Is there a difference between `| keep` and `by ()`?

kamilcuk · July 16, 2024, 12:56pm

Hi! Consider the following queries:

max_over_time(
   {job="LDCSEC12"}
   | regexp `(?P<time>[^,]*),MinMaxAvg,(?P<category>[^,]*),(?P<name>[^,]*),(?P<count>[^,]*),(?P<min>[^,]*),(?P<avg>[^,]*),`
   | unwrap avg [$__auto]
) by (job)

vs:

max_over_time(
   {job="LDCSEC12"}
   | regexp `(?P<time>[^,]*),MinMaxAvg,(?P<category>[^,]*),(?P<name>[^,]*),(?P<count>[^,]*),(?P<min>[^,]*),(?P<avg>[^,]*),`
   | keep job, avg
   | unwrap avg [$__auto]
)

Is there a difference between them?

I do not see any difference in the results not in execution time. Are they equivalent? Is actually keep slightly preferred, as it removes the labels at an “earlier” (execution wise) step?

tonyswumac · July 16, 2024, 4:50pm

Functionally the two queries are the same. The keep keyword means to keep the labels specified and discard the rest. Generally not needed in normal queries. The only place I find useful is when creating rules in ruler sometimes you might wish to remove unnecessary labels so they don’t show up in your alert then it becomes useful.

Topic		Replies	Views
Is \|~ \| regexp faster than \| regexp? Grafana Loki loki , query-help , logql	3	107	July 23, 2024
Tables, InfluxDB, Killing Group By Grafana	0	368	March 16, 2018
Removing "last_" or "max_" from value string Dashboards regex	0	159	February 27, 2024
Perform set difference on label, where the difference between queries is timestamp Grafana Loki loki , transformations , logql	1	26	November 12, 2024
How to filter result of label_value? Configuration templating	4	52773	November 19, 2020

Is there a difference between `| keep` and `by ()`?

Related topics