Moonbase Query Language
Moonbase ships with a custom query language that allows users to query the API using a language that closely resembles native SQL.
The current iteration of MQL is v0.
Schema-less
On log ingestion, Moonbase indexes each individual field, along with the data types. This allows Moonbase to ingest any JSON-formatted input
For example, imagine you send Moonbase a payload that looks like:
{
"date": 1714005647.6969,
"source": "stdout",
"container_id": "b87fc7725f734fd6b5a56e1cdf990174-3165338177",
"container_name": "API-container-definition",
"ecs_cluster": "Internal-production",
"meta": {
"time": "2024-04-28T17:35:37.9848259Z",
"level": "INFO",
"msg": "GET /v1/environments/1C9y47b5rLS32mcVsG9V5W/components",
"service": "http",
"http": {
"status": 200,
"duration": 4778294,
"size": 29,
"ip": "68.8.141.151"
}
},
"ecs_task_arn": "arn:aws:ecs:us-west-2:398234872511:task/Internal-production/b87fc7725f734fd6b5a56e1cdf990174",
"ecs_task_definition": "API-production:56"
}Moonbase will index the above fields so that you can search meta.http.status = 200 almost instantly.
Lang v0
=
Exact match on a particular field:
meta.http.status = 200!=
Find any log that isn't of status 200:
meta.http.status != 200like
Wildcard match an IP:
meta.http.ip like '68.8.%':ilike
Case insensitive.
meta.level ilike '%inf%':Greater Than
Useful for finding logs with minimum status levels.
meta.http.status > 200Greater Than or Equal To
Find all logs that are 400 or above.
meta.http.status >= 400Less than
Find any log with a healthy status
meta.http.status < 400Less Than or Equal To
Find some sizes:
meta.http.size <= 50More Examples
You can search on your own timestamps:
date < 1714509064.278388You can query attributes just like the standard columns as long as you respect the bracket notation.
Complex Queries
And:
You'll likely want to narrow down with mulitple clauses
log.http.status = 200 and log.msg = 'POST /sync'Or:
Maybe you want to look for two specific error codes
log.http.status = 413 or log.http.status = 429Grouping Queries
(log.http.status = 413 and log.http.status = 429) or (log.http.status = 200 and log.msg = 'POST /sync')