The Advanced Query Builder is being introduced as an enhancement to improve filtering capabilities within the Logs Page. The existing traditional query builder lacks support for logical operators like AND and OR, limiting users to basic attribute-value filtering.
Users can switch to Advanced Query Mode for more complex filtering.
Supports multiple operators to refine log searches effectively.
Affects the Logs Explorer Page, Log Alerts, Metric Definitions, Live Tail, and Log Tiles in Dashboards.
Label search helps users filter logs by specific label values using different operators. Users define a label, choose an operator, and assign a value to create queries that refine log searches.
The following are details of various operators and query functions.
Basic Syntax
The standard format for label search queries follows:
Supported Operators
Equals (=)
Example: source = "agent"
Matches logs where the source is exactly "agent".
Not Equals (!=)
Example: source != "agent"
Matches logs where the source is not "agent".
Regex Match (=~)
Example: source =~ "agent"
Matches logs where the source matches the regex pattern "agent".
Not Regex Match (!~)
Example: source !~ "agent"
Matches logs where the source does not match the regex pattern "agent".
Combining Multiple Filters
Logical operators allow users to create more refined queries:
AND (| or AND)
Example: source = "agent" | level != "debug"
or
Example: source = "agent" AND level = "error"
Matches logs where both conditions are true.
OR (OR)
Example: source = "agent" OR source = "kubernetes"
Returns logs where the source is either "agent" or "kubernetes".
Grouping with Parentheses
Example: source = "agent" AND (level = "error" OR level = "warn")
Returns logs where the source is "agent" and the level is either "error" or "warn".
Using the IN and NOT IN Operators
These operators allow checking against multiple values, supporting both plain strings and regex patterns:
Match Exact Values
Example: source IN ("aws", "azure", "agent")
Matches logs where the source is "aws", "azure", or "agent".
Exclude Specific Values
Example: source NOT IN ("aws", "azure", "agent")
Excludes logs where the source is "aws", "azure", or "agent".
Regex Patterns
Example: source IN ("a.*")
Matches any source starting with "a" (e.g., "aws", "agent").
Exclude Using Regex
Example: source NOT IN ("a.*", "syslog")
Excludes logs where the source starts with "a" or is exactly "syslog".
Note
- Values inside IN and NOT IN can be either plain strings or regular expressions.
- The IN operator is supported in Log Explorer, Alerts page, Metric page, and the Search Logs API.
Using groupBy in the Advanced Query Builder
The groupBy function enables users to group logs by one or more fields, primarily for count-based aggregations. It is only supported in:
Log Tile (on the dashboard)
Log Metrics
If used elsewhere, the function will be ignored.
Example Usage
groupBy(source, level)
- Groups logs by source and level, counting entries for each unique combination.
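To make the groupBy(source, level) semantics concrete, here is an added example (written for this page, not the product's own code) that parses a groupBy(...) call, groups a list of log records by the named fields, and counts entries per unique combination. The records are constructed; a field missing from a record is bucketed under the empty string, which is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# groupBy(field1, field2, ...) with one or more bare field names.
GROUP_BY_RE = re.compile(r'groupBy\(\s*([A-Za-z_][\w.]*(?:\s*,\s*[A-Za-z_][\w.]*)*)\s*\)')


def parse_group_by(expr: str) -> List[str]:
    """Return the field names named in a groupBy(...) call, in order."""
    m = GROUP_BY_RE.fullmatch(expr.strip())
    if m is None:
        raise ValueError(f"not a groupBy() call: {expr!r}")
    return [f.strip() for f in m.group(1).split(",")]


def group_count(records: List[Dict[str, str]], fields: List[str]) -> Dict[Tuple[str, ...], int]:
    """Count records per unique combination of the given fields.
    Assumption: a record lacking a field contributes "" for that field."""
    return dict(Counter(tuple(r.get(f, "") for f in fields) for r in records))


def aggregate(expr: str, records: List[Dict[str, str]]) -> Dict[Tuple[str, ...], int]:
    """Apply a groupBy(...) expression to records and return the per-group counts."""
    return group_count(records, parse_group_by(expr))


# Constructed sample records (not real log data).
SAMPLE_LOGS = [
    {"source": "agent", "level": "error", "message": "connection timeout"},
    {"source": "agent", "level": "error", "message": "connection refused"},
    {"source": "agent", "level": "info", "message": "heartbeat"},
    {"source": "kubernetes", "level": "info", "message": "pod scheduled"},
]

if __name__ == "__main__":
    for key, n in sorted(aggregate("groupBy(source, level)", SAMPLE_LOGS).items()):
        print(f"{key}: {n}")
```

Grouping by a field that no record carries collapses everything into a single empty-string bucket, which is usually a sign of a mistyped field name in the tile or metric definition.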
More Query Examples
container_name IN ("logs-*", "traces-*") AND container_name != "logs-query" AND level IN ("error", "fatal")
- Matches logs where:
- container_name matches "logs-*" or "traces-*".
- container_name is not "logs-query".
- level is "error" or "fatal".
source = "kubernetes" AND level != "debug"
- Matches logs from Kubernetes where the level is not "debug".
source IN ("agent", "syslog") AND message =~ "timeout"
- Matches logs where the source is either "agent" or "syslog", and the message contains "timeout" (regex).
env = "prod" AND (level = "error" OR level = "warn")
- Returns production logs where the level is either "error" or "warn".
container_name =~ "api-.*" AND level IN ("info", "error") AND message !~ "health"
- Matches logs where:
- container_name starts with "api-".
- level is "info" or "error".
- message does not contain "health".
service != "auth-service" OR status_code = "500"
- Matches logs where:
- The service is not "auth-service", or
- The status_code is "500".
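The following is an added example, not the product's own code, that implements the label-search syntax from the Supported Operators, Combining Multiple Filters, and IN / NOT IN sections above as a small evaluator, then runs the queries from More Query Examples over a handful of constructed log records. Its semantics are assumptions where the page leaves them open: =~ and !~ are unanchored regex searches, IN and NOT IN values are full-match regexes (so "aws" is an exact match and "a.*" is a prefix match), keywords are case-insensitive, and a field missing from a record reads as the empty string. The page does not say how a bare "*" inside an IN value is interpreted, so the example's own patterns use ".*".

```python
import re
from typing import Callable, Dict, List

Record = Dict[str, str]
Pred = Callable[[Record], bool]

# Tokens: "quoted string", operators and punctuation (=~ !~ != = | ( ) ,), bare field names/keywords.
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(=~|!~|!=|=|\(|\)|,|\|)|([A-Za-z_][\w.]*))')


def tokenize(query: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            if query[pos:].strip():
                raise ValueError(f"unexpected input at {pos}: {query[pos:pos + 10]!r}")
            break
        tokens.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent, lowest precedence first: OR, then AND / |, then a comparison or (group)."""

    def __init__(self, query: str):
        self.toks, self.i = tokenize(query), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok.upper() != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> Pred:
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing input: {self.toks[self.i:]}")
        return pred

    def or_expr(self) -> Pred:
        terms = [self.and_expr()]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            terms.append(self.and_expr())
        return lambda r: any(t(r) for t in terms)

    def and_expr(self) -> Pred:
        terms = [self.primary()]
        while self.peek() is not None and self.peek().upper() in ("AND", "|"):
            self.take()
            terms.append(self.primary())
        return lambda r: all(t(r) for t in terms)

    def primary(self) -> Pred:
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        field = self.take()
        op = self.take().upper()
        if op == "NOT":  # NOT IN (...)
            self.take("IN")
            op = "NOT IN"
        if op in ("IN", "NOT IN"):
            patterns = self.value_list()
            # Assumption: each IN value is an anchored regex, so plain strings match exactly.
            def hit(r, f=field, ps=patterns):
                return any(re.fullmatch(p, r.get(f, "")) for p in ps)
            return hit if op == "IN" else (lambda r: not hit(r))
        value = self.string()
        ops = {
            "=": lambda r: r.get(field, "") == value,
            "!=": lambda r: r.get(field, "") != value,
            "=~": lambda r: re.search(value, r.get(field, "")) is not None,  # unanchored regex
            "!~": lambda r: re.search(value, r.get(field, "")) is None,
        }
        if op not in ops:
            raise ValueError(f"unknown operator {op!r}")
        return ops[op]

    def string(self) -> str:
        tok = self.take()
        if len(tok) < 2 or tok[0] != '"' or tok[-1] != '"':
            raise ValueError(f"expected a quoted value, got {tok!r}")
        return tok[1:-1].replace('\\"', '"')

    def value_list(self) -> List[str]:
        self.take("(")
        values = [self.string()]
        while self.peek() == ",":  # a missing comma between values is a syntax error
            self.take()
            values.append(self.string())
        self.take(")")
        return values


def compile_query(query: str) -> Pred:
    return Parser(query).parse()


def filter_logs(query: str, records: List[Record]) -> List[Record]:
    pred = compile_query(query)
    return [r for r in records if pred(r)]


# Constructed sample records (not real log data).
SAMPLE_LOGS: List[Record] = [
    {"source": "agent", "level": "error", "message": "connection timeout to db", "container_name": "api-gateway"},
    {"source": "kubernetes", "level": "debug", "message": "pod scheduled", "container_name": "scheduler"},
    {"source": "syslog", "level": "warn", "message": "disk usage high", "container_name": "node-exporter"},
    {"source": "aws", "level": "info", "message": "health check ok", "container_name": "api-billing"},
    {"source": "agent", "level": "info", "message": "heartbeat", "container_name": "api-auth"},
]


def match_count(query: str, records: List[Record] = SAMPLE_LOGS) -> int:
    return len(filter_logs(query, records))


if __name__ == "__main__":
    for q in ['source = "agent" | level != "debug"',
              'source = "agent" AND (level = "error" OR level = "warn")',
              'source NOT IN ("a.*", "syslog")',
              'container_name =~ "api-.*" AND level IN ("info", "error") AND message !~ "health"']:
        print(f"{match_count(q)} hit(s): {q}")
```

Because the parser insists on commas between IN values and on balanced parentheses, a malformed query fails at compile time with a ValueError rather than silently matching nothing; that is the behaviour to aim for in an alert or dashboard definition, where a query that parses to an empty result set is easy to mistake for a healthy system.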