Query executor: translate a QueryNode into parameterized SQL, run
it against the index, and reconstruct LogEntry values from the
result rows.
This module is the bridge between the query AST and the SQLite schema.
It never mixes user-controlled strings into SQL text — every literal
value is bound as a parameter. The one exception is JSON extraction
paths like $.service, which embed the field name directly because
SQLite parameters aren’t allowed inside json_extract path expressions;
safety there comes from the field name having passed
validate_field_name’s strict regex in the parser, which we
defensively re-check at the executor boundary.
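The executor-boundary re-check described above, as an added example that is not this crate's own code. The allow-list in is_safe_field_name is an assumed stand-in for validate_field_name's regex, and the fields column name and the field_equals helper are hypothetical.

```rust
// Added illustration, not the crate's code. The allow-list below is an
// assumed stand-in for the pattern enforced by validate_field_name.
fn is_safe_field_name(name: &str) -> bool {
    let mut chars = name.chars();
    // First character: ASCII letter or underscore (also rejects "").
    let first_ok = matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_');
    // Remaining characters: ASCII alphanumerics or underscore, bounded length.
    first_ok && name.len() <= 64 && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Build a `json_extract(...) = ?1` predicate plus the values to bind.
/// `fields` is a hypothetical JSON column name fixed in the source code.
fn field_equals(field: &str, value: &str) -> Result<(String, Vec<String>), String> {
    // Executor-boundary re-check: reject outright, never try to escape.
    if !is_safe_field_name(field) {
        return Err(format!("rejected field name: {field:?}"));
    }
    // Only the validated field name reaches the SQL text; the value is bound.
    let sql = format!("json_extract(fields, '$.{field}') = ?1");
    Ok((sql, vec![value.to_string()]))
}

fn main() {
    // Constructed inputs: one valid field with a hostile value, then
    // field names that must be refused before any SQL text is built.
    let cases = [
        ("service", "api' OR '1'='1"),
        ("service') OR 1=1 --", "x"),
        ("a.b", "x"),
        ("", "x"),
    ];
    for (field, value) in cases {
        match field_equals(field, value) {
            Ok((sql, params)) => println!("{sql}  params={params:?}"),
            Err(e) => println!("{e}"),
        }
    }
}
```

The hostile value in the first case never appears in the SQL string; it travels only in the parameter list, so quoting inside it has no effect on the statement.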
§Timestamp handling
Timestamps are compared as TEXT, which works correctly for any ISO-8601
format because those sort lexicographically in chronological order when
all components are fixed-width. Ingested timestamps that aren’t ISO-8601
shaped will compare incorrectly against last/since bounds — a known
limitation of accepting arbitrary timestamp strings at ingestion time.
Functions§
- execute
- Execute a parsed query against the index and return matching entries.
- execute_at
- Variant of execute that uses a caller-supplied “now” value.