How do I unwrap multiple labels in a LogQL query?

Question

I have the following LogQL query:

   sum_over_time({filename=~".+Notifications.+", log_level="INFO"} 
   |~ "(SentNotifications|DeliveredNotifications)" 
   | regexp "message=\"SentNotifications\", NotificationCount=\"(?P<notifications_sent>\\d+)\"" 
   | regexp "message=\"DeliveredNotifications\", NotificationCount=\"(?P<notifications_delivered>\\d+)\""
   | unwrap notifications_sent [5m])

I would like to unwrap the "notifications_delivered" label in addition to "notifications_sent" label.

Can anyone tell me if this is possible? And if so, how?

Answer 1

to graph both values at the same time, you need to create two queries:

If your log file looks like this

MyValue1: 0.1, MyValue2: 0.3
MyValue1: 0.14, MyValue2: 0.34
MyValue1: 0.24, MyValue2: 0.39

You can graph the first value with:

max_over_time({filename="/var/tmp/mylogs/mylog.log"} |= ``
| pattern "MyValue1: <val1>, MyValue2: <_>"
| unwrap val1 [1m])

Then add a variation on another query, you will have a second line show up in your graph.

max_over_time({filename="/var/tmp/mylogs/mylog.log"} |= ``
| pattern "MyValue1: <_>, MyValue2: <val2>"
| unwrap val2 [1m])

You can also modify and create a new derivative value from multiple labels like this:

# graphs the new 'product' field
max_over_time({filename="/var/tmp/myfiles/afile.log"} |= ``
| pattern "MyValue1: <t1>, MyValue2: <t2>"
| line_format "product={{mulf .t1 .t2}}"
| logfmt
| unwrap product
| __error__ = ""[$__interval]) by (time)