cx-rum

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

RUM Querying Skill

RUM查询技能

Query and analyze Coralogix Real User Monitoring data using the

cx logs

command with DataPrime syntax.

使用

cx logs

命令结合DataPrime语法查询和分析Coralogix真实用户监控数据。

Understanding RUM in Coralogix

了解Coralogix中的RUM

RUM captures real user interactions from browsers and mobile apps - errors, performance metrics, network requests, web vitals, and user interactions. RUM data is stored as regular logs in the

cx_rum

subsystem, queried with the same

cx logs

command and DataPrime syntax used for any other logs.

This means:

Metadata (
$m.*
) and labels (
$l.*
) work the same as regular logs - you can filter on timestamp, severity, etc.
User data (
$d.cx_rum.*
) contains all RUM-specific fields - event types, errors, sessions, web vitals, interactions, and more. See the RUM Fields Reference for the complete field catalog.
Session replay and session flows are not available - only individual RUM log events can be queried.

For general log querying concepts and field discovery, see the cx-query-logs
skill. For DataPrime query language syntax, see the cx-dataprime
skill.

RUM捕获来自浏览器和移动应用的真实用户交互数据——包括错误、性能指标、网络请求、Web Vitals和用户交互。RUM数据以常规日志形式存储在
cx_rum
子系统中，可以使用与其他日志相同的

cx logs

命令和DataPrime语法进行查询。

这意味着：

**元数据（
```
$m.*
```
）和标签（
```
$l.*
```
）**的使用方式与常规日志一致——你可以按时间戳、严重程度等进行过滤。
用户数据（
$d.cx_rum.*
）包含所有RUM特定字段——事件类型、错误、会话、Web Vitals、交互等。完整的字段目录请参阅RUM字段参考。
不支持会话重放和会话流——仅可查询单个RUM日志事件。

关于常规日志查询概念和字段发现，请参阅**

cx-query-logs

技能。关于DataPrime查询语言语法，请参阅

cx-dataprime

**技能。

CLI Command

CLI命令

bash

cx logs '<dataprime_query>'

The

source logs

prefix is automatically injected if the query doesn't already include a

source

command.

bash

cx logs '<dataprime_query>'

如果查询中未包含

source

命令，系统会自动注入

source logs

前缀。

Options

选项

Flag	Default	Description
`--start`	`now-1h`	Start time (ISO 8601 or relative, e.g. `now-7d` )
`--end`	`now`	End time
`--limit`	`100`	Maximum number of results
`--tier`	`frequent`	Storage tier: `frequent` or `archive`
`-o, --output`	`text`	Output format: `text` , `json` , or `agents`

Note: Use

--start now-7d

(or wider) for web vitals and page performance queries. Short time ranges produce unreliable percentiles - low-traffic pages have too few data points.

标识	默认值	描述
`--start`	`now-1h`	开始时间（ISO 8601格式或相对时间，例如 `now-7d` ）
`--end`	`now`	结束时间
`--limit`	`100`	最大结果数量
`--tier`	`frequent`	存储层级： `frequent` 或 `archive`
`-o, --output`	`text`	输出格式： `text` 、 `json` 或 `agents`

注意： 查询Web Vitals和页面性能数据时，请使用

--start now-7d

（或更长时间范围）。短时间范围会导致百分位数数据不可靠——低流量页面的数据点过少。

RUM Data Model

RUM数据模型

Identifying RUM Logs

识别RUM日志

Every RUM query must include

$l.subsystemname == 'cx_rum'

Application filtering in RUM uses dedicated fields -

$l.applicationname

does not map to the RUM application name:

bash

undefined

所有RUM查询必须包含

$l.subsystemname == 'cx_rum'

。

RUM中的应用过滤使用专用字段——

$l.applicationname

并不对应RUM应用名称：

bash

undefined

RUM application name

RUM应用名称

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.version_metadata.app_name == 'my-app'"

Micro-frontend app label

微前端应用标签

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.labels.mfeApp == 'my-app'"

WRONG - $l.applicationname is not the RUM application name

错误示例 - $l.applicationname不是RUM应用名称

cx logs "filter $l.subsystemname == 'cx_rum' && $l.applicationname == 'my-app'"

undefined

cx logs "filter $l.subsystemname == 'cx_rum' && $l.applicationname == 'my-app'"

undefined

Event Types

事件类型

Filter by

$d.cx_rum.event_context.type

Type	Description
`error`	Errors, unhandled exceptions, crashes (browser and mobile)
`resources`	Resource loading (scripts, images, CSS, fonts)
`network-request`	XHR/Fetch HTTP requests
`user-interaction`	Clicks, inputs, scrolls
`web-vitals`	Web Vitals: `LT` (Load Time), `LCP` , `FID` , `CLS` , `FCP` , `INP` , `TTFB` , `TBT`
`longtask`	Long tasks blocking the main thread
`life-cycle`	Page lifecycle events (load, unload, visibility)
`dom`	DOM mutations and changes
`log`	Console logs captured by the SDK
`custom-measurement`	Custom metrics sent by the app
`mobile-vitals`	Mobile-specific performance metrics

通过

$d.cx_rum.event_context.type

进行过滤：

类型	描述
`error`	错误、未处理异常、崩溃（浏览器和移动端）
`resources`	资源加载（脚本、图片、CSS、字体）
`network-request`	XHR/Fetch HTTP请求
`user-interaction`	点击、输入、滚动操作
`web-vitals`	Web Vitals指标： `LT` （加载时间）、 `LCP` 、 `FID` 、 `CLS` 、 `FCP` 、 `INP` 、 `TTFB` 、 `TBT`
`longtask`	阻塞主线程的长任务
`life-cycle`	页面生命周期事件（加载、卸载、可见性变化）
`dom`	DOM变更操作
`log`	SDK捕获的控制台日志
`custom-measurement`	应用发送的自定义指标
`mobile-vitals`	移动端特定性能指标

Key Fields

关键字段

All RUM fields live under

$d.cx_rum.*

. The most commonly used:

Context	Key Fields	Used For
`event_context`	`type` , `severity` (5 = error)	Filtering by event type and errors
`rum_template_id`	Error fingerprint	Grouping errors into distinct issues
`error_context`	`error_message` , `error_type` , `is_crash` , `original_stacktrace`	Error details
`session_context`	`user_id` , `session_id` , `browser` , `os` , `device` , `ip_geoip.*`	User/session identity
`version_metadata`	`app_name` , `app_version`	App filtering (use instead of `$l.applicationname` )
`page_context`	`page_url` , `page_fragments` (use for groupby)	Page identification
`network_request_context`	`url` , `fragments` , `method` , `status_code` , `duration`	HTTP request analysis
`web_vitals_context`	`name` , `value` , `rating`	Performance metrics
`interaction_context`	`target_element_inner_text` (use for groupby), `event_name`	Click/input analysis
`labels`	`mfeApp` , `mfeVersion`	Micro-frontend identification

For the complete field reference including resource context, mobile contexts, and all sub-fields, see RUM Fields Reference.

所有RUM字段都位于

$d.cx_rum.*

下，最常用的字段如下：

上下文	关键字段	用途
`event_context`	`type` 、 `severity` （5代表错误）	按事件类型和错误过滤
`rum_template_id`	错误指纹	将相似错误事件分组为不同问题
`error_context`	`error_message` 、 `error_type` 、 `is_crash` 、 `original_stacktrace`	错误详情
`session_context`	`user_id` 、 `session_id` 、 `browser` 、 `os` 、 `device` 、 `ip_geoip.*`	用户/会话身份识别
`version_metadata`	`app_name` 、 `app_version`	应用过滤（替代 `$l.applicationname` ）
`page_context`	`page_url` 、 `page_fragments` （用于分组）	页面识别
`network_request_context`	`url` 、 `fragments` 、 `method` 、 `status_code` 、 `duration`	HTTP请求分析
`web_vitals_context`	`name` 、 `value` 、 `rating`	性能指标分析
`interaction_context`	`target_element_inner_text` （用于分组）、 `event_name`	点击/输入操作分析
`labels`	`mfeApp` 、 `mfeVersion`	微前端识别

包含资源上下文、移动端上下文及所有子字段的完整字段参考，请参阅**RUM字段参考**。

Error Detection

错误检测

RUM errors can come from multiple event types (

error

network-request

custom-log

). The universal error marker is

event_context.severity == 5

, which applies regardless of event type.

The

rum_template_id

field groups similar error events into distinct issues - always group by it when analyzing errors, and filter out nulls:

bash

cx logs "filter \$l.subsystemname == 'cx_rum' && \$d.cx_rum.event_context.severity:num == 5 && \$d.cx_rum.rum_template_id != null | groupby \$d.cx_rum.rum_template_id aggregate count() as error_count, any_value(\$d.cx_rum.version_metadata.app_name) as app_name, any_value(\$d.cx_rum.event_context.type) as event_type, any_value(\$d.cx_rum.error_context.error_message) as error_message, any_value(\$d.cx_rum.network_request_context.method) as method, any_value(\$d.cx_rum.network_request_context.fragments) as url_fragments, any_value(\$d.cx_rum.network_request_context.status_code) as status_code, any_value(\$d.cx_rum.custom_log_context.message) as custom_log_message, distinct_count(\$d.cx_rum.session_context.user_id) as affected_users | orderby error_count desc" --start now-7d

Include

any_value()

for descriptive fields from all error types - irrelevant fields will be null. When composing error descriptions from grouped results, the relevant fields depend on the event type:

```
error
```
→
```
error_message
```

network-request

→

"<method> <url_fragments> (status <status_code>)"

```
custom-log
```
→
```
custom_log_context.message
```

RUM错误可来自多种事件类型（

error

、

network-request

、

custom-log

）。通用错误标记为

event_context.severity == 5

，适用于所有事件类型。

rum_template_id

字段将相似错误事件分组为不同问题——分析错误时务必按此字段分组，并过滤掉空值：

bash

cx logs "filter \$l.subsystemname == 'cx_rum' && \$d.cx_rum.event_context.severity:num == 5 && \$d.cx_rum.rum_template_id != null | groupby \$d.cx_rum.rum_template_id aggregate count() as error_count, any_value(\$d.cx_rum.version_metadata.app_name) as app_name, any_value(\$d.cx_rum.event_context.type) as event_type, any_value(\$d.cx_rum.error_context.error_message) as error_message, any_value(\$d.cx_rum.network_request_context.method) as method, any_value(\$d.cx_rum.network_request_context.fragments) as url_fragments, any_value(\$d.cx_rum.network_request_context.status_code) as status_code, any_value(\$d.cx_rum.custom_log_context.message) as custom_log_message, distinct_count(\$d.cx_rum.session_context.user_id) as affected_users | orderby error_count desc" --start now-7d

为所有错误类型的描述性字段使用

any_value()

——不相关字段将显示为空。从分组结果生成错误描述时，相关字段取决于事件类型：

```
error
```
→
```
error_message
```

network-request

→

"<method> <url_fragments> (状态码 <status_code>)"

```
custom-log
```
→
```
custom_log_context.message
```

Querying RUM Data

查询RUM数据

Essential Examples

基础示例

bash

undefined

bash

undefined

All RUM errors in the last 7 days

过去7天内的所有RUM错误

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.severity:num == 5" --start now-7d

Network request errors

网络请求错误

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.severity:num == 5 && $d.cx_rum.event_context.type == 'network-request' | groupby $d.cx_rum.rum_template_id aggregate count() as error_count, any_value($d.cx_rum.network_request_context.method) as method, any_value($d.cx_rum.network_request_context.fragments) as fragments, any_value($d.cx_rum.network_request_context.status_code) as status_code | orderby error_count desc" --start now-7d

Slow loading pages (LT p75)

加载缓慢的页面（LT p75分位数）

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.type == 'web-vitals' && $d.cx_rum.web_vitals_context.name == 'LT' | groupby $d.cx_rum.page_context.page_fragments aggregate distinct_count($d.cx_rum.session_context.user_id:string) as users, percentile(0.75, $d.cx_rum.web_vitals_context.value) as LT_p75_ms | orderby users desc" --start now-7d

User interactions on a page

某页面上的用户交互

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.type == 'user-interaction' && $d.cx_rum.page_context.page_fragments ~ '/some/page' && $d.cx_rum.interaction_context.target_element_inner_text != null && $d.cx_rum.interaction_context.target_element_inner_text != '' | groupby $d.cx_rum.interaction_context.target_element_inner_text aggregate count() as click_count, distinct_count($d.cx_rum.session_context.user_id) as unique_users | orderby click_count desc" --start now-7d

Affected users per error

每个错误影响的用户数

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.severity:num == 5 && $d.cx_rum.rum_template_id != null | groupby $d.cx_rum.rum_template_id aggregate distinct_count($d.cx_rum.session_context.user_id) as affected_users, count() as error_count, any_value($d.cx_rum.error_context.error_message) as error_message | orderby affected_users desc" --start now-7d

LCP by page

按页面统计LCP指标

cx logs "filter $l.subsystemname == 'cx_rum' && $d.cx_rum.event_context.type == 'web-vitals' && $d.cx_rum.web_vitals_context.name == 'LCP' | groupby $d.cx_rum.page_context.page_fragments aggregate percentile(0.75, $d.cx_rum.web_vitals_context.value) as LCP_p75_ms, count() as samples | orderby LCP_p75_ms desc" --start now-7d

undefined

undefined

Web Vitals Querying

Web Vitals查询

Web vitals use

percentile(0.75, ...)

for p75 values -

avg

is skewed by outliers. Use

$d.cx_rum.web_vitals_context.value

without

:num

cast.

Only query the specific vitals the user asks about. For "loading times" query

LT

, for "LCP" query

LCP

. Include all vitals only when the user explicitly asks for a full overview.

For multiple vitals in one query, use conditional

if()

inside percentile:

bash

cx logs "filter \$l.subsystemname == 'cx_rum' && \$d.cx_rum.event_context.type == 'web-vitals' | groupby \$d.cx_rum.page_context.page_fragments aggregate percentile(0.75, if(\$d.cx_rum.web_vitals_context.name == 'LT', \$d.cx_rum.web_vitals_context.value)) as LT_p75, percentile(0.75, if(\$d.cx_rum.web_vitals_context.name == 'LCP', \$d.cx_rum.web_vitals_context.value)) as LCP_p75" --start now-7d

Web Vitals指标使用

percentile(0.75, ...)

获取p75值——平均值会受异常值影响。使用

$d.cx_rum.web_vitals_context.value

时无需添加

:num

类型转换。

仅查询用户明确询问的特定指标。若用户问“加载时间”则查询

LT

，问“LCP”则查询

LCP

。仅当用户明确要求完整概览时，才包含所有指标。

如需在一个查询中获取多个指标，可在percentile中使用条件

if()

：

bash

cx logs "filter \$l.subsystemname == 'cx_rum' && \$d.cx_rum.event_context.type == 'web-vitals' | groupby \$d.cx_rum.page_context.page_fragments aggregate percentile(0.75, if(\$d.cx_rum.web_vitals_context.name == 'LT', \$d.cx_rum.web_vitals_context.value)) as LT_p75, percentile(0.75, if(\$d.cx_rum.web_vitals_context.name == 'LCP', \$d.cx_rum.web_vitals_context.value)) as LCP_p75" --start now-7d

User Interaction Querying

用户交互查询

User interaction queries should always aggregate results - raw interaction events are noisy. Group by

interaction_context.target_element_inner_text

(the button/link text the user sees), and filter out null/empty values.

Do not group by

target_element

(HTML tag like DIV, SPAN) or

target_selector

- these are not meaningful to users. The correct field prefix is

interaction_context

, not

user_interaction_context

用户交互查询应始终对结果进行聚合——原始交互事件数据噪音较大。按

interaction_context.target_element_inner_text

（用户看到的按钮/链接文本）分组，并过滤掉空值或空字符串。

不要按

target_element

（HTML标签如DIV、SPAN）或

target_selector

分组——这些对用户无实际意义。正确的字段前缀是

interaction_context

，而非

user_interaction_context

。

Network Requests

网络请求

Filter network requests by event type

$d.cx_rum.event_context.type == 'network-request'

. For failed requests, combine with

event_context.severity:num == 5

. Compose descriptions as

"<method> <fragments> (status <status_code>)"

通过事件类型

$d.cx_rum.event_context.type == 'network-request'

过滤网络请求。如需筛选失败请求，可结合

event_context.severity:num == 5

。描述格式应为

"<method> <fragments> (状态码 <status_code>)"

。

Page Performance

页面性能

Use the

LT

(Load Time) web vital for page loading time questions. Group by

$d.cx_rum.page_context.page_fragments

(not

page_url

), and include user count for context with

distinct_count($d.cx_rum.session_context.user_id:string) as users

回答页面加载时间相关问题时，使用

LT

（加载时间）Web Vitals指标。按

$d.cx_rum.page_context.page_fragments

（而非

page_url

）分组，并通过

distinct_count($d.cx_rum.session_context.user_id:string) as users

添加用户数量作为上下文信息。

Troubleshooting

故障排除

If a query returns no results, change one thing at a time:

Extend the time range:
```
--start now-7d
```
or
```
--start now-30d
```
Relax filters: remove the most restrictive condition
Verify field names: run a sample query with
```
-o json
```
to inspect actual fields
Try archive tier:
```
--tier archive --start now-30d
```
for older data

Note: Filtering by

cx_rum

fields will show only RUM/frontend logs and hide backend logs. This is expected when analyzing RUM data.

若查询无结果，请每次只修改一个条件：

扩大时间范围：使用
```
--start now-7d
```
或
```
--start now-30d
```
放宽过滤条件：移除最严格的过滤规则
验证字段名称：运行带
```
-o json
```
参数的示例查询，检查实际字段
尝试归档层级：使用
```
--tier archive --start now-30d
```
查询旧数据

注意： 按

cx_rum

字段过滤将仅显示RUM/前端日志，隐藏后端日志。这是分析RUM数据时的预期行为。

References

参考资料

RUM Fields Reference - Complete field reference for all RUM contexts (session, network, web vitals, mobile, etc.)
cx-query-logs
skill - General log querying, field discovery, investigation workflows, wildfind policy
cx-dataprime
skill - Full query language reference: commands, operators, aggregations, text extraction, type conversions

For inline DataPrime help:

bash

cx dataprime list                  # List all commands and functions
cx dataprime show filter           # Detailed help for a specific command

RUM字段参考 - 所有RUM上下文（会话、网络、Web Vitals、移动端等）的完整字段参考
cx-query-logs
技能 - 常规日志查询、字段发现、调查流程、wildfind策略
cx-dataprime
技能 - 完整查询语言参考：命令、运算符、聚合、文本提取、类型转换

如需DataPrime在线帮助：

bash

cx dataprime list                  # 列出所有命令和函数
cx dataprime show filter           # 查看特定命令的详细帮助

cx-rum

Original

Translation

RUM Querying Skill

RUM查询技能

Understanding RUM in Coralogix

了解Coralogix中的RUM

CLI Command

CLI命令

Options

选项

RUM Data Model

RUM数据模型

Identifying RUM Logs

识别RUM日志

RUM application name

RUM应用名称

Micro-frontend app label

微前端应用标签

WRONG - $l.applicationname is not the RUM application name

错误示例 - $l.applicationname不是RUM应用名称

Event Types

事件类型

Key Fields

关键字段

Error Detection

错误检测

Querying RUM Data

查询RUM数据

Essential Examples

基础示例

All RUM errors in the last 7 days

过去7天内的所有RUM错误

Network request errors

网络请求错误

Slow loading pages (LT p75)

加载缓慢的页面（LT p75分位数）

User interactions on a page

某页面上的用户交互

Affected users per error

每个错误影响的用户数

LCP by page

按页面统计LCP指标

Web Vitals Querying

Web Vitals查询

User Interaction Querying

用户交互查询

Network Requests

网络请求

Page Performance

页面性能

Troubleshooting

故障排除

References

参考资料

Related Skills

相关技能