DQL Essentials Skill
DQL is a pipeline-based query language. Queries chain commands with
|
to filter, transform, and aggregate data. DQL has unique syntax that differs from SQL — load this skill before writing any DQL query.
Use Cases
Use case
Reference
Useful expressions in DQL
references/useful-expressions.md
Smartscape topology navigation syntax and patterns
references/smartscape-topology-navigation.md
Dynatrace Semantic Dictionary: field namespaces, data models, stability levels, query patterns, and best practices
references/semantic-dictionary.md
Various applications of summarize and makeTimeseries commands
references/summarization.md
Operators (in, time alignment
@
)
references/operators.md
Array and timeseries manipulation (creation, modifications, use in filters) using DQL
references/iterative-expressions.md
Query optimization (filter early, time ranges, field selection, performance)
references/optimization.md
DQL Reference Index
Description
Items
Data Types
array
,
binary
,
boolean
,
double
,
duration
,
long
,
record
,
string
,
timeframe
,
timestamp
,
uid
Parameter Value Types
bucket
,
dataObject
,
dplPattern
,
entityAttribute
,
entitySelector
,
entityType
,
enum
,
executionBlock
,
expressionTimeseriesAggregation
,
expressionWithConstantValue
,
expressionWithFieldAccess
,
fieldPattern
,
filePattern
,
identifierForAnyField
,
identifierForEdgeType
,
identifierForFieldOnRootLevel
,
identifierForNodeType
,
joinCondition
,
jsonPath
,
metricKey
,
metricTimeseriesAggregation
,
namelessDplPattern
,
nonEmptyExecutionBlock
,
prefix
,
primitiveValue
,
simpleIdentifier
,
tabularFileExisting
,
tabularFileNew
,
url
Commands
append
,
data
,
dedup
,
describe
,
expand
,
fetch
,
fields
,
fieldsAdd
,
fieldsFlatten
,
fieldsKeep
,
fieldsRemove
,
fieldsRename
,
fieldsSnapshot
,
fieldsSummary
,
filter
,
filterOut
,
join
,
joinNested
,
limit
,
load
,
lookup
,
makeTimeseries
,
metrics
,
parse
,
search
,
smartscapeEdges
,
smartscapeNodes
,
sort
,
summarize
,
timeseries
,
traverse
Functions — Aggregation
avg
,
collectArray
,
collectDistinct
,
correlation
,
count
,
countDistinct
,
countDistinctApprox
,
countDistinctExact
,
countIf
,
max
,
median
,
min
,
percentRank
,
percentile
,
percentileFromSamples
,
percentiles
,
stddev
,
sum
,
takeAny
,
takeFirst
,
takeLast
,
takeMax
,
takeMin
,
variance
Functions — Array
arrayAvg
,
arrayConcat
,
arrayCumulativeSum
,
arrayDelta
,
arrayDiff
,
arrayDistinct
,
arrayFirst
,
arrayFlatten
,
arrayIndexOf
,
arrayLast
,
arrayLastIndexOf
,
arrayMax
,
arrayMedian
,
arrayMin
,
arrayMovingAvg
,
arrayMovingMax
,
arrayMovingMin
,
arrayMovingSum
,
arrayPercentile
,
arrayRemoveNulls
,
arrayReverse
,
arraySize
,
arraySlice
,
arraySort
,
arraySum
,
arrayToString
,
vectorCosineDistance
,
vectorInnerProductDistance
,
vectorL1Distance
,
vectorL2Distance
Functions — Bitwise
bitwiseAnd
,
bitwiseCountOnes
,
bitwiseNot
,
bitwiseOr
,
bitwiseShiftLeft
,
bitwiseShiftRight
,
bitwiseXor
Functions — Boolean
exists
,
in
,
isFalseOrNull
,
isNotNull
,
isNull
,
isTrueOrNull
,
isUid128
,
isUid64
,
isUuid
Functions — Cast
asArray
,
asBinary
,
asBoolean
,
asDouble
,
asDuration
,
asIp
,
asLong
,
asNumber
,
asRecord
,
asSmartscapeId
,
asString
,
asTimeframe
,
asTimestamp
,
asUid
Functions — Constant
e
,
pi
Functions — Conversion
toArray
,
toBoolean
,
toDouble
,
toDuration
,
toIp
,
toLong
,
toSmartscapeId
,
toString
,
toTimeframe
,
toTimestamp
,
toUid
,
toVariant
Functions — Create
array
,
duration
,
ip
,
record
,
smartscapeId
,
timeframe
,
timestamp
,
timestampFromUnixMillis
,
timestampFromUnixNanos
,
timestampFromUnixSeconds
,
uid128
,
uid64
,
uuid
Functions — Cryptographic
hashCrc32
,
hashMd5
,
hashSha1
,
hashSha256
,
hashSha512
,
hashXxHash32
,
hashXxHash64
Functions — Entities
classicEntitySelector
,
entityAttr
,
entityName
Functions — Time series aggregation for expressions
avg
,
count
,
countDistinct
,
countDistinctApprox
,
countDistinctExact
,
countIf
,
end
,
max
,
median
,
min
,
percentRank
,
percentile
,
percentileFromSamples
,
start
,
sum
Functions — Flow
coalesce
,
if
Functions — General
jsonField
,
jsonPath
,
lookup
,
parse
,
parseAll
,
type
Functions — Get
arrayElement
,
getEnd
,
getHighBits
,
getLowBits
,
getStart
Functions — Iterative
iAny
,
iCollectArray
,
iIndex
Functions — Mathematical
abs
,
acos
,
asin
,
atan
,
atan2
,
bin
,
cbrt
,
ceil
,
cos
,
cosh
,
degreeToRadian
,
exp
,
floor
,
hexStringToNumber
,
hypotenuse
,
log
,
log10
,
log1p
,
numberToHexString
,
power
,
radianToDegree
,
random
,
range
,
round
,
signum
,
sin
,
sinh
,
sqrt
,
tan
,
tanh
Functions — Network
ipIn
,
ipIsLinkLocal
,
ipIsLoopback
,
ipIsPrivate
,
ipIsPublic
,
ipMask
,
isIp
,
isIpV4
,
isIpV6
Functions — Smartscape
getNodeField
,
getNodeName
Functions — String
concat
,
contains
,
decodeBase16ToBinary
,
decodeBase16ToString
,
decodeBase64ToBinary
,
decodeBase64ToString
,
decodeUrl
,
encodeBase16
,
encodeBase64
,
encodeUrl
,
endsWith
,
escape
,
getCharacter
,
indexOf
,
lastIndexOf
,
levenshteinDistance
,
like
,
lower
,
matchesPattern
,
matchesPhrase
,
matchesRegex
,
matchesValue
,
punctuation
,
replacePattern
,
replaceString
,
splitByPattern
,
splitString
,
startsWith
,
stringLength
,
substring
,
trim
,
unescape
,
unescapeHtml
,
upper
Functions — Time
formatTimestamp
,
getDayOfMonth
,
getDayOfWeek
,
getDayOfYear
,
getHour
,
getMinute
,
getMonth
,
getSecond
,
getWeekOfYear
,
getYear
,
now
,
unixMillisFromTimestamp
,
unixNanosFromTimestamp
,
unixSecondsFromTimestamp
Functions — Time series aggregation for metrics
avg
,
count
,
countDistinct
,
end
,
max
,
median
,
min
,
percentRank
,
percentile
,
start
,
sum
Syntax Pitfalls
❌ Wrong
✅ Right
Issue
filter field in ["a", "b"]
filter in(field, "a", "b")
No array literal syntax
by: severity, status
by: {severity, status}
Multiple grouping fields require curly braces
contains(toLowercase(field), "err")
contains(lower(field), "err")
or
contains(field, "err", caseSensitive: false)
There's no function for
toLowerCase
in DQL
filter name == "serv9"
filter contains(name, "serv")
Mid-string wildcards not allowed; use
contains()
matchesValue(field, "prod")
on string field
contains(field, "prod")
matchesValue()
is for array fields only
toLowercase(field)
lower(field)
The correct function in DQL is called
lower
arrayAvg(field[])
or
arraySum(field[])
arrayAvg(field)
or
field[]
field[]
= element-wise (array→array);
arrayAvg(field)
= collapse to scalar. Never mix both.
my_field
after
lookup
or
join
lookup.my_field
/
right.my_field
lookup
prefixes fields with
lookup.
;
join
prefixes right-side fields with
right.
Chained
lookup
losing fields
fieldsRename
between lookups
Each
lookup
removes all existing
lookup.
fields
. Rename after each lookup to preserve results (see below)
substring(field, 0, 200)
substring(field, from: 0, to: 200)
DQL functions use
named parameters
— positional args cause
TOO_MANY_POSITIONAL_PARAMETERS
filter log.level == "ERROR"
filter loglevel == "ERROR"
Log severity field is
loglevel
(no dot) —
log.level
does not exist
sort count() desc
sort count() desc
fields with special characters must use backticks
Fetch Command → Data Model
Each data model has a specific fetch command — using the wrong one returns no results.
Fetch Command
Data Model
Key Fields / Notes
fetch spans
Distributed tracing
span.
,
service.
,
http.
,
db.
,
code.
,
exception.
fetch logs
Log events
log.
,
k8s.
,
host.
— message body is
content
, severity is
loglevel
(NOT
log.level
)
fetch events
Davis / infra events
event.
,
dt.smartscape.
fetch bizevents
Business events
event.
, custom fields
fetch securityEvents
Security events
vulnerability.
,
event.
fetch usersessions
RUM sessions
dt.rum.
,
browser.
,
geo.
timeseries
Metrics
NOT
fetch
— uses
timeseries avg(metric.key)
syntax
Legacy compatibility:
dt.entity.
still works in older queries, but it is deprecated. Use
dt.smartscape.
and
smartscapeNodes
for all new queries.
Metric-key note: keys containing
hyphens
are parsed as subtraction. Use backticks, for example:
timeseries sum(my.metric-name)
.
→ Full field namespace reference:
references/semantic-dictionary.md
Data Objects
DQL queries start with
fetch count() desc
There is
no
fetch dt.metric
or
fetch dt.metrics
— those data objects do not exist.
Entity Field Patterns
Entity fields in DQL are scoped to specific entity types — not universal like SQL columns.
entity.id
does not exist
— use a typed field such as
dt.smartscape.host
.
Entity
ID field
Host
dt.smartscape.host
Service
dt.smartscape.service
Process
dt.smartscape.process
Kubernetes cluster
dt.smartscape.k8s_cluster
For topology traversal and relationships, use
smartscapeNodes
instead of
fetch
.
Smartscape Entity Patterns
Use
smartscapeNodes
for topology queries. Node types are uppercase strings and differ from field names.
Entity
Field name
smartscapeNodes
type
Host
dt.smartscape.host
"HOST"
Service
dt.smartscape.service
"SERVICE"
K8s cluster
dt.smartscape.k8s_cluster
"K8S_CLUSTER"
Use
toSmartscapeId()
for ID conversion from strings (required!).
→
references/smartscape-topology-navigation.md
matchesValue() Usage
Use
matchesValue()
for
array fields
such as
dt.tags
:
| filter matchesValue(dt.tags, "env:production")
Not
for string fields with special characters — use
contains()
for those
matchesValue()
on a scalar string field does not behave like a wildcard or fuzzy match
Chained Lookup Pattern
Each
lookup
command
removes all existing fields starting with
lookup.
before adding new ones. When chaining multiple lookups, use
fieldsRename
after each to preserve the result:
fetch bizevents
// Step 1: First lookup — enrich orders with product info
| lookup [fetch bizevents
| filter event.type == "product_catalog"
| fields product_id, category],
sourceField: product_id, lookupField: product_id
// Step 2: Rename BEFORE next lookup — or lookup.category gets wiped
| fieldsRename product_category = lookup.category
// Step 3: Second lookup — lookup.
dt-dql-essentials
安装
npx skills add https://github.com/dynatrace/dynatrace-for-ai --skill dt-dql-essentials