DataPrime query
DataPrime is the second query syntax in Explore, alongside Builder. Use it when you need the precision and flexibility of DataPrime's pipeline syntax for filtering, transforming, and aggregating log data at scale.
Switch to DataPrime
Switch to DataPrime from within Explore:
- Open Explore.
- In the query bar, toggle the syntax switch from Builder to DataPrime.
The search bar is replaced by the DataPrime query editor. The editor opens pre-populated with source <dataset> for the active dataset, or with a translated form of your current Lucene query. Your time range and dataset selection are preserved.
Write a query
DataPrime uses a pipeline syntax: each step in the pipeline transforms or filters the data passed from the previous step. Start with a source statement, then chain operators with the | pipe character.
Example query — filter for errors and group by subsystem:
source logs
| filter $m.severity == ERROR
| groupby $l.subsystemname aggregate count() as error_count
| orderby $d.error_count desc
| limit 5
This query:
- Sources data from the
logsdataset. - Filters to log entries where severity is
ERROR(a Coralogix metadata enum — no quotes). - Groups the filtered logs by subsystem and counts them.
- Orders results by error count, highest first. Reference the alias
error_countas$d.error_count— it lives in the user-data namespace after the aggregation. - Limits results to the top 5 subsystems.
Spans use the same pipeline syntax with source spans. For example, top 5 services by average span duration:
source spans
| groupby $l.serviceName aggregate avg($m.duration) as avg_duration
| orderby $d.avg_duration desc
| limit 5
Use $d for user-data fields, $m for Coralogix metadata (severity, applicationname, subsystemname, timestamp, duration), and $l for user labels and OpenTelemetry semantic-convention attributes (serviceName, operationName, and so on). See the DataPrime documentation for the full namespace reference.
Lucene to DataPrime
Switching from Builder to DataPrime seeds the editor with a translated form of your Lucene query when one exists, otherwise with source <dataset> for the active dataset. The translation is structural, not semantic — review the result and adjust as needed.
DataPrime field references use a prefix notation: $d for log data fields, $m for metadata fields, and $l for user labels.
A confirmation dialog only appears when you leave a Builder-only context (Templates, Traces, Flows, or RED metrics). Its buttons are Cancel, Open DataPrime in new tab, and Convert to DataPrime. For a normal Logs tab in Lucene, the toggle switches without confirmation.
Switch back to the query builder
If you switch from DataPrime back to Builder without editing the DataPrime expression, Explore restores your original Builder filters, Grouped by, and Aggregation as they were before the switch — your Builder state remains intact.
If you edit the DataPrime expression and then switch back, Explore opens a Please note dialog with three options:
- Cancel: stay in DataPrime.
- Open Lucene in new tab: preserve the DataPrime query in the current tab and open a fresh tab in Builder.
- Discard query: return to Builder on the dataset's default empty state, discarding the DataPrime query.
The saved Builder state lives in the current tab only — refresh the page or open a new tab to clear it.
Work with results
DataPrime results appear in a single Results tab below the query editor. The tab header shows the row count next to its name (for example, Results 5).
On the spans dataset, the Highlights tab is the one Builder-mode view preserved when you switch to DataPrime — running a DataPrime query while on the Highlights tab keeps you on Highlights instead of dropping you to Results. The other spans views (Spans, Traces, Flows, RED metrics) collapse into the single Results tab.
Raw results
Queries without a groupby operator return individual log records — one row per matching log. Each row is expandable in place; expand a row to inspect its fields. Use the column headers to sort by any column.
Aggregated results
Queries with a groupby operator return one row per group. Columns include each grouping field and the aliased aggregation outputs — for example, subsystemname and error_count from the example above.
Chart visualizations
DataPrime doesn't render a chart above the Results table. Switch to Builder if you want a time-series chart, Visualize as selector, or interactive chart drilldown — DataPrime is text-only at the query level today.
Related resources
Next steps
Plot DataPrime results over time with the time-series chart.


