Using PromQL in Chronosphere Observability Platform

Prometheus Query Language (PromQL) lets you select and aggregate time series data in real time.

This documentation provides an introduction to PromQL and the features and syntax most relevant to Chronosphere Observability Platform. For full details about PromQL, read the Prometheus documentation (opens in a new tab).

Observability Platform is fully compatible with PromQL (opens in a new tab). If you need labels to differentiate between clusters, namespaces, and other items, the PromQL queries in existing dashboards, alerts, and recording rules need to reflect this.

Basic querying

All PromQL expressions start with a selector, which is typically the name of the metric followed by a set of labels, values, and operators. A query returns one or more time series that match the criteria. PromQL refers to these as instant vectors because they represent a set of time series where every single data point maps to a timestamp at that instant.

|<------------name------------->|<---labels--->|

rate(node_network_receive_bytes_total{device=~"eth1"} [5m]) * 8

|<-------------------selector------------------>|   |<->|
|<-----------------------function------------------------>|  ^ operator

For example, an app updates a metric to keep a total of the bytes received by a particular node. The app names the metric node_network_receive_bytes_total.

The following query returns all time series that match the metric name:

node_network_receive_bytes_total{}

To return only time series with a specific label and value, include them in curly brackets ({}) after the metric name.

The following query returns all time series that match the metric name with a value for the device equal to eth1:

node_network_receive_bytes_total{device="eth1"}

PromQL supports dozens of arithmetic, comparison, logical, and aggregation operators. You can find a full list in the Prometheus documentation (opens in a new tab).

You can combine multiple labels and values with commas.

The following query returns all time series that match the metric name with a value for the device label equal to eth1 and a value for the instance label equal to production:

node_network_receive_bytes_total{device="eth1", instance="production"}

PromQL supports regular expression matching and negation in label queries:

• = : Select labels equal to the provided string.
• != : Select labels not equal to the provided string.
• =~ : Select labels that match the provided string based on a regular expression.
• !~ : Select labels that don't match the provided string based on a regular expression.

The following query returns all time series that match the metric name with a value that begins with eth followed by any other character for the device label:

node_network_receive_bytes_total{device=~"eth.+"}

Filter values to a range

Typically you need to filter results to a narrower range based on a time range or time range offset. PromQL refers to these as range vectors, as they represent a set of time series where every timestamp maps to a range of data points from some point in the past determined by the query.

The following query returns all time series with an offset of an hour ago that match the metric name with a value for the device label that matches the value eth0:

node_network_receive_bytes_total{device="eth0"} offset 1h

Find more details about the offset modifier in the PromQL documentation (opens in a new tab).

Generally you use PromQL to return a range vector to then use with a function to perform calculations on the resulting range of time series.

The following query returns all time series from the last ten minutes that match the metric name with a value for the device label that matches the value eth0:

node_network_receive_bytes_total{device="eth0"}[10m]

Applying functions

PromQL functions (opens in a new tab) perform calculations with and on your metrics data, letting you complete complex processing with pre-built operations.

Each function takes different arguments, but typically at minimum, an instant or range vector. You can use standard arithmetic and binary comparison operators inside and outside the function such as addition, subtraction, greater than, or less than. Using operators is one of the main methods to perform calculations on a combination of different time series. However if you apply the operator to more than one instant vectors, it applies only to matching series.

You can find more information about matching series and vectors in the PromQL documentation (opens in a new tab).

PromQL has dozens of functions, but a popular one is rate(), which calculates the per-second average rate of increase of the multiple time series in a range vector.

The following query calculates the per-second average rate of increase over the last 10 minutes to the matching metric name with a value for the device label equal to eth0:

rate(node_network_receive_bytes_total{device="eth0"}[10m])

Aggregating time series

Use PromQL aggregation functions to reduce the elements in a vector returned by a query.

For example, a popular aggregation function is sum(), which totals the values of resulting time series from a query and returns one element.

The following query returns the total values of all time series with an offset of five minutes ago that match the metric name with a value for the device label that matches the value eth0:

sum(node_network_receive_bytes_total{device="eth0"} offset 5m)

Another aggregation function is avg(), which averages the values of resulting time series from a query and returns one element.

You can group time series by labels, returning an element for each unique value of the label using the by or without clause in a query.

• by: Groups time series by the labels you specify.
• without: Groups or every other labels that has differing values.

The following query returns the average values of all time series that match the metric name with a value for the device label equal to eth0 grouped by unique values for the k8s_cluster label:

avg(node_network_receive_bytes_total{device="eth0"}) by (k8s_cluster)

Querying histograms

The Observability Platform histogram metric type persists a histogram as one data point and one time series. Query methods depend on the type of histogram you're querying.

Querying histogram metric types

A histogram of the histogram metric type is a single structured value that contains all of the information about the histogram. The Observability Platform histogram metric type supports Prometheus native histograms and OpenTelemetry exponential histograms.

To query histograms in Observability Platform, use PromQL histogram functions (opens in a new tab).

The following querying examples use a histogram metric named http_request_duration_seconds. If the metric being queried instead uses delta temporality, replace uses of the rate() function in these examples with sum_per_second() and ensure that the step value equals the sliding time window's value. For more information, see Querying delta temporality metrics.

Rate of HTTP requests

Use the histogram_count() function to calculate the rate of HTTP requests:

histogram_count(sum(rate(http_request_duration_seconds{}[5m])))

Average HTTP request duration

Use the histogram_avg() function to query the average HTTP request duration:

histogram_avg(sum(rate(http_request_duration_seconds[5m])))

90th percentile HTTP request duration

Use the histogram_quantile() function to query the 90th percentile HTTP request duration by HTTP method and request path:

histogram_quantile(0.9, sum(rate(http_request_duration_seconds[5m])))

Percentage of HTTP requests under given latency

Service level objectives are commonly defined in tolerances by percentile, such as delivering 90% of requests in less than 200 ms and 99% of requests in less than 500 ms. Use the histogram_fraction() function to calculate the percentage of requests with responses in 200 ms or less:

histogram_fraction(0, 0.2, sum(rate(http_request_duration_seconds[5m])))

Querying legacy Prometheus histograms

If you're querying a histogram with a metric name ending in _bucket, you're querying a legacy Prometheus histogram.

A legacy Prometheus histogram is composed of individual counter time series and stored as separate time series. For example, if your histogram aggregates HTTP request observations and is named http_request_duration_seconds, the resulting time series is:

• http_request_duration_seconds_bucket with a time series for each unique bucket. The time series has a label named le whose value represents the bucket's upper boundary.
• http_request_duration_seconds_sum, the sum of all observed values.
• http_request_duration_seconds_count, the total count of all observed values.

The scrape endpoint exposes:

http_request_duration_seconds_bucket{le="0.1"} 2764
http_request_duration_seconds_bucket{le="0.25"} 3653
http_request_duration_seconds_bucket{le="0.5"} 8735
http_request_duration_seconds_bucket{le="0.75"} 12763
http_request_duration_seconds_bucket{le="1"} 13172
http_request_duration_seconds_bucket{le="+Inf"} 13865
http_request_duration_seconds_sum 7732
http_request_duration_seconds_count 13865

Using http_request_duration_seconds as an example, you can write the following PromQL queries:

Rate of HTTP requests (legacy)

Use the rate() function and the _count time series to calculate the rate of HTTP requests:

sum(rate(http_request_duration_seconds_count[5m]))

Average HTTP request duration (legacy)

Query the average HTTP request duration by diving the sum of observations by the count of observations:

sum(rate(http_request_duration_seconds_sum[5m])) / sum(rate(http_request_duration_seconds_count[5m]))

90th percentile HTTP request duration (legacy)

Use the histogram_quantile() function to get the 90th percentile HTTP request duration by HTTP method and request path:

histogram_quantile(0.9, sum by(le)(rate(http_request_duration_seconds_bucket[5m])))

Custom functions

In addition to the standard PromQL functions, Chronosphere supports the following custom functions:

head_{agg}

head_{agg}(q, n) sorts the time series by the largest value based on the specified aggregation function and returns the top n number of series.

The list of available aggregation functions are:

• avg
• min
• max
• sum
• count

For example, head_avg(MY_METRIC{}, 10) returns the top 10 time series sorted by the largest average of their values.

In most cases, head_{agg}() is appropriate. However, if you have time series with a high churn rate, such as metrics that track Kubernetes pod level data, use topk(). This is because the head_{agg} family of functions aggregates across all time series in the graph, and if you have a metric with high churns, you can miss outliers (depending on their values). In contrast, topk() takes the top x time series based on their value at each timestamp.

tail_{agg}

tail_{agg} sorts the time series by the largest value based on the specified aggregation function and returns the bottom n number of series.

The list of available aggregation functions are:

• avg
• min
• max
• sum
• count

For example, tail_avg(MY_METRIC{}, 10) returns the bottom 10 time series sorted by the largest average of their values.

In most cases, tail_{agg}() is appropriate. However, if you have times series with a high churn rate, such as metrics that track Kubernetes pod level data, use bottomk(). This is because the tail_{agg} family of functions aggregates across all time series in the graph, and if you have a metric with high churns, you can miss outliers (depending on their values). In contrast, bottomk() takes the bottom x time series based on their value at each timestamp.

Custom functions

In addition to the standard PromQL functions, Chronosphere supports the following custom functions:

sum_per_second()

sum_per_second() calculates the per-second rate for a delta counter or delta histogram time series. It is equivalent to dividing the result of sum_over_time() by the sliding time window duration.

Assuming a step value of 5m, these PromQL queries return the same result:

sum_per_second(http_request_count{}[5m])

sum_over_time(http_request_count{}[5m]) / 300