Productivity Tools on DuckDB Labhttps://duckdblab.org/en/categories/productivity-tools/Recent content in Productivity Tools on DuckDB LabHugo -- gohugo.ioen-USThu, 07 May 2026 00:00:00 +0000DuckDB as the New jq: Processing GB-Scale JSON Logs Without the Painhttps://duckdblab.org/en/post/duckdb-as-new-jq/Thu, 07 May 2026 00:00:00 +0000https://duckdblab.org/en/post/duckdb-as-new-jq/<h2 id="1-the-problem-when-grep--jq-pipelines-fall-apart">1. The Problem: When grep | jq Pipelines Fall Apart </h2><p>Every DevOps engineer knows this scenario: a production incident is unfolding, and you need to drill into gigabytes of JSON logs — fast. The muscle memory kicks in:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grep <span class="s2">&#34;ERROR&#34;</span> access.log.json <span class="p">|</span> jq <span class="s1">&#39;.request_uri, .status_code&#39;</span> <span class="p">|</span> head -20 </span></span></code></pre></div><p>But when that log file hits <strong>10 GB</strong>, this classic pipeline reveals three critical flaws:</p> <h3 id="11-memory-explosion">1.1 Memory Explosion </h3><p><code>jq</code> parses the entire JSON document into memory by default. It handles JSON Lines (one JSON object per line) reasonably well, but when you hit <strong>nested multi-line JSON</strong> — standard fare for Kubernetes events, AWS CloudTrail, or structured Nginx logs — jq&rsquo;s <code>-s</code> (slurp) mode loads the <strong>entire file into RAM</strong>. A 5 GB file can consume 8+ GB of RSS, easily OOMing a 16 GB server.</p> <h3 id="12-speed-bottleneck">1.2 Speed Bottleneck </h3><p><code>grep</code> is fast at line scanning, but once data flows through the pipe to <code>jq</code>, the bottleneck shifts from disk I/O to <strong>inter-process communication</strong>. <code>grep | jq</code> is fundamentally a single-threaded pipeline — it cannot utilize multiple CPU cores. For a 10 GB log, you&rsquo;re looking at <strong>3-5 minutes of waiting</strong>.</p> <h3 id="13-limited-query-capabilities">1.3 Limited Query Capabilities </h3><p>jq&rsquo;s functional DSL is powerful, but every additional filter condition adds exponential complexity to your pipeline. Try to:</p> <ul> <li>Filter by time window + GROUP BY status_code</li> <li>Compute p50/p95/p99 latencies</li> <li>Join fields across multiple JSON files</li> </ul> <p>In jq, these range from &ldquo;painful&rdquo; to &ldquo;practically impossible&rdquo; without writing dozens of lines of head-scratching pipe chains.</p> <hr> <h2 id="2-enter-duckdb-sql-powered-json-analytics">2. Enter DuckDB: SQL-Powered JSON Analytics </h2><p><a class="link" href="https://duckdb.org" target="_blank" rel="noopener" >DuckDB</a> is an embedded OLAP database designed for <strong>analytical workloads</strong>. It requires no server setup — a single 50 MB binary is all you need.</p> <p>The killer feature is <strong><code>read_json_auto</code></strong> — it automatically infers the schema of your JSON files and lets you query them with plain SQL:</p> <h3 id="21-basic-usage">2.1 Basic Usage </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;/var/log/nginx/access.json.log&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LIMIT</span><span class="w"> </span><span class="mi">10</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>One line, and DuckDB automatically:</p> <ul> <li>Detects whether your JSON is line-delimited or nested/multi-line</li> <li>Infers all column types (string, int, double, timestamp, etc.)</li> <li>Flattens nested JSON into child columns</li> </ul> <h3 id="22-glob-pattern-batch-processing">2.2 Glob Pattern: Batch Processing </h3><p>In real-world ops, logs are usually rotated daily or hourly. DuckDB natively supports glob patterns:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;/var/log/nginx/2026/*/*.json&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="s1">&#39;2026-05-01&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>This single SQL statement replaces:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># The traditional bash approach</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> f in /var/log/nginx/2026/05/*.json<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> cat <span class="s2">&#34;</span><span class="nv">$f</span><span class="s2">&#34;</span> <span class="p">|</span> jq <span class="s1">&#39;select(.status_code &gt;= 500)&#39;</span> &gt;&gt; errors.json </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><p>Not only is the code reduced from 3 lines to 1, it&rsquo;s also an <strong>order of magnitude faster</strong> — DuckDB&rsquo;s columnar storage engine + parallel scan distributes the workload across all CPU cores automatically.</p> <h3 id="23-aggregation-reports-in-seconds">2.3 Aggregation: Reports in Seconds </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cnt</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">round</span><span class="p">(</span><span class="k">avg</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">),</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">avg_rt</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">approx_quantile</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">p50</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">approx_quantile</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">.</span><span class="mi">95</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">p95</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">approx_quantile</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">.</span><span class="mi">99</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">p99</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;/var/log/nginx/access.json.log&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="k">current_date</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nb">interval</span><span class="w"> </span><span class="s1">&#39;7 days&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span><span class="k">DESC</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>In traditional tools, computing P99 latency requires sorting all data and finding the percentile — excruciating in jq. DuckDB&rsquo;s built-in <code>approx_quantile</code> function (using the T-Digest algorithm) computes approximate percentiles across <strong>hundreds of millions of rows in seconds</strong>.</p> <h3 id="24-nested-json-unpacking">2.4 Nested JSON Unpacking </h3><p>Real logs are nested. Requests have headers, responses have body metadata. DuckDB accesses nested fields with dot notation:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">request_uri</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="s2">&#34;Content-Type&#34;</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">content_type</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;logs/*.json&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">400</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>JSON arrays? Use <code>UNNEST</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="n">request_uri</span><span class="p">,</span><span class="w"> </span><span class="n">error</span><span class="p">.</span><span class="n">message</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;logs/*.json&#39;</span><span class="p">),</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LATERAL</span><span class="w"> </span><span class="k">UNNEST</span><span class="p">(</span><span class="n">errors</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">t</span><span class="p">(</span><span class="n">error</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="n">array_length</span><span class="p">(</span><span class="n">errors</span><span class="p">)</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><hr> <h2 id="3-comparison-jq-vs-python-vs-duckdb">3. Comparison: jq vs Python vs DuckDB </h2><table> <thead> <tr> <th>Dimension</th> <th>jq</th> <th>Python (json + pandas)</th> <th>DuckDB</th> </tr> </thead> <tbody> <tr> <td><strong>Install size</strong></td> <td>~2 MB</td> <td>~500 MB (Anaconda) / ~100 MB (minimal)</td> <td><strong>~50 MB single binary</strong></td> </tr> <tr> <td><strong>Startup time</strong></td> <td>~5 ms</td> <td>~1-3 s (import pandas)</td> <td><strong>~10 ms</strong></td> </tr> <tr> <td><strong>Memory for 10 GB file</strong></td> <td>Likely OOM</td> <td>~1.5-3x file size</td> <td><strong>~100-500 MB + cache</strong></td> </tr> <tr> <td><strong>Query speed on 10 GB</strong></td> <td>3-5 min+</td> <td>1-3 min</td> <td><strong>10-30 seconds</strong></td> </tr> <tr> <td><strong>Parallel scanning</strong></td> <td>❌ Single-threaded</td> <td>⚠️ Manual multiprocessing</td> <td>✅ Automatic parallelism</td> </tr> <tr> <td><strong>Lines of code (typical query)</strong></td> <td>10-30 lines</td> <td>15-40 lines</td> <td><strong>1-5 lines SQL</strong></td> </tr> <tr> <td><strong>Learning curve</strong></td> <td>Functional DSL</td> <td>Pandas API complex</td> <td><strong>SQL (everyone knows it)</strong></td> </tr> <tr> <td><strong>Cron / script integration</strong></td> <td>✅ Excellent</td> <td>⚠️ Moderate</td> <td><strong>✅ Single command</strong></td> </tr> <tr> <td><strong>S3 / HTTP remote files</strong></td> <td>❌ Not supported</td> <td>⚠️ Needs requests</td> <td><strong>✅ Native support</strong></td> </tr> <tr> <td><strong>Nested JSON support</strong></td> <td>✅ Good</td> <td>⚠️ json_normalize</td> <td><strong>✅ Automatic flattening</strong></td> </tr> <tr> <td><strong>GROUP BY aggregation</strong></td> <td>❌ Extremely hard</td> <td>✅ Good</td> <td><strong>✅ Native SQL</strong></td> </tr> <tr> <td><strong>Export formats</strong></td> <td>Terminal text</td> <td>CSV/Parquet/DB</td> <td><strong>CSV/Parquet/JSON/DB</strong></td> </tr> </tbody> </table> <blockquote> <p><strong>Bottom line</strong>: <code>jq</code> wins for quick 1-100 MB inspection. Python shines for complex preprocessing pipelines. But DuckDB dominates the <strong>sweet spot of 100 MB to 100 GB</strong> — the range where most production log analysis happens.</p> </blockquote> <hr> <h2 id="4-complete-executable-sql-examples">4. Complete, Executable SQL Examples </h2><p>Here&rsquo;s a production-ready workflow. Assume your Nginx logs are JSON-formatted and rotated hourly:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="c1">-- 1. Create a table (optional — you can keep using read_json_auto) </span></span></span><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">nginx_logs</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;/var/log/nginx/2026/**/*.json&#39;</span><span class="p">);</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 2. Data overview </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">min</span><span class="p">(</span><span class="k">timestamp</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">first_seen</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">max</span><span class="p">(</span><span class="k">timestamp</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">last_seen</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">total_requests</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span><span class="w"> </span><span class="n">client_ip</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">unique_ips</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">nginx_logs</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 3. Error breakdown by hour </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">strftime</span><span class="p">(</span><span class="k">timestamp</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;%Y-%m-%d %H:00:00&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">hour_bucket</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cnt</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">round</span><span class="p">(</span><span class="mi">100</span><span class="p">.</span><span class="mi">0</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="k">sum</span><span class="p">(</span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">))</span><span class="w"> </span><span class="n">OVER</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">PARTITION</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">strftime</span><span class="p">(</span><span class="k">timestamp</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;%Y-%m-%d %H:00:00&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">),</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">pct</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">nginx_logs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">hour_bucket</span><span class="p">,</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">hour_bucket</span><span class="p">,</span><span class="w"> </span><span class="n">status_code</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 4. Top 10 slow requests </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">request_uri</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">method</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">response_time_ms</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">nginx_logs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="n">response_time_ms</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">response_time_ms</span><span class="w"> </span><span class="k">DESC</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LIMIT</span><span class="w"> </span><span class="mi">10</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 5. Aggregate by URL path prefix </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">regexp_extract</span><span class="p">(</span><span class="n">request_uri</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;^/([^/]+)&#39;</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">path_prefix</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">cnt</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">round</span><span class="p">(</span><span class="k">avg</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">),</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">avg_rt</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">max</span><span class="p">(</span><span class="n">response_time_ms</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">max_rt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">nginx_logs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">path_prefix</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">cnt</span><span class="w"> </span><span class="k">DESC</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 6. Export results to Parquet </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">nginx_logs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">status_code</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="s1">&#39;2026-05-01&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="s1">&#39;/tmp/errors_202605.parquet&#39;</span><span class="w"> </span><span class="p">(</span><span class="n">FORMAT</span><span class="w"> </span><span class="n">PARQUET</span><span class="p">);</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- 7. One-liner for cron jobs </span></span></span><span class="line"><span class="cl"><span class="c1">-- duckdb -c &#34; </span></span></span><span class="line"><span class="cl"><span class="c1">-- COPY ( </span></span></span><span class="line"><span class="cl"><span class="c1">-- SELECT status_code, count(*) AS cnt </span></span></span><span class="line"><span class="cl"><span class="c1">-- FROM read_json_auto(&#39;/var/log/nginx/*.json&#39;) </span></span></span><span class="line"><span class="cl"><span class="c1">-- GROUP BY status_code </span></span></span><span class="line"><span class="cl"><span class="c1">-- ) TO &#39;/tmp/report.csv&#39; (HEADER TRUE); </span></span></span><span class="line"><span class="cl"><span class="c1">-- &#34; </span></span></span></code></pre></div><h3 id="running-from-the-command-line">Running from the Command Line </h3><p>DuckDB&rsquo;s <code>-c</code> flag makes it perfect for cron:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Hourly 5xx error report</span> </span></span><span class="line"><span class="cl">duckdb -c <span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> SELECT strftime(timestamp, &#39;%Y-%m-%d %H:00:00&#39;) AS hour, </span></span></span><span class="line"><span class="cl"><span class="s2"> count(*) AS error_count </span></span></span><span class="line"><span class="cl"><span class="s2"> FROM read_json_auto(&#39;/var/log/nginx/*.json&#39;) </span></span></span><span class="line"><span class="cl"><span class="s2"> WHERE status_code &gt;= 500 </span></span></span><span class="line"><span class="cl"><span class="s2"> AND timestamp &gt;= now() - interval &#39;1 hour&#39; </span></span></span><span class="line"><span class="cl"><span class="s2"> GROUP BY hour; </span></span></span><span class="line"><span class="cl"><span class="s2">&#34;</span> &gt; /tmp/5xx_report.txt </span></span></code></pre></div><h3 id="remote-files-s3--http">Remote Files (S3 / HTTP) </h3><p>DuckDB can even read JSON directly from remote endpoints without downloading:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="n">status_code</span><span class="p">,</span><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;s3://my-logs-bucket/2026/05/*.json&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">status_code</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">-- Or straight from HTTP </span></span></span><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">read_json_auto</span><span class="p">(</span><span class="s1">&#39;https://logs.example.com/daily/2026-05-07.json.gz&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">LIMIT</span><span class="w"> </span><span class="mi">5</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>DuckDB streams the data internally — no need to download the whole file first.</p> <hr> <h2 id="5-when-should-you-still-use-jq">5. When Should You Still Use jq? </h2><p>DuckDB isn&rsquo;t a silver bullet. Here&rsquo;s when jq remains the better choice:</p> <ol> <li><strong>Quick glance at small files</strong> (&lt;10 MB): jq starts in milliseconds — no SQL syntax overhead</li> <li><strong>Interactive pipe debugging</strong>: <code>cat file | jq '.key' | grep -o 'pattern'</code> is intuitive and fast at the terminal</li> <li><strong>JSON formatting / pretty-print</strong>: <code>jq '.'</code> is instant and universal</li> <li><strong>No DuckDB on the remote box</strong>: jq ships with practically every Linux distribution</li> </ol> <p><strong>My recommendation</strong>: Use grep + jq for rapid ad-hoc exploration, DuckDB for batch analysis and scheduled reporting. They complement each other — one is a scalpel, the other a power saw.</p> <hr> <h2 id="6-monetization-ideas">6. Monetization Ideas </h2><p>If you&rsquo;ve optimized your team&rsquo;s log analysis pipeline with DuckDB — saving server costs and engineering hours — here are ways to turn that expertise into income:</p> <ol> <li><strong>Write premium tutorials</strong>: Publish deep-dive guides on Medium, Dev.to, or DZone. &ldquo;Performance optimization with open-source tools&rdquo; consistently ranks well</li> <li><strong>Create a video course</strong>: &ldquo;DuckDB from Zero to Production&rdquo; — full-stack JSON log analysis walks make an excellent hook on Udemy or LinkedIn Learning</li> <li><strong>Build a CLI tool</strong>: Package a <code>ducklog</code> utility wrapping DuckDB as a log-query CLI. Open-source it, then monetize through enterprise support or a SaaS tier</li> <li><strong>Corporate training</strong>: Many teams over-engineer with ELK/Loki for small-scale logs. Offer DuckDB migration consulting — charge per project</li> <li><strong>Sell automation scripts</strong>: Package the SQL workflows from this article into Python/Shell scripts with a Grafana dashboard, sell on Fiverr or Gumroad</li> </ol> <hr> <p><em>This article was written for DuckDB 1.2.x. DuckDB is evolving fast — follow the official <a class="link" href="https://github.com/duckdb/duckdb/releases" target="_blank" rel="noopener" >Release Notes</a> for the latest features.</em></p>