Search

LOG Engine Search is designed for human-entered text and is based on Lucene Query Syntax. Search queries can be saved and reused with a click, so understanding how to search your event stream can save you a lot of time later.

Simple Text

By default, if you type some text in the search box, it will search for all events that contain your text in the message field.

So message is the default field.

Use double quotes if your search query contains more than one word:

text or "my text"

Fields

You can search inside of any field in your events structure by typing the field name followed by a colon ":" and then the term you are looking for.

As an example, if you want to find all events from a particular hostname, you can enter:

hostname:server-test

Nested fields

Your event structure usually has a lot of information nested inside. Using dot notation, you can reach any field inside your events and filter by its content:

context.user_id:12

Wildcard

LOG Engine supports single and multiple character wildcard searches within single terms (not within phrase queries).

To perform a single character wildcard search use the "?" symbol.

hostname:server-te?t

To perform a multiple character wildcard search use the "*" symbol.

hostname:server-*

You can also use the wildcard searches in the middle of a term.

hostname:server-*test

Operators

Boolean operators allow terms to be combined through logic operators. LOG Engine supports AND, OR, NOT operators (Note: operators must be ALL CAPS).

OR

The OR operator is the default conjunction operator. This means that if there is no Boolean operator between two terms, the OR operator is used.

To search for documents that contain either "log engine" or just "engine" use the query:

"log engine" engine

or:

"log engine" OR engine

AND

The AND operator matches events where both terms exist in the event fields.

hostname:server-* AND context.user_id:12

NOT

The NOT operator excludes documents that contain the term after NOT.

hostname:server-* NOT context.user_id:12

Escaping Special Characters

Treat as special characters all the characters that could interfere with the syntax:

  • :
  • *
  • ?
  • (
  • )

To escape these characters, put a \ before the character. For example, to search for MyClass::check use the query:

MyClass\:\:check
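
An added example (not part of the LOG Engine documentation): a Python helper that builds a field:value query from an untrusted value, so that the special characters listed above are matched literally instead of being read as syntax. The function names are hypothetical; escaping the backslash and the double quote, and escaping inside a quoted phrase, are assumptions based on Lucene syntax.

```python
import re

# The five characters the page lists as special, plus the backslash and the
# double quote (assumption: both also need escaping, as in Lucene syntax).
SPECIAL = set(':*?()') | {'\\', '"'}

# The page states that operators are only recognised in ALL CAPS.
OPERATORS = {"AND", "OR", "NOT"}


def escape_term(value: str) -> str:
    """Put a backslash before every special character in a search value."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def field_query(field: str, value: str) -> str:
    """Return a field:value clause in which value is matched literally."""
    # Field names are plain or dot-notation identifiers (context.user_id).
    if not re.fullmatch(r"[A-Za-z_]\w*(\.\w+)*", field):
        raise ValueError(f"unexpected field name: {field!r}")
    if not value:
        raise ValueError("empty search value")
    escaped = escape_term(value)
    # More than one word, or a bare operator word, must be double-quoted;
    # otherwise the default OR would split it into separate terms.
    if re.search(r"\s", value) or value in OPERATORS:
        return f'{field}:"{escaped}"'
    return f"{field}:{escaped}"


if __name__ == "__main__":
    # Constructed sample values, including one that tries to widen the search.
    samples = [
        ("message", "MyClass::check"),
        ("hostname", "server-*"),
        ("hostname", "x OR hostname:*"),
        ("message", "NOT"),
    ]
    for field, value in samples:
        print(f"{value!r:22} -> {field_query(field, value)}")
```
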