Skip to content

Searching for Logs#

The primary use case for log-store is enabling the ability to quickly find relevant logs. log-store uses an intuitive search query language for finding logs.

Basic Search Syntax#

The basic syntax for a search is as follows:

[0-9][mhd] [limit] [field (=|~|!=|!~|<|≤|>|≥) value] | command

The search query specifies a time range, optional limit, optional fields to search, and commands to further manipulate, and finally display the results.

Time Range#

There are 3 different ways to specify the time range: relative, absolute start, and absolute start and end. 1. Relative time is specified by a negative sign - followed by a number followed by a time unit: m (minutes), h (hours), d (days). For example -1d would search for any logs from now until one day ago. 2. An absolute start time is either a time hh:mm[:ss] with optional seconds, or a date and time: mm/dd/yyyy or yyyy-mm-dd hh:mm[:ss]. Searches will return results after the specified start time of the current day, or the date and time. 3. An absolute start and end is the same as the absolute start listed above, but with the word to between the start and end. Example: 3:00 to 12/31/1999 12:00 would return any logs between 3 o’clock on the current day and noon on the last day of 1999.

Limit#

Log-store will only return a certain number of results, regardless of how many match your query. This is mostly to protect your browser from being overloaded by results. The default limit is 50 results. However, you can specify any number of results to return. If you specify more than 1000 results, your browser will probably lock up trying to display all the results.

Search Conditions#

Most of the searching for logs will leverage specifying fields and values to narrow down the results. Values for field are specified by using one of the comparison symbols:

  • = equals
  • != not equals
  • ~ regular expression
  • !~ regular expression not-matching
  • < less than
  • <= less than or equal
  • > greater than
  • >= greater than or equal

All search conditions are logically ANDed together. Values for conditions can be specified in an array, and are ORed together. For example, the following search query will look for logs where the method field is POST, and the resp_code field is a 200 or 204: 1h method = POST resp_code = [200, 204]

Commands#

Commands are used to modify the results of a search, and finally how the results are displayed. Commands always come after the search query. The end of the search query is denoted with a pipe (|) symbol. This is much like a Unix/Linux shell. You can think of log entries as being passed through a pipe from one command to the next. A full list of commands can be found in the Search Query Commands section.