Logs Query Tracking

Last updated - 11 November, 2025

Log Query Tracking enables you to automatically collect and monitor time-series metrics from your saved log queries. 

When tracking is enabled, LogicMonitor automatically runs your saved query every five minutes and captures the resulting metrics as datapoints. These datapoints are stored within a dedicated DataSource instance that LogicMonitor creates for you in a Log Tracked Queries resource group. From there, they are seamlessly displayed in graphs and dashboards, giving you real-time visibility into your system’s performance.

By using query tracking, you can gain ongoing insights into log patterns, such as login failures, error frequency, or traffic volume trends.

Tracked queries can generate either simple or aggregate datapoints, depending on the structure of your LMQL statement.

The following are the examples of datapoint names for the simple and aggregate query:

• Query: * | avg(_size) as average, sum(_size) as sum, max(_size) as maximum
• Datapoints: average, sum, maximum

The following are the examples of simple and complex aggregate queries:

Query Type	Query Example
Simple Aggregate Query	_message ~ "Login Failure" | count,avg(_size),max(_size)
Complex Aggregate  Query	"StatusCode" | parse /StatusCode:(?<statusCode>\d+)/ as statusCode | parse /Latency:(?<latency>\d+)ms/ as latency | parse /Method:(?<method>\w+)/ as method | avg(latency) as avg_latency_ms, count by statusCode, method
Additional Example of Complex Aggregate  Query	* | count(_size), sum(_size) by _resource.name | num(_sum/1000000000) as GB | num(_sum/_count) as avg_size | sort by GB desc | limit 25

Each query type produces dynamic datapoints that are stored in the corresponding tracked query instance. In addition, you can disable or delete tracked queries at any time if you no longer need to collect metrics.

Query Tracking Limits

The LogicMonitor portal supports up to 300 tracked queries total, including: 

• 250 non-aggregate queries
• 50 aggregate queries

These limits ensure that performance and resource utilization remain consistent when large numbers of queries are being tracked.

Each tracked query runs as a scheduled task within LogicMonitor’s DataSource framework, so these limits apply across your account’s total tracked queries.

Requirements for Tracking a Log Query

To create or manage a tracked query, you need the following:

1. You must have LM Logs licensing enabled for your account.
2. You must have Logs “View” permission.
3. You must have read access to at least one device or deviceless log.
4. The query must be saved before enabling tracking.
5. The query must return at least one groupable field for metrics to be collected.
6. Query tracking must be enabled for your account. For access, contact your Customer Success Manager.
7. Tracked query names must meet the following criteria:
   • Contain 50 characters or fewer.
   • Include only alphanumeric characters, colons (:), periods (.), and underscores (_), with an optional hyphen (-) at the end.
   • Contain no whitespace.

Enabling Tracking for a Saved Log Query

1. In LogicMonitor, navigate to Logs.
2. Select the Views dropdown and then select Manage Saved Filters.
3. In the panel, locate the saved query you want to track.
4. Select the More options .
5. Select Track query.
   
6. In the Track Query modal:
   • Review or update the Query name.
   • Confirm or modify the query expression.
     
7. Select Save to create the tracked query.

Disabling Tracking for a Saved Query

You can disable tracking if you no longer want LogicMonitor to collect metrics from a saved query.

When tracking is disabled, the query no longer runs on schedule. Existing data remains available for a limited time unless its instance is removed from the Log Tracked Queries group. If tracking is re-enabled, LogicMonitor resumes data collection on the existing instance or creates a new one.

To disable tracking, do the following:

1. In LogicMonitor, navigate to Logs.
2. Locate the tracked query in the Manage Saved Filters panel.
   
3. Switch off the Stop query tracking toggle.
4. In the dialog box, select Stop tracking.
   

Deleting a Saved Query

Deleting a saved query permanently removes it and any associated schedule.

When you delete a tracked query, LogicMonitor stops running the query and automatically deletes the corresponding tracked query instance. This means no new data is collected, and the associated DataSource instance is removed from the Tracked Queries group. If a user account is deleted, any saved queries owned by that user are also removed.

To delete a saved query, do the following:

1. In LogicMonitor, navigate to Logs.
2. Select the Views dropdown and then Manage Saved Filters.
3. Locate the saved query you want to delete.
4. Select the More options  next to the query.
   
5. Select Delete and confirm deletion.