Graph / Log / Event / Observability Query Languages Family Index
type: language-family-index
family: graph-log-event-query
languages_catalogued: 26
tags: [language-reference, family-index, graph-query, observability, log-query, json-query, dsl]
Family overview
For roughly four decades SQL was the only query language anyone needed to know to be employable. The 2010s broke that monoculture in three places at once. Property-graph databases needed primitives SQL never had — variable-length path traversal, pattern matching with optional edges, returning subgraphs — so Cypher, Gremlin, SPARQL, and a half-dozen vendor dialects (AQL, nGQL, GSQL, PGQL) carved out the graph query niche. Observability stacks needed time-series-aware querying over high-cardinality structured events, which SQL was clumsy at; Splunk’s SPL pioneered the pipe-shaped log-query DSL in 2003 and Microsoft’s KQL, Grafana’s LogQL, NRQL, Datadog’s search bar, and Honeycomb’s query DSL all followed that template. Finally, the JSON-everywhere era made shell-pipeline JSON/YAML query a first-class concern, producing jq, yq, JMESPath, JSONPath, xq, and gron — small declarative DSLs that fit in a --query flag or a Unix pipeline.
The convergence story in 2024-2026 is real but partial. ISO/IEC 39075:2024 (GQL) finally ratified graph query as the second ISO query-language standard ever, alongside SQL — Cypher’s syntax won that bake-off. JSONPath was finalized as RFC 9535 in February 2024, ending 17 years of incompatible “JSONPath” implementations. KQL has spread far beyond its Azure Data Explorer roots and now powers Microsoft Sentinel, Defender XDR, Application Insights, Log Analytics, and Microsoft Fabric Real-Time Analytics — Microsoft is positioning it as “SQL for telemetry.”
Going the other direction, Elasticsearch’s JSON Query DSL has effectively replaced classical Lucene query syntax for any non-trivial query — Lucene syntax survives as the simple-string sublanguage embedded inside { "query_string": ... }. And Apache Pinot, Druid, and Doris have all consciously chosen ANSI-flavored SQL over inventing yet another DSL, betting that operator familiarity beats expressiveness for OLAP-on-streaming workloads.
In our deep library
None. This family has no dedicated reference note yet. Cross-reference `query` (the broader query-languages family index — covers Datalog, GraphQL, MQL, PromQL, LINQ, SQL dialects, and lighter coverage of Cypher/Gremlin/SPARQL/jq/JMESPath/KQL/LogQL), `sql` (the deep ANSI/ISO SQL reference plus five dialects — relevant because Pinot SQL, Druid SQL, and Doris SQL all inherit ANSI semantics), and `config-and-dsl` for adjacent embedded DSLs (CEL, Rego) that overlap with constrained query DSLs.
Tier 3 family table
| Language | First appeared | Origin | Domain | Status (2026) | URL |
|---|---|---|---|---|---|
| Cypher | 2011 | Neo4j | Property-graph pattern query | Dominant; reference syntax for ISO GQL | https://neo4j.com/docs/cypher-manual/current/ |
| openCypher | 2015 | openCypher consortium (Neo4j-led) | Vendor-neutral Cypher spec | Active; folded into ISO GQL | https://opencypher.org/ |
| ISO GQL | 2024 | ISO/IEC JTC 1/SC 32 | Standard graph query language | Newly ratified (ISO/IEC 39075:2024); first implementations shipping | https://www.iso.org/standard/76120.html |
| Gremlin | 2009 | Apache TinkerPop | Graph traversal DSL | Mature; supported by JanusGraph, Neptune, CosmosDB, ArangoDB | https://tinkerpop.apache.org/gremlin.html |
| SPARQL 1.1 | 2013 (W3C Rec) | W3C | RDF / triple-store query | Mature; backbone of Wikidata, DBpedia, life sciences linked data | https://www.w3.org/TR/sparql11-query/ |
| AQL (ArangoDB) | 2012 | ArangoDB GmbH | Multi-model (document + graph + key-value) | Active; SQL-shaped reads, `FOR v, e IN OUTBOUND` graph traversal | https://docs.arangodb.com/3.12/aql/ |
| nGQL | 2019 | NebulaGraph (Vesoft) | Distributed property-graph query | Active; Cypher-influenced syntax; NebulaGraph 3.x adds openCypher mode | https://docs.nebula-graph.io/3.8.0/3.ngql-guide/1.nGQL-overview/1.overview/ |
| GSQL | 2017 | TigerGraph | Turing-complete graph query | Active; SQL-like with procedural blocks; GQL-alignment in progress | https://docs.tigergraph.com/gsql-ref/current/intro/intro |
| PGQL | 2016 | Oracle | Property-graph SQL | Active in Oracle stack; influenced GQL standard | https://pgql-lang.org/spec/1.5/ |
| LogQL | 2018 | Grafana Labs | Loki log query | Active; PromQL-shaped — label selectors plus regex/JSON line filters plus metric extraction | https://grafana.com/docs/loki/latest/query/ |
| KQL (Kusto) | 2018 (public) | Microsoft | Telemetry / log / metric query | Dominant in Azure; spreading to Sentinel, Defender, Fabric, Application Insights | https://learn.microsoft.com/azure/data-explorer/kusto/query/ |
| SPL | 2003 | Splunk | Log search / processing | Dominant in enterprise SIEM; the original pipe-style log DSL | https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual |
| Datadog Query Syntax | ~2012 | Datadog | Log + APM + metric search bar | Dominant in Datadog UI; per-product variants for logs, traces, RUM, metrics | https://docs.datadoghq.com/logs/explorer/search_syntax/ |
| NRQL | 2014 | New Relic | Telemetry query (events, metrics, logs, traces) | Active; SQL-shaped (SELECT ... FROM Transaction FACET ... TIMESERIES) | https://docs.newrelic.com/docs/nrql/get-started/introduction-nrql-new-relics-query-language/ |
| Honeycomb Query | 2016 | Honeycomb.io | Wide-event observability query | Active; UI-driven structured query (visualize/where/group-by/break-down) over Honeycomb’s column store | https://docs.honeycomb.io/investigate/query/ |
| Lucene Query Syntax | 2001 (Lucene 1.0) | Apache Lucene | Full-text query string | Universal; embedded in Elasticsearch query_string/simple_query_string, Solr, Kibana KQL-lite | https://lucene.apache.org/core/9_11_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html |
| Elasticsearch Query DSL | 2010 | Elastic | JSON-shaped search query | Dominant in search/log analytics; superset of Lucene syntax with bool/filter/agg trees | https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html |
| OpenSearch Query DSL | 2021 | OpenSearch (AWS-led fork) | JSON-shaped search query | Active; near-identical to ES DSL after the 2021 SSPL fork | https://opensearch.org/docs/latest/query-dsl/ |
| jq | 2012 | Stephen Dolan | Concatenative JSON query/transform | Universal; shipped in every distro; jq 1.7 (2023) added SQL-style INDEX/UNIQUE_BY | https://jqlang.github.io/jq/manual/ |
| yq (Mike Farah) | 2017 | Mike Farah (Go) | YAML/JSON/XML query | Dominant Go yq; jq-superset syntax over YAML; v4.x current | https://mikefarah.gitbook.io/yq/ |
| yq (Python kislyuk) | 2017 | Andrey Kislyuk | jq wrapper for YAML | Active; thin Python wrapper that pipes through real jq; ships xq, tomlq | https://kislyuk.github.io/yq/ |
| JMESPath | 2014 | James Saryerwinnie (AWS) | Constrained JSON path query | Active; powers aws --query, Azure CLI --query, OCI CLI; deliberate non-Turing-complete design | https://jmespath.org/specification.html |
| JSONPath | 2007 (Goessner blog) / 2024 (RFC 9535) | Stefan Goessner; IETF JSONPath WG | XPath-shaped JSON query | Standard finally landed Feb 2024 (RFC 9535); pre-RFC implementations remain incompatible | https://www.rfc-editor.org/rfc/rfc9535.html |
| xq | 2017 | bundled with Python yq | XML-as-JSON jq query | Active; converts XML to JSON via xmltodict and runs jq filters | https://kislyuk.github.io/yq/#xq |
| gron | 2016 | Tom Hudson | JSON-to-grep flattener | Active; not a query language per se — flattens JSON to greppable assignment statements then ungrons back | https://github.com/tomnomnom/gron |
| Apache Pinot SQL | 2014 (LinkedIn) / 2018 (Apache) | LinkedIn / Apache | Real-time OLAP SQL | Active; Calcite-based ANSI SQL with streaming + lookup-join extensions | https://docs.pinot.apache.org/users/user-guide-query/querying-pinot |
| Druid SQL | 2018 (replaced native JSON queries) | Apache Druid | OLAP-on-streaming SQL | Dominant in Druid; Calcite-based; coexists with legacy native JSON query API | https://druid.apache.org/docs/latest/querying/sql/ |
| Apache Doris SQL | 2017 (Baidu Palo) / 2022 (Apache TLP) | Baidu / Apache | Real-time MPP OLAP SQL | Active; MySQL wire-protocol compatible; Pinot/Druid/ClickHouse competitor | https://doris.apache.org/docs/query/query-data/query-data |
Notable threads
- ISO GQL is the first new ISO query-language standard since SQL — and openCypher won. ISO/IEC 39075:2024, published April 2024, is the result of a decade-long effort that started inside the openCypher consortium (Neo4j, 2015) and was joined by Oracle (PGQL), TigerGraph, SAP, IBM, and Linkdata. The final standard is deeply Cypher-shaped: `MATCH (a)-[:KNOWS]->(b) RETURN a, b` is GQL. Neo4j, Memgraph, TigerGraph, Oracle, and Amazon Neptune have all committed to GQL conformance modes; Gremlin is not part of GQL (the standard chose declarative pattern matching over imperative traversal).
- SPL is still the gold standard of log query and nobody’s beaten it after 23 years. Splunk released SPL in 2003 and pioneered the `index=foo source=bar | stats count by host | sort -count` pipe model. Every later observability vendor (Sumo Logic, Datadog, KQL, LogQL, Honeycomb) borrowed the pipe shape, but SPL still has the deepest stats library, the most mature subsearch semantics, and the largest user base in enterprise SIEM. The Cisco-Splunk acquisition (closed March 2024) hasn’t fundamentally changed SPL’s trajectory.
- KQL is becoming Microsoft’s “SQL for telemetry.” Originally the query language for Azure Data Explorer (Kusto) in 2018, KQL is now the query layer for Azure Monitor / Log Analytics, Microsoft Sentinel, Defender XDR, Application Insights, Microsoft Graph activity logs, and Microsoft Fabric Real-Time Intelligence. The “Kusto Query Language” name has been quietly genericized to just “KQL” because it’s no longer Kusto-specific. SQL Server even added a Kusto-style `EXPLAIN` translator.
- The jq / JMESPath / JSONPath split is intentional design philosophy. jq is general-purpose and Turing-complete (recursive functions, reduce, generators) — overkill for many tasks but unmatched for transformation. JMESPath is constrained-by-design so that AWS CLI users can’t accidentally write a query that takes 10 minutes against a 100MB response — no recursion, no arithmetic beyond projection, predictable evaluation cost. JSONPath is the simplest of the three (essentially XPath-for-JSON with `$.store.book[*].author`-style paths), and as of RFC 9535 (Feb 2024) it’s finally a real standard rather than a Goessner blog post that everyone implemented differently.
- Elasticsearch’s JSON Query DSL replaced classical Lucene syntax for everything non-trivial. Lucene’s query string (`field:value AND (foo OR bar)`) is still ubiquitous in Kibana search bars and embedded inside `query_string`, but any query that uses `bool`/`function_score`/`nested`/aggregations is written as JSON trees. The OpenSearch fork (2021, after Elastic’s SSPL relicense) preserved the JSON DSL shape almost verbatim, so query knowledge transfers cleanly between the two. Notably, OpenSearch later added “PPL” (Piped Processing Language) as a Splunk/KQL-shaped alternative.
- Real-time OLAP standardized on SQL, not on a new DSL. Apache Pinot, Druid, and Doris all use Apache Calcite-based ANSI SQL (Druid replaced its native JSON query API with SQL in 2018). The lesson learned from MongoDB MQL and Elasticsearch DSL: even when your engine is non-relational under the hood, analysts strongly prefer SQL syntax. ClickHouse made the same bet earlier and has been rewarded for it.
Citations
- ISO, “ISO/IEC 39075:2024 — Information technology — Database languages — GQL”, https://www.iso.org/standard/76120.html
- openCypher Implementers Group, “openCypher Specification”, https://opencypher.org/resources/
- Neo4j, “Cypher Manual”, https://neo4j.com/docs/cypher-manual/current/
- Apache TinkerPop, “The Gremlin Graph Traversal Language”, https://tinkerpop.apache.org/gremlin.html
- W3C, “SPARQL 1.1 Query Language”, https://www.w3.org/TR/sparql11-query/
- ArangoDB, “AQL Documentation”, https://docs.arangodb.com/3.12/aql/
- NebulaGraph, “nGQL Guide”, https://docs.nebula-graph.io/3.8.0/3.ngql-guide/1.nGQL-overview/1.overview/
- TigerGraph, “GSQL Reference”, https://docs.tigergraph.com/gsql-ref/current/intro/intro
- Oracle, “PGQL 1.5 Specification”, https://pgql-lang.org/spec/1.5/
- Grafana Labs, “LogQL Reference”, https://grafana.com/docs/loki/latest/query/
- Microsoft, “Kusto Query Language Reference”, https://learn.microsoft.com/azure/data-explorer/kusto/query/
- Splunk, “Search Reference”, https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
- Datadog, “Log Search Syntax”, https://docs.datadoghq.com/logs/explorer/search_syntax/
- New Relic, “Introduction to NRQL”, https://docs.newrelic.com/docs/nrql/get-started/introduction-nrql-new-relics-query-language/
- Honeycomb.io, “Querying Your Data”, https://docs.honeycomb.io/investigate/query/
- Apache Lucene, “Query Parser Syntax”, https://lucene.apache.org/core/9_11_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html
- Elastic, “Query DSL”, https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
- OpenSearch, “Query DSL”, https://opensearch.org/docs/latest/query-dsl/
- jq Authors, “jq Manual”, https://jqlang.github.io/jq/manual/
- Mike Farah, “yq Documentation”, https://mikefarah.gitbook.io/yq/
- Andrey Kislyuk, “yq — Command-line YAML/XML/TOML processor”, https://kislyuk.github.io/yq/
- AWS, “JMESPath Specification”, https://jmespath.org/specification.html
- IETF, “RFC 9535 — JSONPath: Query Expressions for JSON”, https://www.rfc-editor.org/rfc/rfc9535.html
- Stefan Goessner, “JSONPath — XPath for JSON” (2007), https://goessner.net/articles/JsonPath/
- Tom Hudson, “gron — Make JSON greppable”, https://github.com/tomnomnom/gron
- Apache Pinot, “Querying Pinot”, https://docs.pinot.apache.org/users/user-guide-query/querying-pinot
- Apache Druid, “Druid SQL Overview”, https://druid.apache.org/docs/latest/querying/sql/
- Apache Doris, “Query Data”, https://doris.apache.org/docs/query/query-data/query-data