How do I count lines by labels?

hiltonadmin · December 16, 2023, 2:39am

I have an apache log and I want to know which urls are requested most often. So I already have the following

{filename="/var/log/apache2/other_vhosts_access.log"} | regexp `(?P<domain>[^:]+).* "(?P<method>[A-Z]+) (?P<url>(/[^/? ]+){0,2}).*`

which is working fine (the labels have the right values)
I now want the equivilant of the SQL Query select count(*) from ... group by url, domain, method;
I tried the following:

count by(domain, url, method) (rate({filename="/var/log/apache2/other_vhosts_access.log"} | regexp `(?P<domain>[^:]+).* "(?P<method>[A-Z]+) (?P<url>(/[^/? ]+){0,2}).*` [$__range]))

but this does not give me a single value per label tupel, but with

count by(domain, url, method) ({filename="/var/log/apache2/other_vhosts_access.log"} | regexp `(?P<domain>[^:]+).* "(?P<method>[A-Z]+) (?P<url>(/[^/? ]+){0,2}).*`)

I get the error: parse error at line 1, col 155: syntax error: unexpected )

tonyswumac · December 18, 2023, 4:35pm

Try something like this:

sum by (domain, url, method) (
  count_over_time(
    <YOUR_QUERY>
  [$__interval])
)

You can even slap topk on top:

topk(10, sum by (domain, url, method) (
  count_over_time(
    <YOUR_QUERY>
  [$__interval])
))

If you can share an example log line I can test for you in the logql analyzer as well.

hiltonadmin · December 18, 2023, 4:54pm

The problem is that this is still displayed as graph over time and not as list where the time is ignored: