Observability Query Language

This repository is a demo of the new Observability Query Language. This is a research project and is not production ready.

The demo consists of:

a language parser (PipeSQL implementation)
sample datasets (tables in a ClickHouse database)
a data explorer application (Grafana plugin)

Get Started

You'll need only two tools to run the demo:

git
Docker

Here are the steps:

Clone the repository:

git clone https://github.com/QuesmaOrg/oql.git

Copy .env.example to .env (by default it will use ClickHouse running in Docker):
```
cp .env.example .env
```
Build and run. The first build may take a few minutes:
```
docker compose up --build
```
Click here to start exploring:
http://localhost:3000/a/quesma-oql-app

Examples

-- OpenSSH logs
FROM openssh_logs
|> ORDER BY timestamp DESC
|> WHERE timestamp BETWEEN $start AND $end

-- Filter out sshd logs, break-in attempts logs
|> WHERE source = 'sshd'
|> WHERE msg ILIKE '%break-in attempt!%'

-- Parse IP, hostname from loglines
--|> EXTEND ENRICH_LLM(msg, 'extract IP address from logline') AS extracted_ip
|> WHERE msg ILIKE 'reverse mapping checking getaddrinfo for % [%] failed - POSSIBLE BREAK-IN ATTEMPT!'
|> EXTEND PARSE_PATTERN(msg, 'reverse mapping checking getaddrinfo for % [%] failed - POSSIBLE BREAK-IN ATTEMPT!') AS extracted_host, extracted_ip

|> SELECT timestamp, msg, extracted_ip

-- IP enrichment
|> EXTEND ENRICH_IP(extracted_ip) AS enriched_ip

-- IP enrichment - bot IPs
|> EXTEND ENRICH_IP_BOTS(enriched_ip.hostname) AS is_bot
|> WHERE is_bot

-- Aggregate by country
|> AGGREGATE count(*) AS country_count GROUP BY enriched_ip.country_long
|> ORDER BY country_count DESC

|> LIMIT 100

Showcased Quesma-PipeSQL operators: PARSE_PATTERN, ENRICH_IP, ENRICH_IP_BOTS

Datasets

You can explore the following tables. Tables contain logs from different sources.

apache_logs Logs from https://zenodo.org/records/8275861 (Apache.zip/Apache_full.log)
hadoop_logs Logs from https://zenodo.org/records/8275861 (Hadoop.zip/Hadoop_full.log)
linux_logs Logs from https://zenodo.org/records/8275861 (Linux.zip/Linux_full.log)
openssh_logs Logs from https://zenodo.org/records/8275861 (OpenSSH.zip/OpenSSH_full.log)

Observability Query Language uses the IP2Location LITE database for IP geolocation.

Learn more

SQL Has Problems. We Can Fix Them: Pipe Syntax In SQL

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
.config		.config
.github/workflows		.github/workflows
.vscode		.vscode
assets		assets
builder		builder
datasets		datasets
pkg		pkg
provisioning/plugins		provisioning/plugins
src		src
tests		tests
.cprc.json		.cprc.json
.env.example		.env.example
.eslintrc		.eslintrc
.gitignore		.gitignore
.nvmrc		.nvmrc
.prettierrc.js		.prettierrc.js
CHANGELOG.md		CHANGELOG.md
LICENSE		LICENSE
Magefile.go		Magefile.go
Makefile		Makefile
README.md		README.md
docker-compose.yaml		docker-compose.yaml
go.mod		go.mod
go.sum		go.sum
jest-setup.js		jest-setup.js
jest.config.js		jest.config.js
package-lock.json		package-lock.json
package.json		package.json
playwright.config.ts		playwright.config.ts
tsconfig.json		tsconfig.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Observability Query Language

Get Started

Examples

Datasets

Learn more

About

Uh oh!

Releases

Packages

Uh oh!

Contributors 2

Uh oh!

Languages

License

QuesmaOrg/oql

Folders and files

Latest commit

History

Repository files navigation

Observability Query Language

Get Started

Examples

Datasets

Learn more

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors 2

Uh oh!

Languages

Packages