LogQL Queries

Quick Reference

# Stream selectors (same label-matcher syntax as PromQL). Every query starts
# with one; it chooses the log streams the rest of the pipeline reads.
{job="varlogs"}
{job="nginx", env="production"}
# Regex matchers on labels are fully anchored, hence the ".*" on both sides.
# A broad regex selects many streams; prefer exact matchers where possible.
{job=~".*api.*"}

# Line filters: applied to the raw log line. Matching is case-sensitive;
# a regex filter can opt out with the (?i) flag, e.g. |~ "(?i)error".
{job="varlogs"} |= "error"              # Line contains the string
{job="varlogs"} != "debug"              # Line does not contain the string
{job="varlogs"} |~ "error|warning"      # Line matches the regex (unanchored)
{job="varlogs"} !~ "debug|trace"        # Line does not match the regex

# Parsers: extract labels from each log line at query time.
# Put line filters before a parser stage where possible, so fewer lines
# have to be parsed.
# NOTE(review): | json and | logfmt only yield labels if the nginx logs are
# actually written in that format - confirm against the log_format in use.
{job="nginx"} | json
{job="nginx"} | logfmt
# NOTE(review): per the Loki pattern-parser docs a capture runs up to the next
# literal or to the end of the line, so the trailing <status> here would take
# in everything after the status code on a standard access-log line. Confirm
# against the real log format; a closing " <_>" is the usual way to discard
# the remainder.
{job="nginx"} | pattern "<ip> - - <_> \"<method> <uri> <_>\" <status>"
# Named capture groups become labels. Inside a double-quoted string every
# backslash has to be doubled, as below.
{job="nginx"} | regexp "(?P<ip>\\d+\\.\\d+\\.\\d+\\.\\d+)"

# Label filters: compare labels produced by the parser stage before them.
# NOTE(review): fields such as uri and method are copied from the request, so
# their values are client-controlled; keep that in mind when alerts or
# dashboards are built on them.
{job="nginx"} | json | status >= 400
{job="nginx"} | json | method = "POST"
{job="nginx"} | json | uri =~ "/api/.*"

# Aggregations: turn a log query into a metric over the range in [ ].
# Number of lines containing "error" in each 5-minute window:
count_over_time({job="varlogs"} |= "error" [5m])
# Per-second rate of lines with status >= 500, computed over 1 minute:
rate({job="nginx"} | json | status >= 500 [1m])
# Line count per distinct status value over 5 minutes:
sum by (status) (count_over_time({job="nginx"} | json [5m]))

LogCLI Examples

# The LogQL query is single-quoted so the shell passes the braces and double
# quotes through unchanged.

# Query last hour
# NOTE(review): logcli caps the number of entries it prints (--limit, 30 by
# default as far as I know), so a result can be silently truncated. Raise the
# limit when completeness matters, e.g. during an investigation - confirm the
# default with `logcli query --help` for the installed version.
logcli query '{job="varlogs"}' --since=1h

# Tail logs (keeps streaming new entries until interrupted)
logcli query '{job="varlogs"}' --tail

# Output as JSON, one object per line (convenient for piping into other tools)
logcli query '{job="varlogs"}' -o jsonl

# Quiet mode (logs only; query metadata is suppressed)
logcli query '{job="varlogs"}' --quiet

TODO: Add a full parser reference and metric query examples.