LogQL - Metric Query: Sum By Device ID

I am trying to write a LogQL query to give me the count of log entries per device id over a duration of 1 minute.
Given the log sample below, I was hoping to get a result set such as:
10d4c0 has a count of 4
950224 has a count of 3
28ef52 has a count of 2

This is what my query looks like:

sum by (device_id) (count_over_time({job="device-logs"} | pattern `device:<device_id> - Reading something on channel` [1m]))

Unfortunately, this isn’t the result I get using this query. Any help would be greatly appreciated.

Sample Logs:

[INFO ] device:28ef52 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:950224 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:28ef52 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:950224 - Reading something on channel
[INFO ] device:950224 - Reading something on channel

Looks like you missed the [INFO ] part of the log.

I would suggest giving regex a try instead of pattern if you don't need to match all the fields; it looks cleaner:

{job="device-logs"}
  | regexp ".*device:(?P<device_id>\S+).*"
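To see why the original query returns nothing and both fixes return the expected counts, here is an added Python emulation (not part of this thread and not Loki code) that runs the asker's `pattern` expression, a corrected one that includes the `[INFO ] ` prefix, and the `regexp` from the answer over the sample lines. It assumes, as a simplification of Loki's pattern parser, that literals match verbatim in order and a leading literal must be a prefix of the line.

```python
import re
from collections import Counter

# Constructed sample input: the nine lines posted in the question.
SAMPLE_LOGS = """\
[INFO ] device:28ef52 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:950224 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:28ef52 - Reading something on channel
[INFO ] device:10d4c0 - Reading something on channel
[INFO ] device:950224 - Reading something on channel
[INFO ] device:950224 - Reading something on channel
""".splitlines()

_CAPTURE = re.compile(r"<(\w+|_)>")

def pattern_to_regex(expr: str) -> re.Pattern:
    """Approximate the LogQL `pattern` parser (assumption): literals are matched
    verbatim and in order, <name> becomes a named group, <_> is an unnamed skip,
    and the expression is anchored at the start of the line."""
    parts, pos = [], 0
    for m in _CAPTURE.finditer(expr):
        parts.append(re.escape(expr[pos:m.start()]))
        name = m.group(1)
        parts.append("(.*?)" if name == "_" else f"(?P<{name}>.*?)")
        pos = m.end()
    parts.append(re.escape(expr[pos:]))
    regex = "^" + "".join(parts)
    if not parts[-1]:          # trailing capture: let it run to end of line
        regex += "$"
    return re.compile(regex)

def count_by_label(lines, regex: re.Pattern, label: str) -> dict:
    """Emulate `sum by (label) (count_over_time(... [1m]))` for a single window.
    Lines where the parser extracted nothing are left out of the result."""
    counts = Counter()
    for line in lines:
        m = regex.search(line)
        if m and m.group(label):
            counts[m.group(label)] += 1
    return dict(counts)

ASKER_PATTERN = "device:<device_id> - Reading something on channel"     # no prefix
FIXED_PATTERN = "[INFO ] device:<device_id> - Reading something on channel"
ANSWER_REGEXP = re.compile(r".*device:(?P<device_id>\S+).*")

if __name__ == "__main__":
    for rx in (pattern_to_regex(ASKER_PATTERN), pattern_to_regex(FIXED_PATTERN), ANSWER_REGEXP):
        print(count_by_label(SAMPLE_LOGS, rx, "device_id"))
```

The first line printed is an empty dict (the pattern cannot match because the line starts with `[INFO ] `, not `device:`); the other two give 10d4c0: 4, 950224: 3, 28ef52: 2.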
