Skip to content

docs/extract: clarify extract array examples for path/request_id #980

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
withlin wants to merge 1 commit into
base: master
Choose a base branch
from
Open

docs/extract: clarify extract array examples for path/request_id #980

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/victorialogs/logsql.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1878,6 +1878,23 @@ with the biggest number of logs using [`top` pipe](https://docs.victoriametrics.
_time:1d error | extract "ip=<ip> " from _msg | top 10 (ip)
```

If you only need the part before `?` in `_msg`, you can skip `split` and directly extract both pieces:

```logsql
... | extract '<path>?<request_id>' from _msg | stats by (path) count()
```

If you already used [`split` pipe](https://docs.victoriametrics.com/victorialogs/logsql/#split-pipe) to turn `_msg` into an array, placeholders let you pick specific items:

First item:
```logsql
... | split "?" from _msg as parts | extract '["<path>"' from parts
```
Second item:
```logsql
... | split "?" from _msg as parts | extract '["<_>","<request_id>"' from parts
```
Comment on lines +1881 to +1896
Copy link
Contributor

@func25 func25 Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This piece sounds strange and out of context. The example with split on ? is also complicated and adds unnecessary cognitive overhead for anyone want to understand extract pipe without the context from #978.

Better wording might be fine, but I'd prefer not to add a specialized example. Let's see what other contributors think


It is expected that `_msg` field contains `ip=...` substring ending with space. For example, `error ip=1.2.3.4 from user_id=42`.
If there is no such substring in the current `_msg` field, then the `ip` output field will be empty.

Expand Down Expand Up @@ -1988,6 +2005,27 @@ For example, the following `pattern` properly matches `a < b` text by extracting
<left> &lt; <right>
```

If a field already contains a JSON array (for example produced by [`split` pipe](https://docs.victoriametrics.com/victorialogs/logsql/#split-pipe)), placeholders can skip earlier elements. The pattern below captures only the second array item into `second`:

```logsql
... | extract '["<_>","<second>"' from parts
```

For Example: split `_msg` by `?`, then extract `path` and `request_id` from the resulting array

```
2025-12-30 09:43:30.254522801 ["/api/v1/users","RequestId=1ab2c345-d6e7-4890-b1c2-d3e4f5a6b7c8"]
```

```logsql
kubernetes.container_name:"nginx"
| split "?" from _msg as parts
| extract '["<path>","<request_id>"' from parts
| stats by (path) count()
```

This produces `path="/api/v1/users"` and `request_id="RequestId=1ab2c345-d6e7-4890-b1c2-d3e4f5a6b7c8"`, ready for grouping by `path`.

#### Conditional extract

If some log entries must be skipped from [`extract` pipe](https://docs.victoriametrics.com/victorialogs/logsql/#extract-pipe), then add `if (<filters>)` filter after the `extract` word.
Expand Down