Merge pull request #75 from simranquirky/example-queries

Example queries

Author: Manazsharma

docs/example-queries.md

@@ -1,41 +1,130 @@
-# Example Queries
-
+# OpenObserve Query Examples
 
 We will use the k8s [sample logs data](https://zinc-public-data.s3.us-west-2.amazonaws.com/zinc-enl/sample-k8s-logs/k8slog_json.json.zip) to demonstrate the sample queries that you can use.
 
+To ingest this sample data refer to this [guide.](../getting-started#load-sample-data)
+
+
+## Text Search Queries
+
+**Search all fields containing the word "error" using full-text index:**
+
+```sql
+match_all('error')
+```
+
+![Full text Search](../images/example-queries/match-all-error.png)
+
+- `match_all` searches only the fields configured for full-text search. By default, these include: `log`, `message`, `msg`, `content`, `data`, and `json`.
+- If you want more fields to be scanned, configure them under stream settings.
+
+**Search for "error" in just the `log` field (more efficient):**
+```sql
+str_match(log, 'error')
+```
+    ![String Match](../images/example-queries/log-error.png)
+
+## Numeric Field Filters
+
+**Find logs where `code` is exactly 200:**
+```sql
+code = 200
+```
+    ![Exact Numeric Match](../images/example-queries/code.png)
+
+**Find logs where `code` is missing (`null`):**
+```sql
+code is null
+```
+    ![Null Numeric Match](../images/example-queries/code-is-null.png)
+
+**Find logs where `code` has any value:**
+```sql
+code is not null
+```
+    ![Not-Null Numeric Match](../images/example-queries/is-not-null.png)
+
+
+**Avoid using `code = ''` or `code != ''`** — these do not work properly for numeric fields.
+
+![Inappropriate Numeric Match](../images/example-queries/inappropriate.png)
+
+
+**Logs where `code` is greater than 399:**
+```sql
+code > 399
+```
+    ![Greater than Numeric Match](../images/example-queries/greater-than.png)
+
+
+**Logs where `code` is greater than or equal to 400:**
+```sql
+code >= 400
+```
+    ![Greater than Equal to Numeric Match](../images/example-queries/greater-than-equalto.png)
+
+**`code => 400` is invalid syntax.** Always use SQL-compatible operators like **>=**.
+
+![Invalid Syntax](../images/example-queries/equalto-greaterthan-error.png)
+
+
+## Filtering using WHERE Clause
+
+**Filter by service and status code:**
+```sql
+SELECT * FROM your_stream_name 
+WHERE service_name = 'api-gateway' 
+  AND code >= 500
+```
+    ![Filtering Queries](../images/example-queries/filtering.png)
+
+
+**Exclude health check logs:**
+```sql
+SELECT * FROM your_stream_name 
+WHERE NOT str_match(log, 'health-check')
+```
+    ![Filtering Queries](../images/example-queries/exclude-filtering.png)
+
+## Grouping and Counting
+
+**Group Logs over time**
+
+```sql
+SELECT histogram(_timestamp) as ts, count(*) as total_logs
+FROM your_stream_name
+GROUP BY ts
+```
+    ![Group Logs](../images/example-queries/group-logs.png)
+
+
+**Find top 10 IP addresses by request volume:**
+```sql
+SELECT 
+  client_ip,
+  count(*) AS request_count
+FROM your_stream_name
+GROUP BY client_ip
+ORDER BY request_count DESC
+LIMIT 10
+```
+    ![Top 10 by request volume](../images/example-queries/top-10.png)
+
+
+
+## Aggregations & Complex Queries
+
+**Histogram of log timestamps with status code counts:**
+```sql
+SELECT 
+  histogram(_timestamp) AS ts_histogram, 
+  count(CASE WHEN code = 200 THEN 1 END) AS code_200_count,
+  count(CASE WHEN code = 401 THEN 1 END) AS code_401_count,
+  count(CASE WHEN code = 500 THEN 1 END) AS code_500_count
+FROM your_stream_name
+GROUP BY ts_histogram
+```
 
-- To search for all the fields containing the word `error` using `Inverted Index`:
-    - `match_all('error')`
-    - - match_all searches only the fields that are configured for full text search. Default set of fields are `log`, `message`, `msg`, `content`, `data`, `json`. If you want more fields to be scanned during full text search, you can configure them under stream settings. You should use `str_match` for full text search in specific fields.
-- Search only `log` field for error. This is much more efficient than `match_all` as it search in a single field.
-    - `str_match(log, 'error')`
-- To search for all log entries that have log entries where `code is 200` . code is a numeric field
-    - `code=200`
-- To search for all log entries where code field does not contain any value
-    - ✅ `code is null` 
-    - ❌ code=' ' will not yield right results
-- To search for all log entries where code field has some value
-    - ✅ `code is not null` 
-    - ❌ code!=' ' will not yield right results
-- code > 399
-    - `code>399`
-- code >= 400
-    - ✅ `code >= 400` 
-    - ❌ code=>400 will not work
-- A mildly complex query
-    - <pre> `SELECT histogram(_timestamp) as ts_histogram, 
-    count(case when code=200 then 1 end) as code_200_count, 
-    count(case when code=401 then 1 end) as code_401_count, 
-    count(case when code=500 then 1 end) as code_500_count FROM quickstart1 GROUP BY ts_histogram`</pre>
-    - If you are looking to draw complex charts based on values in the logs (e.g. status code), you should use standard drag and drop charting functionality of OpenObserve which is very powerful and you do not have to write any SQL queries manually. Most users will be able to build 99% + of their required dashboards without writing any SQL.
-
-- Percentile P95 P99
-    
-    ```sql
-    SELECT histogram(_timestamp) as x_axis_1,  
-        approx_percentile_cont(duration, 0.95) as percentile_95, 
-        approx_percentile_cont(duration, 0.99) as percentile_99 
-    FROM default 
-        where service_name='$service' 
-        GROUP BY x_axis_1 ORDER BY x_axis_1
-    ```
+Replace `your_stream_name` with the actual stream name in your OpenObserve setup.
+- `histogram(_timestamp)` bins timestamps into uniform intervals (e.g. hourly). You can configure the granularity in the UI or query if needed.
+    ![Histogram of log timestamps](../images/example-queries/histogram.png)