Logs Query Tracking

Last updated - 26 January, 2026

Log Query Tracking enables you to automatically collect and monitor time-series metrics from your saved log queries. 

When tracking is enabled, LogicMonitor runs your saved query every five minutes and captures the resulting metrics as datapoints. These datapoints are stored within a dedicated DataSource instance that LogicMonitor creates for you in a Log Tracked Queries resource group. From there, they are seamlessly displayed in graphs and dashboards, giving you real-time visibility into your system’s performance.

By using query tracking, you can gain ongoing insights into log patterns, such as login failures, error frequency, or traffic volume trends.

Basic and Aggregate Queries

Understanding the difference between basic, simple aggregate, and complex aggregate queries is essential when designing tracked queries in LogicMonitor. Query classification is determined by the operations performed, not by syntax alone.

Tracked queries can generate either simple or aggregate datapoints, depending on the structure of your queries.

The following are the examples of datapoint names for the simple and aggregate query:

• Query: * | avg(_size) as average, sum(_size) as sum, max(_size) as maximum
• Datapoints: average, sum, maximum

The following table provides examples of each query types:

Query Type	Description	Query Example
Basic Query	A basic query evaluates individual log or metric records without calculating summary values across multiple records. These queries do not use aggregate functions such as count, avg, sum, min, max, or group by.	_message ~ “Login Failure” | parse /Method:(?<method>\w+)/ as method
Simple Aggregate Query	A simple aggregate query calculates summary values across all matching records without grouping results into multiple dimensions. These queries use aggregate functions but do not include a group by clause that creates multiple result sets.	_message ~ “Login Failure” | count,avg(_size),max(_size)
Complex Aggregate  Query	A complex aggregate query calculates summary values and groups results by one or more fields. These queries typically include parsing or transformation steps followed by aggregate functions combined with a group by clause, which can generate multiple instances per polling interval.	“StatusCode” | parse /StatusCode:(?<statusCode>\d+)/ as statusCode | parse /Latency:(?<latency>\d+)ms/ as latency | parse /Method:(?<method>\w+)/ as method | avg(latency) as avg_latency_ms, count by statusCode, method
Additional Example of Complex Aggregate  Query	The example demonstrates a complex aggregate query that groups results across multiple resource attributes and performs additional calculations on aggregated values, such as unit conversion and derived averages.	_resource.type=”Database” | count(_size), sum(_size) by system.tenant.identifier, _resource.vendor, _resource.name | num(_sum/1000000000) as GB | num(_sum/_count) as avg_size | sort by GB desc

Each query type produces dynamic datapoints that are stored in the corresponding tracked query instance. In addition, you can disable or delete tracked queries at any time if you no longer need to collect metrics.

Query Tracking Limits

LogicMonitor enforces query tracking limits to maintain predictable performance and consistent resource utilization across customer portals. These limits differ based on whether a query is non-aggregate or aggregate.

The LogicMonitor portal supports a maximum of 300 tracked queries per company, distributed as follows:

Non-aggregate queries

• One shared DataSource
• Up to 250 instances, where each instance represents one tracked query

Aggregate queries

• Up to 50 DataSources, with one DataSource per aggregate query
• Each aggregate DataSource supports:
  • A maximum of 50 total instances
  • Up to 10 group-by results per polling interval
  • A maximum of 10 new instances created per poll, capped at 50 instances per DataSource
• 250 non-aggregate queries
• 50 aggregate queries

These limits ensure that performance and resource utilization remain consistent when large numbers of queries are being tracked.

Each tracked query runs as a scheduled task within LogicMonitor’s DataSource framework, so these limits apply across your account’s total tracked queries.

Requirements for Tracking a Log Query

To create or manage a tracked query, you need the following:

1. You must have LM Logs licensing enabled for your account.
2. You must have Logs “View” permission.
3. You must have read access to at least one device or deviceless log.
4. The query must be saved before enabling tracking.
5. The query must return at least one groupable field for metrics to be collected.
6. Query tracking must be enabled for your account. For access, contact your Customer Success Manager.
7. Tracked query names must meet the following criteria:
   • Contain 50 characters or fewer.
   • Include only alphanumeric characters, colons (:), periods (.), and underscores (_), with an optional hyphen (-) at the end.
   • Contain no whitespace.

Enabling Tracking for a Saved Log Query

1. In LogicMonitor, navigate to Logs.
2. Select the Views dropdown and then select Manage Saved Filters.
3. In the panel, locate the saved query you want to track.
4. Select the More options .
5. Select Track query.
   
6. In the Track Query modal:
   • Review or update the Query name.
   • Confirm or modify the query expression.
     
7. Select Save to create the tracked query.

Disabling Tracking for a Saved Query

You can disable tracking if you no longer want LogicMonitor to collect metrics from a saved query.

When tracking is disabled, the query no longer runs on schedule. Existing data remains available for a limited time unless its instance is removed from the Log Tracked Queries group. If tracking is re-enabled, LogicMonitor resumes data collection on the existing instance or creates a new one.

To disable tracking, do the following:

1. In LogicMonitor, navigate to Logs.
2. Locate the tracked query in the Manage Saved Filters panel.
   
3. Switch off the Stop query tracking toggle.
4. In the dialog box, select Stop tracking.
   

Deleting a Saved Query

Deleting a saved query permanently removes it and any associated schedule.

When you delete a tracked query, LogicMonitor stops running the query and automatically deletes the corresponding tracked query instance. This means no new data is collected, and the associated DataSource instance is removed from the Tracked Queries group. If a user account is deleted, any saved queries owned by that user are also removed.

To delete a saved query, do the following:

1. In LogicMonitor, navigate to Logs.
2. Select the Views dropdown and then Manage Saved Filters.
3. Locate the saved query you want to delete.
4. Select the More options  next to the query.
   
5. Select Delete and confirm deletion.