DQL CHEAT SHEET

COMMANDS - LOAD DATA

Command Description Example
data Generates sample data for testing • data json: """[{"timestamp": "2023-03-31T05:57:42.451304000Z",
queries. Can enter data in record "severity":"ERROR", "event":"failed to find product"}]"""
format or json format • data record(timestamp=now()-1m, severity="INFO", event="search
successful"), record(timestamp=now(), severity="ERROR", event="failed
to find product")
fetch Defines which data to load from • fetch logs, from:now() - 24h, to:now() - 2h
Dynatrace and optionally process in • fetch logs, timeframe:"2021-10-20T00:00:00Z/2021-10-28T12:00:00Z"
the following processing pipeline
steps.

COMMANDS – FILTERING & FORMATTING

Command Description Example
fields Selects just the relevant fields fetch logs
| fields timestamp, loglevel, log.source, content
fieldsAdd Appends or replaces an existing field fetch logs
| filedsAdd deployment = k8s.namespace.name
fieldsRemove Removes a column (field) fetch logs
|fieldsRemove loglevel
fieldsRename Renames a column (field) fetch logs
| fieldsRename severity=loglevel
fieldsSummary Calculates the cardinality of field fetch logs, samplingRatio: 100000
values | fieldsSummary dt.entity.host, topValues: 10, extrapolateSamples: true
filter Narrows the number of records based fetch logs
on the filter expression | filter loglevel == "ERROR"
filterOut Remove records (logs, events, etc.) fetch events
based on a condition | filterOut event.category == "INFO"
limit Limits the number of returned fetch logs
records. | limit 10
lookup Adds fields from lookup table to fetch events
source table by finding a match | summarize restart_count = countIf(event.type == "PROCESS_RESTART"),
between both tables by:{dt.entity.process_group_instance}
| lookup [ fetch logs
| summarize count = countIf(loglevel == "ERROR"),
by:{dt.entity.process_group_instance}
], sourceField:dt.entity.process_group_instance,
lookupField:dt.entity.process_group_instance, prefix:"log."
parse parse and extract data from a field's fetch events
value | fieldsAdd fieldToParse = "117.169.75.66--[14/Mar/2016:23:34:25 +0200]
GET//db/scripts/setup.php HTTP/1.1 404 474"
| parse fieldToParse, "ipv4:ip LD HTTPDATE:time ']' ld:text EOL"
sort Sorts value in ascending or sort timestamp desc
descending order
summarize Group records together that have the fetch events
same value | summarize count(), by:{event.category}

timeseries Loads, filters, and groups metric data timeseries avg(dt.host.cpu.usage)

over a time frame
 DQL CHEAT SHEET

FUNCTIONS - AGGREGATION FUNCTIONS - CONVERSION

Function Description Function Description
avg() Calculates the average value of a field toArray() Returns the value if it is an array.
collectDistinct() Collects the values of the provided field into Otherwise, converts a value to the single
an array element array holding that value.
correlation() Calculates the Pearson correlation of two toBoolean() Converts a value to Boolean if the value is
numeric fields of a suitable type. If the argument is an
count() Counts the total number of records array, the element at position 0 is
countDistinct() Calculates the cardinality of unique values of converted.
a field toDouble() Converts a value to DOUBLE if the value is
countIf() Counts the number of records that match of a suitable type. If the argument is an
the condition ARRAY, the element at position 0 is
max() Calculates the maximum value of a field converted.
median() Calculates the median of an expression toDuration() Converts a value to DURATION if the value
min() Calculates the minimum value of a field is of a suitable type. If the argument is an
percentile() Calculates a given percentile of an ARRAY, the element at position 0 is
expression converted.
stddev() Calculates the standard deviation of a field toLong() Converts a value to LONG if the value is of
sum() Calculates the sum of a fields a suitable type. If the argument is an
ARRAY, the element at position 0 is
takeAny() Returns the first non-null value of a field for
converted.
a list of records.
toTimeframe() Converts a value to TIMEFRAME if the
takeFirst() Returns the first value of a field
value is of a suitable type. If the argument
takeLast() Returns the last value of a field
is an ARRAY, the element at position 0 is
takeMax() Retrieves the maximum from a list of records
converted.
takeMin() Retrieves the minimum from a list of records
toTimestamp() Converts a value to TIMESTAMP if the
variance() Calculates the variance of a field
value is of a suitable type. If the argument
is an ARRAY, the element at position 0 is
converted.
FUNCTIONS - ARRAY radianToDegree() Converts the numeric expression of an
Function Description angle in radians to an approximately
array() Creates an ARRAY from the list of given equivalent angle as expressed in degrees.
parameters. Returns null if <numeric_expr> evaluates
arrayAvg() Returns the average of an array. Values to NULL.
that are not numeric are ignored. 0 if degreeToRadian() Converts the numeric expression of an
there is no matching element. angle in degrees to an approximately
arrayDistinct() Returns the array without duplicates equivalent angle as expressed in radians.
arrayFirst() Returns the first element of an array Returns null if <numeric_expr> evaluates
arrayLast() Returns the last element of an array to NULL.
arrayMax() Returns the maximum (biggest) number of asArray() Functions prefixed with as<Type> will try to
an array. Values that are not numeric are asBoolean() cast the input data type to the target but
ignored. NULL if there is no matching asDouble() not do any conversions. It will fail for
element. asDuration() strongly typed fields and produce null for
arrayMin() Returns the minimum (smallest) number asLong() incompatible variants. These functions are
of an array. Values that are not numeric asString() applicable after parsing.
are ignored. NULL if there is no matching asSummaryStats() Returns <Type> value if the value is in the
element. asTimeframe() right type, otherwise NULL.
arrayPercentile () Calculates a given percentile of an array asTimestamp()
encodeBase16() Encodes a given binary/string to a BASE16
arraySize() Returns the size of an array. string
arraySum() Returns the sum of an array. Values that encodeBase64() Encode a given binary/string to a BASE64
are not numeric are ignored. 0 if there is string
no matching element. decodeBase16ToString() Decodes a given BASE16 string to plaintext
collectArray() Collects the values of the provided field decodeBase16ToBinary() Decodes a given BASE16 string to a binary
into an array (preservation of order not decodeBase64ToString() Decodes a given BASE64 string to plaintext
guaranteed). decodeBase64ToBinary() Decodes a given BASE64 string to a binary
 DQL CHEAT SHEET
FUNCTIONS - TIME FUNCTIONS - MATHEMATICAL
Function Description Function Description
duration() Creates a duration from the given abs() Returns the absolute value
amount and time unit. of numeric_expression. Returns NULL
formatTimestamp() Formats a given timestamp according if numeric_expression evaluates to NULL.
to a format string using a given cbrt() Calculates the real cubic root of a numeric
pattern. Timestamps according to the expression.
ISO-8061 standard can be parsed and ceil() Calculates the smallest (closest to negative
converted to the timestamp infinity) DOUBLE value greater than or equal
datatype. to the numeric_expression; is equal to a
timeframe() Creates a timeframe structure from mathematical integer.
the given start and end timestamps. Returns null if numeric_expression evaluates
timestamp() Creates a timestamp using provided to NULL.
values in mandatory parameters. e() Returns Euler’s number.
timestampFromUnixMillis() Creates a timestamp from the given
milliseconds since Unix epoch. exp() Calculates the exponential function e^x,
timestampFromUnixNanos() Creates a timestamp from the given where e is the Euler's number and x is a
nanoseconds since Unix epoch. numeric expression.
timestampFromUnixSeconds() Creates a timestamp from the given floor() Calculates the largest (closest to positive
seconds since Unix epoch. infinity) DOUBLE value less than or equal to
the numeric_expression; and is equal to a
mathematical integer. Returns NULL
FUNCTIONS - MATHEMATICAL if numeric_expression evaluates to NULL.
Function Description hashMd5() Computes the MD5 hash for a given string
sin() Computes the trigonometric sine of expression.
angle <expression> (in radians). hashSha1() Computes the SHA-1 hash for a given string
Returns null if <expression> evaluates to NULL. expression.
hypotenuse() Returns sqrt(x^2 + y^2).
sinh() Computes the hyperbolic sine of <expression>. Returns null if <expression> evaluates to NULL.
Returns null if <expression> evaluates to NULL. log() Calculates the natural logarithm (the base is e,
asin() Computes arc sine of <expression>. The returned angle the Euler's number) of a numeric expression.
is in the range -pi/2 through pi/2. log10() Calculates the decadic (common) logarithm
Returns null if <expression> evaluates to NULL. (the base is 10) of a numeric expression.
cos() Computes the trigonometric cosine of an log1p() Calculates log(1+x), where log is the natural
angle <expression> (in radians). logarithm and x is a numeric expression.
Returns null if <expression> evaluates to NULL. pi() Returns the constant value of PI (Archimedes’
cosh() Computes the hyperbolic cosine of an number).
angle <expression>. power() Raises a numeric expression to a given power.
Returns null if <expression> evaluates to NULL. round() Rounds any numeric value to the specified
acos() Computes arc cosine of <expression>. The returned number of decimal places. If you don't specify
angle is in the range 0.0 through pi. the number of decimal places, it rounds to the
Returns null if <expression> evaluates to NULL. nearest integer.
tan() Computes the trigonometric tangent of signum() Returns the signum (sign) result of an
angle <expression> (in radians). argument. It returns one of four possible
Returns null if <expression> evaluates to NULL. values: -1 (if numeric_expression evaluates to
tanh() Computes the hyperbolic tangent of <expression>. a value less
Returns null if <expression> evaluates to NULL. than 0), 0 (if numeric_expression evaluates
atan() Computes the arc tangent of <expression>. The to 0), 1 (if numeric_expression evaluates to a
returned angle is in the range -p/2 through pi/2. value greater than 0),
Returns null if <expression> evaluates to NULL. or null (if numeric_expression evaluates to
atan2() Computes the angle theta from the conversion of NULL).
rectangular coordinates (x, y) to polar coordinates (r, sqrt() Computes the positive square root of a
theta). Returns null if either of the expressions numeric expression.
evaluates to NULL.
 DQL CHEAT SHEET
FUNCTIONS - STRING FUNCTIONS - OTHER
Function Description Function Description
concat() Concatenates the expressions into a single string. bin() Aligns the value of the numeric or
contains() Searches the string expression for a substring. timestamp into buckets of the given interval
Returns TRUE if the substring was found, FALSE starting at 0 (numeric) or Unix epoch
otherwise. (timestamp).
endsWith() Checks if a string expression ends with a suffix. if() Evaluates the condition, and returns the
Returns TRUE if does, FALSE otherwise. value of either the then or else parameter,
getCharacter() Returns the character for a given position from a depending on whether the condition
string expression. evaluated to true (then) or false or null (else
indexOf() Returns the index of the first occurrence of a - or null if the else parameter is missing).
substring in a string expression. in() Tests if a value is a member of an ARRAY.
lastIndexOf() Returns the index of the last occurrence of a The in function supports multiple haystacks
substring in a string expression. and allows arrays in all arguments.
like() Tests if a string expression matches a pattern. If the isFalseOrNull() Evaluates if an expression is FALSE or NULL.
pattern does not contain percent signs, like() acts
as the == operator (equality check). A percent isNotNull() Tests if a value is not NULL
character in the pattern (%) matches any sequence
of zero or more characters. An underscore in the isNull() Tests if a value is NULL.
pattern (\_) matches a single character.
lower() Converts a string to lowercase. isTrueOrNull() Evaluates if an expression is TRUE or NULL.
matchesPhrase() Matches a phrase against the input string
expression using token matchers. matchesValue() Searches records for a specific value in a
splitString() Splits a string according to parameters set. given attribute. Returns true or false.
Retrieves an array of substrings of the specified now() Returns the current time as a fixed
expression that are adjacent to occurrences of the timestamp of the query start.
given pattern. record() Creates a complex RECORD from the keys
startsWith() Checks if a string expression starts with a prefix. and values of the parameters.
Returns TRUE if does, FALSE otherwise. type() Returns the type of a value as STRING
stringLength() Returns the length of a string expression.
substring() Gets a code unit range using a start index
(inclusive) and an end index (exclusive).
trim() Removes leading and trailing whitespaces. Any
code point <= ASCII 32 in decimal is considered a
whitespace, where ASCII 32 is a blank space.
upper() Converts a string to uppercase.

OPERATORS - NUMERICAL OPERATORS - LOGICAL OPERATORS - STRING

Operator Description Operator Description Operator Description
+ Addition == Equals == Equals
- Subtraction != Not equals != Not equals
* Multiplication NOT Negation < Lower
/ Division AND Logical and <= Lower than or equal
% Modulo (multiplication) > Greater
< Lower OR Logical or (addition) >= Greater than or equal
<= Lower than or equal XOR Exclusive or
> Greater
>= Greater than or equal
== Equals
!= Not equals

• For more examples and details, please click on the title of each table.
• Last updated on May 30th, 2023