Platform
Solution
Industry
Role
There is no result.

Logs Query Tracking

Last updated - 19 August, 2025

Query tracking schedules the saved log query to run at five minute intervals and collects metrics each time the query runs. These time-series metric datapoints are saved for each tracked query instance and added to the Log Tracked Queries resource group.

Query tracking is useful for example to for usage monitoring to track counts for specific logs. The tracking feature creates an instance which will contain data from one year of searching. You can create dashboards and configure alerts for anomalies and events based on these metrics.

Note: Query Tracking is only available if you have the feature enabled for your account. When query tracking is enabled, all users in your account will have access to the feature as long as they have permissions to view the Logs Tracked Queries resource. For more information, contact your Customer Success Manager.

Enabling Tracking for a Saved Query

After you save a log query, you can enable tracking for a basic or for an aggregate query. Tracking is available only for the saved queries.

log query tracking page

Do the following to track a saved query:

  1. Run your filtering query and save it as a new view.
  2. Select Saved Views and search for the saved query. 
  3. Select the query tracking icon to enable tracking of the selected query.
  4. Select Track query to confirm.

For a simple query, once tracking is enabled, a new datasource instance is created to track the results of the query at five minute intervals. The following metrics are collected:

  • A count of the matched logs.
  • A count of the anomalies in the matched logs.

These metrics are saved to the tracked query instance in the resource group Log Tracked Queries. You can view the information in the resources’s Raw Data tab.

LM logs tracked queries raw data

When you enable tracking for an aggregate query, LogicMonitor creates a dedicated DataSource to track the query results at five-minute intervals. For aggregate queries, the resulting datapoints are dynamic and depend on the fields returned by the query.

Datasource Instance of an aggregated query

Simple and Aggregate Query Examples

The following are the examples of datapoint names for the simple and aggregate query

  • Query* | avg(_size) as average, sum(_size) as sum, max(_size) as maximum
  • Datapointsaveragesummaximum

The following are the examples of simple and complex aggregate queries:

Query TypeQuery Example
Simple Aggregate Query_message ~ "Login Failure" | count,avg(_size),max(_size)
Complex Aggregate  Query"StatusCode"
| parse /StatusCode:(?<statusCode>\d+)/ as statusCode
| parse /Latency:(?<latency>\d+)ms/ as latency
| parse /Method:(?<method>\w+)/ as method
| avg(latency) as avg_latency_ms, count by statusCode, method
Additional Example of Complex Aggregate  Query* | count(_size), sum(_size) by _resource.name | num(_sum/1000000000) as GB | num(_sum/_count) as avg_size | sort by GB desc | limit 25

Disabling Tracking for a Saved Query

Do the following to untrack a query,

  1. Select the tracking icon on the tracked query. 
  2. Select Untrack to confirm.

Note the following when disabling query tracking:

  • New data will not be added to the tracked query instance.
  • The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.  
  • If you enable tracking again on the query and the instance has not been deleted, it will update with new metrics. Otherwise, a new instance will be created for the new metrics.
  • When you re-enable tracking, the system updates the existing instance with new metrics as soon as it ingests the corresponding query logs. If the instance no longer exists, it creates a new one.

Updating a Tracked Query

If you change the search criteria of a query that is being tracked, the metrics before and after will be based on different searches. 

  • The update will be recorded in the audit log.
  • If the query is updated to be an aggregate query, tracking will be removed.

Deleting a Saved Query

If you delete a tracked saved query, scheduling of the query will stop. The tracked query metrics will still be available for a period of time, unless the instance has been removed from the Log Tracked Queries resource group.

Note: If a user is deleted, all the saved queries owned by the user will also be deleted.

Query Tracking Limits

LogicMonitor portal supports up to 300 tracked queries in total:

  • 250 tracked non-aggregate queries
  • 50 tracked aggregate queries

The limits for aggregate and non-aggregate queries are managed separately.

Note:

  • LogicMonitor creates up to 10 instances per polling interval for advanced aggregate queries.
  • Tracked query names must be 50 characters or fewer.
  • Tracked names cannot include whitespace. Valid characters: a–z, A–Z, 0–9, :, ., _, with an optional hyphen at the end.