Logentries provides intuitive log search that can be as simple as Google and as powerful as you need.
Use search to retrieve events using keywords, phrases, regular expressions, and field-level comparisons.
- Search for events that contain the words Turing and Gödel
- Search for events that contain the phrase Kurt Gödel
- (GET OR POST) -(200 OR 301): search for events that contain GET or POST commands without 200 or 301 status codes
- Search for a log file name, case-insensitive and ungreedy
- Search for events from a database where the database size is greater than 1MB
Log Search Functions
Log search also supports returning a count of matched search results. Append the count modifier to your search query, or press the count button (as seen below), to get the number of search results.
You may use the sum modifier to total the values of your name value pairs. Using the previous screenshot as an example, to get the sum of your sales with a total value of more than 80 search for
total>80 | SUM
The average modifier works the same as sum but it computes the mean of the values matching the search criteria. For instance, to get the average value of your sales, you might invoke a search like
total>0 | AVERAGE
The unique keyword returns the number of unique values for a given key. It takes one parameter: the name of the key. For example, to get the number of unique IP addresses, you might execute a query like
/. | unique(fwd)
You can perform search functions based on an approximation of the most commonly occurring entries over a certain time period. For example, to get the average response times grouped by source IP address, you might execute a query like
fwd!=null | groupby(fwd) | average(service)
or, to get a ranking of the most frequent IP addresses,
/. | groupby(fwd) | count
Logentries allows searches to also be saved. You will now see a star and a dropdown symbol to the right of the search box when searching logs.
In order to save your current log search all you have to do is click on the star. Now if you or any other user in the same account clicks on the dropdown symbol then all the previously saved searches will be displayed.
It's also possible to edit a saved log search in order to give it a name or change the query. Just click on the 'edit query' link and you'll be shown the modal below.
Use keywords to find simple word occurrences in your logs. A keyword is a simple word contained anywhere in the event. A keyword is separated from other keywords by white space or special characters.
For example, the event
Georg Cantor set_theory
contains keywords Georg, Cantor, and set_theory.
If you specify multiple keywords, you are searching for events that contain all of the specified keywords. For example, the search term
Georg Cantor
will match both "Georg Cantor set theory" and "Georg Ferdinand Ludwig Philipp Cantor".
Logentries extends the basic query language with the standard boolean operators AND, OR, and NOT. The order of operations is: first any operations in parentheses, then NOT, then AND, and lastly OR. The operator AND is implicit, i.e. it is assumed if not specified.
- Turing AND Gödel: events that contain both Turing and Gödel
- Turing Gödel: events that contain both Turing and Gödel; AND is implicit here
- Turing OR Gödel: events that contain Turing or Gödel
- Turing NOT Gödel: events that contain Turing, but not Gödel
- Turing -Gödel: events that contain Turing, but not Gödel; - is a shortcut for NOT
- Turing AND (Gödel OR Cantor): events that contain Turing and one of Gödel or Cantor
Note that logical operators must be capitalized. If you want to search for keywords with the same name as logical operators, quote them in single or double quotes, such as "AND" or 'NOT'.
Logentries supports regular expressions, enabling you to match events using a complex regular language. Regular expressions must be enclosed in slashes / and can include optional flags such as "i".
- Events that contain Null
- Events that contain error, case insensitive
- /Exception ".*" at/: events that contain an exception trace with a name
- Events that contain 200 or 201
You can use comparison operators to match a value or a range of values. A comparison expression takes the form name?value, where name defines the field, ? is an operator, and value represents the value of the comparison.
Comparison expressions will only return results with properly formatted fields and values. Please see the sections Fields and Escape Characters to learn how fields and values are defined and how they must be formatted to be properly recognized by Logentries.
- Status code is 200 OK
- Database size is greater than 1MB
- Operation took longer than 6.7
- Response was not successful
- Field's value matches the value given
- Field's value matches the regular expression
- Field's value is not the value given
- Field's value does not match the regular expression
- Field's value is less than the number given
- Field's value is less than or equal to the number given
- Field's value is greater than the number given
- Field's value is greater than or equal to the number given
Numeric values must be formatted as an integer, a floating-point value, or in scientific notation to be properly recognized by Logentries. Units in a field's value (such as bytes in "842bytes") are ignored for the purpose of comparison, with the exception of the equal operator, which is string-only.
Note that if the field is not present (defined) in the log entry then no operator will match.
Keywords are words consisting of letters, digits, dots, and underscores. Keywords are stored in indexes, which allow the search engine to retrieve results faster.
For example, the following event:
2013-06-22T11:21:14+00:00 Template rendering complete, render_time=0.2ms
contains information about template rendering which completed in 0.2 milliseconds. This event contains five keywords: Template, rendering, complete, render_time, and 0.2ms.
Fields are key-value pairs of log entry data. Every field has a name which uniquely identifies type/purpose of the value.
Logentries extracts key-value pairs from incoming data automatically. Events need to be of the classical form:
field1=value1 field2=value2 field3=value3
Alternatively, you can also separate field-value pairs with commas:
field1=value1, field2=value2, field3=value3
Additionally, Logentries recognizes other formats such as JSON, Ruby, and Perl dictionaries, and will automatically detect fields and values formatted in those ways. For example, the following event:
2013-06-28T10:29:28+00:00 source=postgresql tables=81 db_size=6774660014bytes index-cache-hit-rate=0.99996 avg_response=6.25e-3
represents a single event from the database, defining source as postgresql, the number of tables "tables" as an integer 81, database size "db_size" as an integer with units "6774660014bytes", cache rate "index-cache-hit-rate" as a float 0.99996, and average response time avg_response as a float in scientific notation 6.25e-3. Logentries will automatically detect these fields and values.
Field names and values may contain characters such as letters, digits, dots, or underscores. Field names and values containing spaces or words that conflict with search operators must be treated specially.
For example, terms like db_size and measure.cpu_time are valid field names and values.
To include non-standard characters in a field's name or value, such as spaces, quotes, operators, commas, brackets, or words similar to operators, you need to escape them with a backslash \ or enclose the whole term in single or double quotes.
Examples of how to format field names and values with non-standard characters:
- Values which may contain spaces: name="Noam Chomsky" or name=Noam\ Chomsky
- Fields that contain spaces: 'full name'='Noam Chomsky'
- Logical operators: find 'OR'
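The field and comparison rules above, applied in an added Python example that is not Logentries code: it extracts key=value pairs separated by whitespace or commas, honours quoting and backslash escaping, ignores trailing units for the numeric operators, treats equality as string-only, and never matches an absent field. The regex-matching operators are left out because their spelling is not shown on this page, and the sample event is constructed in the page's own format.

```python
import re

# A field name or value is a quoted term, or a run of characters that are not
# whitespace/comma, with backslash escapes allowed (as in name=Noam\ Chomsky).
QUOTED = r'"[^"]*"|\'[^\']*\''
FIELD_RE = re.compile(r'(%s|(?:\\.|[^\s,=])+)=(%s|(?:\\.|[^\s,])+)' % (QUOTED, QUOTED))
# Leading integer, float or scientific-notation number; any trailing units are ignored.
NUM_RE = re.compile(r'[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?')

def unquote(raw):
    """Strip surrounding quotes, or resolve backslash escapes in a bare term."""
    if len(raw) >= 2 and raw[0] in '"\'' and raw[-1] == raw[0]:
        return raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)

def extract_fields(event):
    """Return the key=value pairs of one event as a dict of strings."""
    return {unquote(k): unquote(v) for k, v in FIELD_RE.findall(event)}

def numeric(value):
    """Number at the start of a value ("842bytes" -> 842.0), or None if absent."""
    m = NUM_RE.match(value)
    return float(m.group(0)) if m else None

def compare(fields, name, op, target):
    """Evaluate one comparison expression name<op>target against extracted fields."""
    if name not in fields:           # absent field: no operator matches
        return False
    value = fields[name]
    if op == '=':                    # equality is a string comparison only
        return value == target
    if op == '!=':
        return value != target
    if op not in ('<', '<=', '>', '>='):
        raise ValueError('unsupported operator: %s' % op)
    lhs, rhs = numeric(value), numeric(target)
    if lhs is None or rhs is None:   # numeric operators need numbers on both sides
        return False
    return {'<': lhs < rhs, '<=': lhs <= rhs, '>': lhs > rhs, '>=': lhs >= rhs}[op]

# Constructed sample event in the page's format.
SAMPLE = ('2013-06-28T10:29:28+00:00 source=postgresql tables=81 '
          'db_size=6774660014bytes index-cache-hit-rate=0.99996 avg_response=6.25e-3')

if __name__ == '__main__':
    f = extract_fields(SAMPLE)
    print(f)
    print(compare(f, 'db_size', '>', '1MB'))         # units ignored: 6774660014 > 1
    print(compare(f, 'db_size', '=', '6774660014'))  # string-only equality: False
```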
Regular Expression Operators
Regular expressions use special characters to enable searching for more advanced patterns. If you need to use special characters as ordinary characters, you have to escape them with a backslash \.
Match something a number of times:
- * : star matches zero or more of the previous character.
- + : plus matches at least one repetition of the previous character.
- {n} : matches exactly n repetitions of the previous character.
- {n,m} : matches between n and m repetitions of the previous character.
- {0,m} : matches up to m repetitions of the previous character.
- {n,} : matches at least n repetitions of the previous character.
Match a character set:
- . : dot matches any single character.
- \d : matches a digit character, that is 0-9.
- \s : matches any whitespace character.
- \D : matches any character that is not a digit.
- \S : matches any character except whitespace.
- [...] : matches any of the characters specified.
- [^...] : matches any character except those specified.
Flags change the default behavior of regular expression matching. Flags should be specified at the end of the regular expression, after the closing slash /. This syntax is similar to Perl and other languages.
- Case-insensitive search: by default, search with regular expressions is case sensitive. To disable case sensitivity, enclose the regular expression in forward slashes and specify the i option at the end.
- Multiline: if you want to match the start and end special characters ^ and $ on any line in the event, use the multiline flag. By default these special characters match the start and end of the event only.
- New lines: if you want to match across new lines in the event, use the New lines flag. It causes the special character . to match new lines (\n), which it does not match by default.
- Ungreedy: by default all quantifiers are greedy, i.e. they try to match as many characters as possible. If you prefer ungreedy behavior instead, use the Ungreedy flag.