Log search syntax

Learn about log search operators, facet data types, and set combinations.

Search operators

Equals

=

Matches exact values for facets.

Not Equals To

!=

Excludes entries where the facet has a specific value.

Greater than

>

Checks if the first facet’s value is greater than the second facet’s value; for numerical facets.

Less than

<

Checks if the first facet’s value is less than the second facet’s value; for numerical facets.

Greater than or equal to

>=

Checks if a numerical facet’s value is greater than or equal to a specified value.

Less than or equal to

<=

Checks if a numerical facet’s value is less than or equal to a specified value.

NOT

!

Negates a search term.

FacetTermsExist

==

Searches for terms within a facet.

FacetTermsDoNotExist

!==

Negates FacetTermsExist.

Contains

**

Finds logs where a facet value contains the specified text.

Regex

=~

Regular expression equals

Not Regex

!~

Regular expression not equals

StartsWith

*~

Search for a log line that starts with …​

EndsWith

~*

Search for a log line that ends with …​

Search data types

  • String

  • Number

  • Duration

  • Size

  • IP

  • UUID

Sets

  • Unions combine facets using OR logic.

  • Intersections combine facets using AND logic.

Special characters

Our engines search logs that contain a wide range of characters. To ensure accurate results when using special characters like double quotes (") and backslashes (\), you must use proper escaping. Follow these guidelines and properly handle special characters to construct effective search queries that precisely target the logs within your system.

Double quotes

Double quotes, ", perform exact phrase matching within your search queries. To search for a literal double quote character in your logs, you must escape it using a backslash (\) before the quote.

Escape double quotes

Find logs that contain the error message User="Moriarty" logged in at 10am.

You must escape the double quotes around the name of the user, which are part of the error message itself, and must be included in the search. Use the following pattern:

"User=\"Moriarty\" logged in at 10am"

Backslash

The backslash (\) has a special meaning in search queries because we use it for escaping other characters. To search for a literal backslash character, you must escape it with another backslash (\).

Escape backslash

Find logs that contain a path, such as C:\Users\Moriarty\AppData. Here, the backslashes are part of the path, so you must escape them to perform an exact match. Use the following pattern:

"C:\\Users\\Moriarty\\AppData"

Other special characters

There is no requirement for special handling of other characters, so you can include them directly in the search query, inside the double quotes. This includes characters like commas (,), periods (.), exclamation points (!), and so on.
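The following Python helper is an added example, not part of the product or its documentation. It applies the double-quote and backslash rules above to build an exact-phrase term from an arbitrary log string, and checks a hand-written term for unescaped quotes or stray backslashes. The function names are hypothetical, and the treatment of a backslash followed by any character other than " or \ as an error is an assumption.

```python
# Added example: helper names are hypothetical, not part of the product.

def quote_phrase(literal: str) -> str:
    """Return `literal` as a double-quoted exact-phrase search term."""
    # Escape backslashes first; doing quotes first would double the
    # backslashes that were just inserted in front of each quote.
    escaped = literal.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def unquote_phrase(term: str) -> str:
    """Recover the literal from a quoted term, rejecting malformed input."""
    if len(term) < 2 or term[0] != '"' or term[-1] != '"':
        raise ValueError("term must be wrapped in double quotes")
    body, out, i = term[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            raise ValueError(f"unescaped double quote at offset {i}")
        if ch == "\\":
            # Assumption: only \" and \\ are escape sequences.
            if i + 1 >= len(body) or body[i + 1] not in '"\\':
                raise ValueError(f"stray backslash at offset {i}")
            out.append(body[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed sample values; the first two are the examples from this page.
SAMPLES = [
    'User="Moriarty" logged in at 10am',
    r"C:\Users\Moriarty\AppData",
    r'cmd="C:\Temp\run.bat" exit=1, done!',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(quote_phrase(s))
```

A term that fails `unquote_phrase` would not match the intended literal, because an unescaped quote ends the phrase early and a trailing backslash escapes the closing quote.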