Search operators

FuseQL search operators enable both regular and advanced log search (after you choose the Advanced Search option). The language specifies the following syntactical rules:

  • The search operator must appear before the first pipe (|) symbol in the query expression.

  • All other operators must follow a valid search expression.

    and

    Intersection operator (AND logic) between two search operators. Selects results that satisfy both conditions.

    or

    Union operator (OR logic) between two search operators. Selects results that satisfy either or both conditions.

    equal

    Searches for specified value; exact match.

    not equal

    Searches for values other than the specified value; exact match.

    greater than, >

    Searches for values that are greater than the specified number.

    greater than or equal

    Searches for values that are greater than or equal to the specified number.

    less than, <

    Searches for values that are less than the specified number.

    less than or equal, <=

    Searches for values that are less than or equal to the specified number.

    regex

    Searches for results that match a specific character pattern.

    not regex, !~

    Searches for results that do not match a specific character pattern.

    terms exist, term

    Matches complete tokens in the log message body. Terms are based on the tokenized words in the message body. All terms must appear in the log line, in any order. Fast and inexpensive.

    not terms exist, !term

    Excludes log lines that match complete tokens. Terms are determined by tokenization. All terms must appear in the log line, in any order, for the line to be excluded.

    grep, "grep"

    Searches for a literal, case-sensitive substring in the log message body. Unlike term, this matches character sequences rather than whole tokens, so it can match partial words and phrases.

    not grep, !"grep"

    Excludes log lines containing a literal, case-sensitive substring in the log message body.

    facet terms exist

    Searches to match a specific facet and its value.

    facet terms not exist

    Searches to exclude a specific facet and its value.

    starts with, *~

    Searches for labels or facets where the value begins with the specified string.

    ends with, ~*

    Searches for labels or facets where the value ends with the specified string.

    contains, **

    Searches for labels or facets where the value contains the specified string.

    key exists

    Searches for the presence of a specific facet, regardless of its value.

and, and

Intersection operator (AND logic) between two search operators. Selects results that satisfy both conditions.

Syntax

There is a difference in syntax for the operator between regular search and advanced search.

facetName1="value1" facetName2="value2"
none
Example

.and operator for facet

level="info" header="map"
none
fuseql and advanced

or, or

Union operator (OR logic) between two search operators. Selects results that satisfy either or both conditions.

Syntax

There is a difference in syntax for the operator between regular search and advanced search.

@facet=”valueA OR valueB”
none
Example
or operator for facet
level="info OR warning"
none
fuseql or regular

equal, =

Searches for specified value; exact match.

Syntax
label="value"
@facetName="value”
none
Example
equal operators with facet and label
@http_request_method="POST" and source="nginx"
none
equal example with facet and label

not equal, !=

Searches for values other than the specified value; exact match.

Syntax
label!="value"
@facetName!="value”
none
Example
not equal operators with facet and label
@facetName!="pinot-server" and level!="info"
none
not equal operator with facet and label

greater than, >

Searches for values that are greater than the specified number.

Syntax
@facetName>number
none
Example
greater than operator with facet
@status_1>300 and source="logs-query-service"
none
fuseql greater

greater than or equal, >=

Searches for values that are greater than or equal to the specified number.

Syntax
@facetName>=number
none
Example
greater than or equal operator with facet
@status_1>=200 and source="logs-query-service"
none
fuseql greater equal

less than, <

Searches for values that are less than the specified number.

Syntax
@facetName<number
none
Example
less than operator with facet
@status_1<500 and source="logs-query-service"
none
fuseql less

less than or equal, <=

Searches for values that are less than or equal to the specified number.

Syntax
@facetName<=number
none
Example
less than or equal operator with facet
@status_1<=700 and source="logs-query-service"
none
fuseql less equal

regex, =~

Searches for results that match a specific character pattern.

Syntax
label=~”value”
@facetName=~"value”
none
Example
regex operator with label and facet
availability_zone=~"us" and @partition=~"metadata"
none
fuseql regex

not regex, !~

Searches for results that do not match a specific character pattern.

Syntax
label!~”value”
@facetName!~"value”
none
Example
not regex operator with facet
availability_zone=~"west" and @partition=!~"metadata"
none
fuseql not regex

terms exist, term

Matches complete tokens in the log message body. Terms are based on the tokenized words in the message body. All terms must appear in the log line, in any order. Fast and inexpensive.

Syntax
term
term1 term2 term3
none
Example
term exist
container
none

fuseql terms exist

not terms exist, !term

Excludes log lines that match complete tokens. Terms are determined by tokenization. All terms must appear in the log line, in any order, for the line to be excluded.

Syntax
!term
!term1 term2 term3
none
Example
no term exist
!container
none
fuseql not terms exist

grep, "grep"

Searches for a literal, case-sensitive substring in the log message body. Unlike term, this matches character sequences rather than whole tokens, so it can match partial words and phrases.

Syntax
"expression"
none
Example
grep expression
"forward NR traces payload"
none
fuseql grep

not grep, !"grep"

Excludes log lines containing a literal, case-sensitive substring in the log message body.

Syntax
!"expression"
none
Example
not grep expression
!"forward NR traces payload"
none
fuseql not grep

facet terms exist, ==

Searches to match a specific facet and its value.

Syntax
@facet==”value”
none
Example
facet terms exist
@traceFlags=="1"
none
fuseql facet terms exist

facet terms not exist, !==

Searches to exclude a specific facet and its value.

Syntax
@facet!==”value”
none
Example
facet terms not exist
@traceFlags!=="1"
none
fuseql facet terms not exist

starts with, *~

Searches for labels or facets where the value begins with the specified string.

Syntax
label*~”value”
@facet*~”value”
none
Example
starts with operator for facet and label
kube_container_name*~"recommendation" and @trace_sampled*~"T"
none
fuseql starts with

ends with, ~*

Searches for labels or facets where the value ends with the specified string.

Syntax
label~*”value”
@facet~*”value”
none
Example
ends with operator for facet and label
@resource_service_name~*"service" and agent~*"dog"
none
fuseql ends with

contains, **

Searches for labels or facets where the value contains the specified string.

Syntax
label**”value”
@facet**”value”
none
Example

.contains operator for facet and label

@ids**"9SIQT8TOJO" and kube_deployment**"otel"
none

+ image::fuseql-contains.svg[]

key exists

Searches for the presence of a specific facet, regardless of its value.

Syntax

There is a difference in syntax for the operator between regular search and advanced search.

key exists = “facet”
none
Example
key exists operator for facet
key exists="user_agent_original"
none
fuseql key exists regular