865

Using http_request_duration_seconds as an example, you can write the following PromQL queries:

Rate of HTTP requests (legacy)

Use the rate() function and the _count time series to calculate the rate of HTTP requests:

sum(rate(http_request_duration_seconds_count[5m]))
Average HTTP request duration (legacy)

Query the average HTTP request duration by diving the sum of observations by the count of observations:

sum(rate(http_request_duration_seconds_sum[5m])) / sum(rate(http_request_duration_seconds_count[5m]))
90th percentile HTTP request duration (legacy)

Use the histogram_quantile() function to get the 90th percentile HTTP request duration by HTTP method and request path:

histogram_quantile(0.9, sum by(le)(rate(http_request_duration_seconds_bucket[5m])))

Custom functions

In addition to the standard PromQL functions, Chronosphere supports the following custom functions:

head_{agg}

head_{agg}(q, n) sorts the time series by the largest value based on the specified aggregation function and returns the top n number of series.

The list of available aggregation functions are:

  • avg
  • min
  • max
  • sum
  • count

For example, head_avg(MY_METRIC{}, 10) returns the top 10 time series sorted by the largest average of their values.

In most cases, head_{agg}() is appropriate. However, if you have time series with a high churn rate, such as metrics that track Kubernetes pod level data, use topk(). This is because the head_{agg} family of functions aggregates across all time series in the graph, and if you have a metric with high churns, you can miss outliers (depending on their values). In contrast, topk() takes the top x time series based on their value at each timestamp.

tail_{agg}

tail_{agg} sorts the time series by the largest value based on the specified aggregation function and returns the bottom n number of series.

The list of available aggregation functions are:

  • avg
  • min
  • max
  • sum
  • count

For example, tail_avg(MY_METRIC{}, 10) returns the bottom 10 time series sorted by the largest average of their values.

In most cases, tail_{agg}() is appropriate. However, if you have times series with a high churn rate, such as metrics that track Kubernetes pod level data, use bottomk(). This is because the tail_{agg} family of functions aggregates across all time series in the graph, and if you have a metric with high churns, you can miss outliers (depending on their values). In contrast, bottomk() takes the bottom x time series based on their value at each timestamp.

Access the Prometheus APIs

Chronosphere exposes the Prometheus API endpoints. Read the Prometheus API overview documentation for more details.

DictionaryQuery Builder