dt-dql-essentials

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

DQL Essentials Skill

DQL基础技能

DQL is a pipeline-based query language. Queries chain commands with

to filter, transform, and aggregate data. DQL has unique syntax that differs from SQL — load this skill before writing any DQL query.

DQL是一种基于管道的查询语言。查询使用

连接命令来过滤、转换和聚合数据。DQL有着与SQL不同的独特语法——编写任何DQL查询前请先加载此技能。

Use Cases

使用场景

Use case	Reference
Useful expressions in DQL	references/useful-expressions.md
Smartscape topology navigation syntax and patterns	references/smartscape-topology-navigation.md
Dynatrace Semantic Dictionary: field namespaces, data models, stability levels, query patterns, and best practices	references/semantic-dictionary.md
Various applications of summarize and makeTimeseries commands	references/summarization.md
Operators (in, time alignment `@` )	references/operators.md
Array and timeseries manipulation (creation, modifications, use in filters) using DQL	references/iterative-expressions.md
Query optimization (filter early, time ranges, field selection, performance)	references/optimization.md

场景	参考文档
DQL常用表达式	references/useful-expressions.md
Smartscape拓扑导航语法与模式	references/smartscape-topology-navigation.md
Dynatrace语义字典：字段命名空间、数据模型、稳定性级别、查询模式与最佳实践	references/semantic-dictionary.md
summarize与makeTimeseries命令的各类应用	references/summarization.md
运算符（in、时间对齐运算符 `@` ）	references/operators.md
使用DQL进行数组与时间序列操作（创建、修改、在过滤器中使用）	references/iterative-expressions.md
查询优化（提前过滤、时间范围、字段选择、性能）	references/optimization.md

DQL Reference Index

DQL参考索引

Description	Items
Data Types	`array` , `binary` , `boolean` , `double` , `duration` , `long` , `record` , `string` , `timeframe` , `timestamp` , `uid`
Parameter Value Types	`bucket` , `dataObject` , `dplPattern` , `entityAttribute` , `entitySelector` , `entityType` , `enum` , `executionBlock` , `expressionTimeseriesAggregation` , `expressionWithConstantValue` , `expressionWithFieldAccess` , `fieldPattern` , `filePattern` , `identifierForAnyField` , `identifierForEdgeType` , `identifierForFieldOnRootLevel` , `identifierForNodeType` , `joinCondition` , `jsonPath` , `metricKey` , `metricTimeseriesAggregation` , `namelessDplPattern` , `nonEmptyExecutionBlock` , `prefix` , `primitiveValue` , `simpleIdentifier` , `tabularFileExisting` , `tabularFileNew` , `url`
Commands	`append` , `data` , `dedup` , `describe` , `expand` , `fetch` , `fields` , `fieldsAdd` , `fieldsFlatten` , `fieldsKeep` , `fieldsRemove` , `fieldsRename` , `fieldsSnapshot` , `fieldsSummary` , `filter` , `filterOut` , `join` , `joinNested` , `limit` , `load` , `lookup` , `makeTimeseries` , `metrics` , `parse` , `search` , `smartscapeEdges` , `smartscapeNodes` , `sort` , `summarize` , `timeseries` , `traverse`
Functions — Aggregation	`avg` , `collectArray` , `collectDistinct` , `correlation` , `count` , `countDistinct` , `countDistinctApprox` , `countDistinctExact` , `countIf` , `max` , `median` , `min` , `percentRank` , `percentile` , `percentileFromSamples` , `percentiles` , `stddev` , `sum` , `takeAny` , `takeFirst` , `takeLast` , `takeMax` , `takeMin` , `variance`
Functions — Array	`arrayAvg` , `arrayConcat` , `arrayCumulativeSum` , `arrayDelta` , `arrayDiff` , `arrayDistinct` , `arrayFirst` , `arrayFlatten` , `arrayIndexOf` , `arrayLast` , `arrayLastIndexOf` , `arrayMax` , `arrayMedian` , `arrayMin` , `arrayMovingAvg` , `arrayMovingMax` , `arrayMovingMin` , `arrayMovingSum` , `arrayPercentile` , `arrayRemoveNulls` , `arrayReverse` , `arraySize` , `arraySlice` , `arraySort` , `arraySum` , `arrayToString` , `vectorCosineDistance` , `vectorInnerProductDistance` , `vectorL1Distance` , `vectorL2Distance`
Functions — Bitwise	`bitwiseAnd` , `bitwiseCountOnes` , `bitwiseNot` , `bitwiseOr` , `bitwiseShiftLeft` , `bitwiseShiftRight` , `bitwiseXor`
Functions — Boolean	`exists` , `in` , `isFalseOrNull` , `isNotNull` , `isNull` , `isTrueOrNull` , `isUid128` , `isUid64` , `isUuid`
Functions — Cast	`asArray` , `asBinary` , `asBoolean` , `asDouble` , `asDuration` , `asIp` , `asLong` , `asNumber` , `asRecord` , `asSmartscapeId` , `asString` , `asTimeframe` , `asTimestamp` , `asUid`
Functions — Constant	`e` , `pi`
Functions — Conversion	`toArray` , `toBoolean` , `toDouble` , `toDuration` , `toIp` , `toLong` , `toSmartscapeId` , `toString` , `toTimeframe` , `toTimestamp` , `toUid` , `toVariant`
Functions — Create	`array` , `duration` , `ip` , `record` , `smartscapeId` , `timeframe` , `timestamp` , `timestampFromUnixMillis` , `timestampFromUnixNanos` , `timestampFromUnixSeconds` , `uid128` , `uid64` , `uuid`
Functions — Cryptographic	`hashCrc32` , `hashMd5` , `hashSha1` , `hashSha256` , `hashSha512` , `hashXxHash32` , `hashXxHash64`
Functions — Entities	`classicEntitySelector` , `entityAttr` , `entityName`
Functions — Time series aggregation for expressions	`avg` , `count` , `countDistinct` , `countDistinctApprox` , `countDistinctExact` , `countIf` , `end` , `max` , `median` , `min` , `percentRank` , `percentile` , `percentileFromSamples` , `start` , `sum`
Functions — Flow	`coalesce` , `if`
Functions — General	`jsonField` , `jsonPath` , `lookup` , `parse` , `parseAll` , `type`
Functions — Get	`arrayElement` , `getEnd` , `getHighBits` , `getLowBits` , `getStart`
Functions — Iterative	`iAny` , `iCollectArray` , `iIndex`
Functions — Mathematical	`abs` , `acos` , `asin` , `atan` , `atan2` , `bin` , `cbrt` , `ceil` , `cos` , `cosh` , `degreeToRadian` , `exp` , `floor` , `hexStringToNumber` , `hypotenuse` , `log` , `log10` , `log1p` , `numberToHexString` , `power` , `radianToDegree` , `random` , `range` , `round` , `signum` , `sin` , `sinh` , `sqrt` , `tan` , `tanh`
Functions — Network	`ipIn` , `ipIsLinkLocal` , `ipIsLoopback` , `ipIsPrivate` , `ipIsPublic` , `ipMask` , `isIp` , `isIpV4` , `isIpV6`
Functions — Smartscape	`getNodeField` , `getNodeName`
Functions — String	`concat` , `contains` , `decodeBase16ToBinary` , `decodeBase16ToString` , `decodeBase64ToBinary` , `decodeBase64ToString` , `decodeUrl` , `encodeBase16` , `encodeBase64` , `encodeUrl` , `endsWith` , `escape` , `getCharacter` , `indexOf` , `lastIndexOf` , `levenshteinDistance` , `like` , `lower` , `matchesPattern` , `matchesPhrase` , `matchesRegex` , `matchesValue` , `punctuation` , `replacePattern` , `replaceString` , `splitByPattern` , `splitString` , `startsWith` , `stringLength` , `substring` , `trim` , `unescape` , `unescapeHtml` , `upper`
Functions — Time	`formatTimestamp` , `getDayOfMonth` , `getDayOfWeek` , `getDayOfYear` , `getHour` , `getMinute` , `getMonth` , `getSecond` , `getWeekOfYear` , `getYear` , `now` , `unixMillisFromTimestamp` , `unixNanosFromTimestamp` , `unixSecondsFromTimestamp`
Functions — Time series aggregation for metrics	`avg` , `count` , `countDistinct` , `end` , `max` , `median` , `min` , `percentRank` , `percentile` , `start` , `sum`

描述	项
数据类型	`array` , `binary` , `boolean` , `double` , `duration` , `long` , `record` , `string` , `timeframe` , `timestamp` , `uid`
参数值类型	`bucket` , `dataObject` , `dplPattern` , `entityAttribute` , `entitySelector` , `entityType` , `enum` , `executionBlock` , `expressionTimeseriesAggregation` , `expressionWithConstantValue` , `expressionWithFieldAccess` , `fieldPattern` , `filePattern` , `identifierForAnyField` , `identifierForEdgeType` , `identifierForFieldOnRootLevel` , `identifierForNodeType` , `joinCondition` , `jsonPath` , `metricKey` , `metricTimeseriesAggregation` , `namelessDplPattern` , `nonEmptyExecutionBlock` , `prefix` , `primitiveValue` , `simpleIdentifier` , `tabularFileExisting` , `tabularFileNew` , `url`
命令	`append` , `data` , `dedup` , `describe` , `expand` , `fetch` , `fields` , `fieldsAdd` , `fieldsFlatten` , `fieldsKeep` , `fieldsRemove` , `fieldsRename` , `fieldsSnapshot` , `fieldsSummary` , `filter` , `filterOut` , `join` , `joinNested` , `limit` , `load` , `lookup` , `makeTimeseries` , `metrics` , `parse` , `search` , `smartscapeEdges` , `smartscapeNodes` , `sort` , `summarize` , `timeseries` , `traverse`
函数——聚合类	`avg` , `collectArray` , `collectDistinct` , `correlation` , `count` , `countDistinct` , `countDistinctApprox` , `countDistinctExact` , `countIf` , `max` , `median` , `min` , `percentRank` , `percentile` , `percentileFromSamples` , `percentiles` , `stddev` , `sum` , `takeAny` , `takeFirst` , `takeLast` , `takeMax` , `takeMin` , `variance`
函数——数组类	`arrayAvg` , `arrayConcat` , `arrayCumulativeSum` , `arrayDelta` , `arrayDiff` , `arrayDistinct` , `arrayFirst` , `arrayFlatten` , `arrayIndexOf` , `arrayLast` , `arrayLastIndexOf` , `arrayMax` , `arrayMedian` , `arrayMin` , `arrayMovingAvg` , `arrayMovingMax` , `arrayMovingMin` , `arrayMovingSum` , `arrayPercentile` , `arrayRemoveNulls` , `arrayReverse` , `arraySize` , `arraySlice` , `arraySort` , `arraySum` , `arrayToString` , `vectorCosineDistance` , `vectorInnerProductDistance` , `vectorL1Distance` , `vectorL2Distance`
函数——位运算类	`bitwiseAnd` , `bitwiseCountOnes` , `bitwiseNot` , `bitwiseOr` , `bitwiseShiftLeft` , `bitwiseShiftRight` , `bitwiseXor`
函数——布尔类	`exists` , `in` , `isFalseOrNull` , `isNotNull` , `isNull` , `isTrueOrNull` , `isUid128` , `isUid64` , `isUuid`
函数——类型转换类	`asArray` , `asBinary` , `asBoolean` , `asDouble` , `asDuration` , `asIp` , `asLong` , `asNumber` , `asRecord` , `asSmartscapeId` , `asString` , `asTimeframe` , `asTimestamp` , `asUid`
函数——常量类	`e` , `pi`
函数——格式转换类	`toArray` , `toBoolean` , `toDouble` , `toDuration` , `toIp` , `toLong` , `toSmartscapeId` , `toString` , `toTimeframe` , `toTimestamp` , `toUid` , `toVariant`
函数——创建类	`array` , `duration` , `ip` , `record` , `smartscapeId` , `timeframe` , `timestamp` , `timestampFromUnixMillis` , `timestampFromUnixNanos` , `timestampFromUnixSeconds` , `uid128` , `uid64` , `uuid`
函数——加密类	`hashCrc32` , `hashMd5` , `hashSha1` , `hashSha256` , `hashSha512` , `hashXxHash32` , `hashXxHash64`
函数——实体类	`classicEntitySelector` , `entityAttr` , `entityName`
函数——表达式时间序列聚合类	`avg` , `count` , `countDistinct` , `countDistinctApprox` , `countDistinctExact` , `countIf` , `end` , `max` , `median` , `min` , `percentRank` , `percentile` , `percentileFromSamples` , `start` , `sum`
函数——流程类	`coalesce` , `if`
函数——通用类	`jsonField` , `jsonPath` , `lookup` , `parse` , `parseAll` , `type`
函数——取值类	`arrayElement` , `getEnd` , `getHighBits` , `getLowBits` , `getStart`
函数——迭代类	`iAny` , `iCollectArray` , `iIndex`
函数——数学类	`abs` , `acos` , `asin` , `atan` , `atan2` , `bin` , `cbrt` , `ceil` , `cos` , `cosh` , `degreeToRadian` , `exp` , `floor` , `hexStringToNumber` , `hypotenuse` , `log` , `log10` , `log1p` , `numberToHexString` , `power` , `radianToDegree` , `random` , `range` , `round` , `signum` , `sin` , `sinh` , `sqrt` , `tan` , `tanh`
函数——网络类	`ipIn` , `ipIsLinkLocal` , `ipIsLoopback` , `ipIsPrivate` , `ipIsPublic` , `ipMask` , `isIp` , `isIpV4` , `isIpV6`
函数——Smartscape类	`getNodeField` , `getNodeName`
函数——字符串类	`concat` , `contains` , `decodeBase16ToBinary` , `decodeBase16ToString` , `decodeBase64ToBinary` , `decodeBase64ToString` , `decodeUrl` , `encodeBase16` , `encodeBase64` , `encodeUrl` , `endsWith` , `escape` , `getCharacter` , `indexOf` , `lastIndexOf` , `levenshteinDistance` , `like` , `lower` , `matchesPattern` , `matchesPhrase` , `matchesRegex` , `matchesValue` , `punctuation` , `replacePattern` , `replaceString` , `splitByPattern` , `splitString` , `startsWith` , `stringLength` , `substring` , `trim` , `unescape` , `unescapeHtml` , `upper`
函数——时间类	`formatTimestamp` , `getDayOfMonth` , `getDayOfWeek` , `getDayOfYear` , `getHour` , `getMinute` , `getMonth` , `getSecond` , `getWeekOfYear` , `getYear` , `now` , `unixMillisFromTimestamp` , `unixNanosFromTimestamp` , `unixSecondsFromTimestamp`
函数——指标时间序列聚合类	`avg` , `count` , `countDistinct` , `end` , `max` , `median` , `min` , `percentRank` , `percentile` , `start` , `sum`

Syntax Pitfalls

语法陷阱

❌ Wrong	✅ Right	Issue
`filter field in ["a", "b"]`	`filter in(field, "a", "b")`	No array literal syntax
`by: severity, status`	`by: {severity, status}`	Multiple grouping fields require curly braces
`contains(toLowercase(field), "err")`	`contains(lower(field), "err")` or `contains(field, "err", caseSensitive: false)`	There's no function for `toLowerCase` in DQL
`filter name == "serv9*"`	`filter contains(name, "serv")`	Mid-string wildcards not allowed; use `contains()`
`matchesValue(field, "prod")` on string field	`contains(field, "prod")`	`matchesValue()` is for array fields only
`toLowercase(field)`	`lower(field)`	The correct function in DQL is called `lower`
`arrayAvg(field[])` or `arraySum(field[])`	`arrayAvg(field)` or `field[]`	`field[]` = element-wise (array→array); `arrayAvg(field)` = collapse to scalar. Never mix both.
`my_field` after `lookup` or `join`	`lookup.my_field` / `right.my_field`	`lookup` prefixes fields with `lookup.` ; `join` prefixes right-side fields with `right.`
Chained `lookup` losing fields	`fieldsRename` between lookups	Each `lookup` removes all existing `lookup.*` fields. Rename after each lookup to preserve results (see below)
`substring(field, 0, 200)`	`substring(field, from: 0, to: 200)`	DQL functions use named parameters — positional args cause `TOO_MANY_POSITIONAL_PARAMETERS`
`filter log.level == "ERROR"`	`filter loglevel == "ERROR"`	Log severity field is `loglevel` (no dot) — `log.level` does not exist
`sort count() desc`	sort `count()` desc	fields with special characters must use backticks

❌ 错误写法	✅ 正确写法	问题说明
`filter field in ["a", "b"]`	`filter in(field, "a", "b")`	不支持数组字面量语法
`by: severity, status`	`by: {severity, status}`	多分组字段需要用大括号包裹
`contains(toLowercase(field), "err")`	`contains(lower(field), "err")` 或 `contains(field, "err", caseSensitive: false)`	DQL中没有 `toLowerCase` 函数
`filter name == "serv9*"`	`filter contains(name, "serv")`	不支持中间通配符，使用 `contains()` 替代
对字符串字段使用 `matchesValue(field, "prod")`	`contains(field, "prod")`	`matchesValue()` 仅适用于数组字段
`toLowercase(field)`	`lower(field)`	DQL中对应的正确函数是 `lower`
`arrayAvg(field[])` 或 `arraySum(field[])`	`arrayAvg(field)` 或 `field[]`	`field[]` = 逐元素运算（数组→数组）； `arrayAvg(field)` = 聚合为标量。禁止混合使用两者。
`lookup` 或 `join` 后直接使用 `my_field`	`lookup.my_field` / `right.my_field`	`lookup` 返回的字段会加上 `lookup.` 前缀； `join` 右表返回的字段会加上 `right.` 前缀
链式 `lookup` 丢失字段	在两次lookup之间使用 `fieldsRename`	每次 `lookup` 会清除所有已存在的 `lookup.*` 字段。每次lookup后重命名字段可保留结果（见下文）
`substring(field, 0, 200)`	`substring(field, from: 0, to: 200)`	DQL函数使用命名参数——位置参数会报 `TOO_MANY_POSITIONAL_PARAMETERS` 错误
`filter log.level == "ERROR"`	`filter loglevel == "ERROR"`	日志级别字段是 `loglevel` （无点）—— `log.level` 不存在
`sort count() desc`	sort `count()` desc	包含特殊字符的字段需要用反引号包裹

Fetch Command → Data Model

Fetch命令对应的数据模型

Each data model has a specific fetch command — using the wrong one returns no results.

Fetch Command	Data Model	Key Fields / Notes
`fetch spans`	Distributed tracing	`span.` , `service.` , `http.` , `db.` , `code.` , `exception.`
`fetch logs`	Log events	`log.` , `k8s.` , `host.*` — message body is `content` , severity is `loglevel` (NOT `log.level` )
`fetch events`	Davis / infra events	`event.` , `dt.smartscape.`
`fetch bizevents`	Business events	`event.*` , custom fields
`fetch securityEvents`	Security events	`vulnerability.` , `event.`
`fetch usersessions`	RUM sessions	`dt.rum.` , `browser.` , `geo.*`
`timeseries`	Metrics	NOT `fetch` — uses `timeseries avg(metric.key)` syntax

Legacy compatibility:

dt.entity.*

still works in older queries, but it is deprecated. Use

dt.smartscape.*

and

smartscapeNodes

for all new queries.

Metric-key note: keys containing hyphens are parsed as subtraction. Use backticks, for example:

timeseries sum(`my.metric-name`)

→ Full field namespace reference: references/semantic-dictionary.md

每个数据模型都有对应的fetch命令——使用错误的命令会返回空结果。

Fetch命令	数据模型	关键字段/说明
`fetch spans`	分布式追踪	`span.` , `service.` , `http.` , `db.` , `code.` , `exception.`
`fetch logs`	日志事件	`log.` , `k8s.` , `host.*` — 消息体为 `content` ，级别为 `loglevel` （不是 `log.level` ）
`fetch events`	Davis / 基础设施事件	`event.` , `dt.smartscape.`
`fetch bizevents`	业务事件	`event.*` , 自定义字段
`fetch securityEvents`	安全事件	`vulnerability.` , `event.`
`fetch usersessions`	RUM会话	`dt.rum.` , `browser.` , `geo.*`
`timeseries`	指标	不使用 `fetch` — 采用 `timeseries avg(metric.key)` 语法

旧版兼容：

dt.entity.*

在旧查询中仍然可用，但已废弃。所有新查询请使用

dt.smartscape.*

和

smartscapeNodes

。

指标key注意事项：包含连字符的key会被解析为减法运算。请使用反引号包裹，例如：

timeseries sum(`my.metric-name`)

。

→ 完整字段命名空间参考：references/semantic-dictionary.md

Data Objects

数据对象

DQL queries start with

fetch <data_object>

timeseries

. There is no
fetch dt.metric
or

fetch dt.metrics

— metrics are queried with

timeseries

Core data objects for
fetch
:

Data Object	Description
`logs`	Log entries
`spans`	Distributed traces / spans
`events`	Platform events
`bizevents`	Business events
`user.events`	RUM individual events (page views, clicks, requests, errors)
`user.sessions`	RUM session-level aggregates
`user.replays`	Session replay recordings
`security.events`	Security events
`application.snapshots`	Application snapshots
`dt.smartscape.<type>`	Smartscape entity fields (e.g., `dt.smartscape.host` , `dt.smartscape.service` )
`dt.davis.problems`	DAVIS-detected problems
`dt.davis.events`	DAVIS events

Metrics — use

timeseries

, not

fetch

dql

timeseries cpu = avg(dt.host.cpu.usage), by: {dt.smartscape.host}

Topology — use

smartscapeNodes

, not

fetch

dql

smartscapeNodes "HOST"

Discover available data objects:

dql

fetch dt.system.data_objects | fields name, display_name, type

DQL查询以

fetch <data_object>

或

timeseries

开头。不存在
fetch dt.metric
或
fetch dt.metrics
— 指标使用

timeseries

查询。

fetch
支持的核心数据对象：

数据对象	描述
`logs`	日志条目
`spans`	分布式追踪/span
`events`	平台事件
`bizevents`	业务事件
`user.events`	RUM单事件（页面访问、点击、请求、错误）
`user.sessions`	RUM会话级别聚合
`user.replays`	会话回放录制
`security.events`	安全事件
`application.snapshots`	应用快照
`dt.smartscape.<type>`	Smartscape实体字段（例如 `dt.smartscape.host` 、 `dt.smartscape.service` ）
`dt.davis.problems`	DAVIS检测到的问题
`dt.davis.events`	DAVIS事件

指标 — 使用

timeseries

，不要用

fetch

：

dql

timeseries cpu = avg(dt.host.cpu.usage), by: {dt.smartscape.host}

拓扑 — 使用

smartscapeNodes

，不要用

fetch

：

dql

smartscapeNodes "HOST"

查找可用数据对象：

dql

fetch dt.system.data_objects | fields name, display_name, type

Metric Discovery

指标查找

To search for available metrics by keyword, use

metric.series

dql

fetch metric.series, from: now() - 1h
| filter contains(metric.key, "replay")
| summarize count(), by: {metric.key}
| sort `count()` desc

There is no
fetch dt.metric
or

fetch dt.metrics

— those data objects do not exist.

要按关键词搜索可用指标，使用

metric.series

：

dql

fetch metric.series, from: now() - 1h
| filter contains(metric.key, "replay")
| summarize count(), by: {metric.key}
| sort `count()` desc

不存在
fetch dt.metric
或
fetch dt.metrics
— 这些数据对象不存在。

Entity Field Patterns

实体字段模式

Entity fields in DQL are scoped to specific entity types — not universal like SQL columns.

```
entity.id
```
does not exist — use a typed field such as
```
dt.smartscape.host
```
.

Entity	ID field
Host	`dt.smartscape.host`
Service	`dt.smartscape.service`
Process	`dt.smartscape.process`
Kubernetes cluster	`dt.smartscape.k8s_cluster`

For topology traversal and relationships, use
```
smartscapeNodes
```
instead of
```
fetch
```
.

DQL中的实体字段属于特定实体类型——不像SQL列那样通用。

```
entity.id
```
不存在 — 使用类型化字段，例如
```
dt.smartscape.host
```
。

实体	ID字段
主机	`dt.smartscape.host`
服务	`dt.smartscape.service`
进程	`dt.smartscape.process`
Kubernetes集群	`dt.smartscape.k8s_cluster`

拓扑遍历和关系查询请使用
```
smartscapeNodes
```
，不要用
```
fetch
```
。

Smartscape Entity Patterns

Smartscape实体模式

Use

smartscapeNodes

for topology queries. Node types are uppercase strings and differ from field names.

Entity	Field name	`smartscapeNodes` type
Host	`dt.smartscape.host`	`"HOST"`
Service	`dt.smartscape.service`	`"SERVICE"`
K8s cluster	`dt.smartscape.k8s_cluster`	`"K8S_CLUSTER"`

Use

toSmartscapeId()

for ID conversion from strings (required!).

→ references/smartscape-topology-navigation.md

拓扑查询使用

smartscapeNodes

。节点类型是大写字符串，与字段名不同。

实体	字段名	`smartscapeNodes` 类型
主机	`dt.smartscape.host`	`"HOST"`
服务	`dt.smartscape.service`	`"SERVICE"`
K8s集群	`dt.smartscape.k8s_cluster`	`"K8S_CLUSTER"`

从字符串转换ID请使用

toSmartscapeId()

（必须使用！）。

→ references/smartscape-topology-navigation.md

matchesValue() Usage

matchesValue()用法

Use

matchesValue()

for array fields such as

dt.tags

dql

| filter matchesValue(dt.tags, "env:production")

Not for string fields with special characters — use
```
contains()
```
for those
```
matchesValue()
```
on a scalar string field does not behave like a wildcard or fuzzy match

matchesValue()

用于数组字段，例如

dt.tags

：

dql

| filter matchesValue(dt.tags, "env:production")

不要用于带特殊字符的字符串字段——这类场景使用
```
contains()
```
对标量字符串字段使用
```
matchesValue()
```
不会实现通配符或模糊匹配效果

Chained Lookup Pattern

链式Lookup模式

Each

lookup

command removes all existing fields starting with
lookup.
before adding new ones. When chaining multiple lookups, use

fieldsRename

after each to preserve the result:

dql

fetch bizevents
// Step 1: First lookup — enrich orders with product info
| lookup [fetch bizevents
    | filter event.type == "product_catalog"
    | fields product_id, category],
  sourceField: product_id, lookupField: product_id

// Step 2: Rename BEFORE next lookup — or lookup.category gets wiped
| fieldsRename product_category = lookup.category

// Step 3: Second lookup — lookup.* is now clean for new results
| lookup [fetch bizevents
    | filter event.type == "warehouse_stock"
    | fields category, warehouse_region],
  sourceField: product_category, lookupField: category

// Both product_category and lookup.warehouse_region are available

Without the
fieldsRename
, the second
lookup
silently drops the first lookup's results — producing empty fields and collapsed aggregations.

每个

lookup

命令在添加新字段前会清除所有已存在的以
lookup.
开头的字段。链式调用多个lookup时，每次调用后使用

fieldsRename

保留结果：

dql

fetch bizevents
// 步骤1：第一次lookup — 为订单补充产品信息
| lookup [fetch bizevents
    | filter event.type == "product_catalog"
    | fields product_id, category],
  sourceField: product_id, lookupField: product_id

// 步骤2：下一次lookup前重命名 — 否则lookup.category会被清除
| fieldsRename product_category = lookup.category

// 步骤3：第二次lookup — lookup.*前缀现在为空，可以存储新结果
| lookup [fetch bizevents
    | filter event.type == "warehouse_stock"
    | fields category, warehouse_region],
  sourceField: product_category, lookupField: category

// product_category和lookup.warehouse_region都可正常访问

如果不使用
fieldsRename
，第二次
lookup
会静默删除第一次lookup的结果——导致字段为空、聚合异常。

makeTimeseries Command

makeTimeseries命令

makeTimeseries

converts event-based data (logs, spans, bizevents) into a time-bucketed metric series. It is not the same as the

timeseries

command —

timeseries

queries pre-ingested metric data;

makeTimeseries

builds a series from signals in a pipeline.

Basic syntax:

dql

fetch logs
| makeTimeseries count = count(), by: {loglevel}, interval: 5m

Key parameters:

Parameter	Required	Description
`<agg> = <expr>`	Yes	Aggregation to compute per bucket (e.g. `count()` , `avg(duration)` )
`interval:`	No	Bucket size — e.g. `1m` , `5m` , `1h`
`by:`	No	Optional grouping dimensions (same `{}` syntax as `summarize` )
`from:` / `to:`	No	Explicit time range; defaults to the query timeframe
`bins:`	No	Number of time buckets (alternative to `interval:` )
`time:`	No	Field to use as the timestamp; defaults to `timestamp`
`spread:`	No	Timeframe expression for bucket calculation; alternative to `time:` , only works with `count` or `countIf`
`nonempty:`	No	Boolean; when `true` , fills missing time buckets with null instead of omitting them

→ Full formal parameter specification: references/dql/dql-commands.md

Example — error rate timeseries from logs:

dql

fetch logs
| makeTimeseries
    total = count(),
    errors = countIf(loglevel == "ERROR"),
    interval: 5m,
    by: {k8s.cluster.name}
| fieldsAdd error_rate = errors / total * 100

Example — entity existence timeline using
spread:
:

dql

smartscapeNodes "HOST"
| makeTimeseries concurrently_existing_hosts = count(), spread: lifetime

spread: lifetime

distributes each host's count across the timeframe it existed, producing a series that shows how many hosts were alive at any point in time.

→ references/iterative-expressions.md for timeseries array manipulation

makeTimeseries

将基于事件的数据（日志、span、业务事件）转换为按时间桶聚合的指标序列。它和

timeseries

命令不是同一个功能：

timeseries

查询已摄入的指标数据；

makeTimeseries

从管道中的信号构建序列。

基础语法：

dql

fetch logs
| makeTimeseries count = count(), by: {loglevel}, interval: 5m

核心参数：

参数	是否必填	描述
`<agg> = <expr>`	是	每个时间桶要计算的聚合（例如 `count()` 、 `avg(duration)` ）
`interval:`	否	时间桶大小 — 例如 `1m` 、 `5m` 、 `1h`
`by:`	否	可选分组维度（与 `summarize` 使用相同的 `{}` 语法）
`from:` / `to:`	否	显式时间范围；默认使用查询的时间范围
`bins:`	否	时间桶数量（ `interval:` 的替代参数）
`time:`	否	用作时间戳的字段；默认使用 `timestamp`
`spread:`	否	时间桶计算的时间范围表达式；是 `time:` 的替代参数，仅适用于 `count` 或 `countIf`
`nonempty:`	否	布尔值；为 `true` 时，缺失的时间桶会填充null而非直接忽略

→ 完整正式参数说明：references/dql/dql-commands.md

示例 — 从日志生成错误率时间序列：

dql

fetch logs
| makeTimeseries
    total = count(),
    errors = countIf(loglevel == "ERROR"),
    interval: 5m,
    by: {k8s.cluster.name}
| fieldsAdd error_rate = errors / total * 100

示例 — 使用
spread:
生成实体存在时间线：

dql

smartscapeNodes "HOST"
| makeTimeseries concurrently_existing_hosts = count(), spread: lifetime

spread: lifetime

会将每个主机的计数分布到它存在的整个时间范围，生成的序列可以展示任意时间点在线的主机数量。

→ 时间序列数组操作参考references/iterative-expressions.md

Timeframe Specification

时间范围规范

Access to data requires specification of a timeframe. It can be specified in the UI, as REST API parameters, or in a DQL query explicitly using a pair of parameters:

from:

and

to:

(if one is omitted it defaults to

now()

), or alternatively using a single

timeframe:

parameter. Timeframe can be expressed using absolute values or relative expressions vs. current time. The time alignment operator (

) can be used to round timestamps to time unit boundaries — see references/operators.md for full details.

访问数据需要指定时间范围。可以在UI中指定，作为REST API参数传递，或者在DQL查询中显式使用一对参数

from:

和

to:

（如果省略其中一个，默认值为

now()

），也可以使用单个

timeframe:

参数替代。时间范围可以使用绝对值表示，也可以使用相对于当前时间的表达式表示。时间对齐运算符（

）可用于将时间戳对齐到时间单位边界——完整说明见references/operators.md。

Examples

示例

dql

from:now()-1h@h, to:now()@h     // last complete hour

dql

from:now()-1d@d, to:now()@d     // yesterday complete

dql

from:now()@M                    // this month so far, till now

dql

from:now()-2h@h                 // go back 2 hours, then align to hour boundary

dql

from:now()-1h@h, to:now()@h     // 上一个完整小时

dql

from:now()-1d@d, to:now()@d     // 完整的昨天

dql

from:now()@M                    // 本月至今

dql

from:now()-2h@h                 // 回退2小时，然后对齐到小时边界

Absolute timestamps

绝对时间戳

Use ISO 8601 format:

dql

from:"2024-01-15T08:00:00Z", to:"2024-01-15T09:00:00Z"

使用ISO 8601格式：

dql

from:"2024-01-15T08:00:00Z", to:"2024-01-15T09:00:00Z"

Modifying Time

时间处理

Key concepts

核心概念

DQL has 3 specialized types related to time:
- timestamp — internally kept as number of nanoseconds since epoch, but exposed as date/time in a particular timezone
- timeframe — a pair of 2 timestamps (start and end)
- duration — internally kept as number of nanoseconds, but exposed as duration scaled to a reasonable factor (e.g. ms, minutes, days)

DQL有3种与时间相关的专用类型：
- timestamp — 内部存储为纪元以来的纳秒数，但在特定时区下展示为日期/时间
- timeframe — 包含2个timestamp的对（开始和结束）
- duration — 内部存储为纳秒数，但展示为缩放后的合理单位（例如ms、分钟、天）

Rules

规则

Subtracting timestamps yields a duration:
```
timestamp - timestamp → duration
```
Duration divided by duration yields a double: e.g.
```
2h / 1m
```
=
```
120.0
```
Scalar times duration yields a duration: e.g.
```
no_of_h * 1h → duration
```
For extraction of time elements (hours, days of month, etc):
- ✅ Use time functions. They support calendar and time zones properly including DST.
- ❌ Avoid using
```
formatTimestamp
```
  for extracting time components.
- ❌ Avoid converting timestamps and durations to double/long and using division, modulo, and constants expressing time units as nanoseconds.

timestamp相减得到duration：
```
timestamp - timestamp → duration
```
duration除以duration得到双精度浮点数：例如
```
2h / 1m
```
=
```
120.0
```
标量乘以duration得到duration：例如
```
no_of_h * 1h → duration
```
提取时间元素（小时、当月日期等）：
- ✅ 使用时间函数。它们完美支持日历和时区，包括夏令时。
- ❌ 不要使用
```
formatTimestamp
```
  提取时间组件。
- ❌ 不要将timestamp和duration转换为double/long类型，再通过除法、取模和纳秒级时间单位常量进行计算。

References

参考文档

references/useful-expressions.md — Useful expressions in DQL
references/semantic-dictionary.md — Dynatrace Semantic Dictionary: field namespaces, data models, stability levels, query patterns, and best practices
references/summarization.md — Various applications of summarize and makeTimeseries commands
references/operators.md — Operators:
```
in
```
comparison and
```
@
```
time alignment
references/iterative-expressions.md — Array and timeseries manipulation (creation, modifications, use in filters) using DQL
references/smartscape-topology-navigation.md — Smartscape topology navigation syntax and patterns
references/optimization.md — DQL query optimization: filter placement, time ranges, field selection, and performance best practices
references/dql/ — Formal DQL 1.0 specification: commands, functions, data types, and parameter types

references/useful-expressions.md — DQL常用表达式
references/semantic-dictionary.md — Dynatrace语义字典：字段命名空间、数据模型、稳定性级别、查询模式与最佳实践
references/summarization.md — summarize与makeTimeseries命令的各类应用
references/operators.md — 运算符：
```
in
```
比较与
```
@
```
时间对齐
references/iterative-expressions.md — 使用DQL进行数组与时间序列操作（创建、修改、在过滤器中使用）
references/smartscape-topology-navigation.md — Smartscape拓扑导航语法与模式
references/optimization.md — DQL查询优化：过滤位置、时间范围、字段选择与性能最佳实践
references/dql/ — 正式DQL 1.0规范：命令、函数、数据类型与参数类型