Using the "AND" and "OR" operators in queries

This article applies to:

• Querying

 Product edition: All

 Feature Category: Querying

 

Overview:

Wavefront provides three types of boolean operators that can be used in query expressions. These operators are;

  • AND, and
  • OR, or
  • NOT, not 

Details about these operators can be found here . In this KB article, we will discuss the usage of AND and OR boolean operators in query expressions. We will also highlight things that users should be aware of while using these operators. 

 

Comma "," after metric name in ts() expression is an AND operator:

When you filter data in ts() expression by adding source or tags then the comma "," used after the metric is interpreted as an "and" operator when query is executed.

For example;

ts(my_metric, source=server_1)

is same as,

ts(my_metric and source=server_1)

 

Comma "," used anywhere in query line after metric name is interpreted as an OR operator: 

If comma is used anywhere in query line other then right after metric name then it gets interpreted as an "OR" operator when query is executed.

For example;

ts(my_metric, source=server_1, env=prod)

is same as,

ts(my_metric and source=server_1 or env=prod)

you can use combination of "and", "or" and "not" operators in query line as per your use case,

For example;

ts(my_metric, source=server_1, source=server_2, env=prod and not app=my_app)

is same as,

ts(my_metric and source=server_1 or source=server_2 or env=prod and not app=my_app)

Notice that the comma "," after the metric name in above ts() expression is interpreted as an "and" operator while subsequent commas are interpreted as an "or" operator. 

 

Usage of "and" and "or" operator between ts() expressions:

"and" and "or" operators returns boolean output when used between ts() expressions.

For example;

ts(my_metric, source=server_1) and ts(my_other_metric, env=prod) and ts(..) and ..

will return output in the form of boolean zero "0" (False) or boolean one "1" (True). Value will be zero "0" if values for all ts() expressions are non-zero at that point in time and will be zero "0" if values for all ts() expressions are zero.

This is frequently used in alert conditions where you want to trigger alert only when more than one ts() expression conditions are true.

For example, if following alert condition is used;

ts(cpu.percent.metric) > 85 and ts(memory.percent.metric) > 80

then the condition will only become true (boolean "1") when both ts() conditions are true. If CPU and memory usage are above 85 and 80 percent respectively then expressions ts(cpu.percent.metric) > 85 and ts(memory.percent.metric) > 80 will return boolean "1" (True) and the "and" operator on top of it will also return boolean "1" (True) since both values are non-zero. 

You can also use "or" operator between the ts() expressions like this,

ts(my_metric, source=server_1) or ts(my_other_metric, env=prod) or ts(..) or ..

and the output again will be in the form of boolean zero "0" (False) or one "1" (True). Output will only be one "1" if any one of the ts() expressions have non-zero values at that point in time while "0" if ALL the ts() expressions have zero values at that point in time.

 

Note: You will have to use keyword "OR, or" if using it between ts() expression like above as comma "," does not work between ts() expressions.

Similarly, you can use combination of "and" and "or" operators between ts() expressions like this;

(ts(my_metric, source=server_1) or ts(my_metric, source=server_2)) and ts(my_other_metric)

 

See also:

https://docs.wavefront.com/query_language_reference.html#time-series-operators 

https://docs.wavefront.com/query_language_reference.html#query-expressions

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk