Comment on page
Query Syntax
Here is how you search through your log events
In Scanner, a log event is a collection of key-value pairs called fields. In a field, the key is always a string, and the value may be either a string or a number.
For example, if you use Scanner's Elasticsearch Bulk Upload API to ingest logs, a log event document that you upload might look like this:
{
"message": "INFO - Successfully added item. item_id=817343 shopping_cart_id=1842101",
"elapsed_secs": 0.132,
"status_code": 200,
"kubernetes": {
"container_name": "shopping_cart_api",
"pod_name": "app-3"
},
"@scnr": {
"context_fields": "container_name,pod_name"
}
}
And the resulting Scanner log event would look like this:
message: "INFO - Successfully added item. item_id=817343 shopping_cart_id=1842101"
elapsed_ms: 79
status_code: 200
kubernetes.container_name: "shopping_cart_api"
kubernetes.pod_name: "app-3"
@scnr.context_fields: "container_name,pod_name"
Type in free-form text to search for hits. By default, search is case insensitive for ASCII characters, so these match the same lines.
info successfully added
INFO Successfully added
By default, tokens are matched separately, so these match the same lines.
info successfully added
info added successfully
added and info and successfully
Use single-quotes if you need to match a single string containing spaces (or if you need to match the
: character, the words and, or, not, etc).'info - item not added'
'info - successfully added item and committed transaction'
Use double-quotes for exact, case-sensitive substring matching.
"item_id=817343"
"INFO - Successfully added item"
Use
* for wildcard searches. You can use \* to match the actual asterisk character instead.app-*
*@protonmail.com
'andrew j*son'
"This sentence contains an actual asterisk: \*"
Use
column: value to search for value in column column.message: info added
message: 'info - successfully added item'
message: "INFO - Successfully added item"
kubernetes.pod_name: app-*
email: *@protonmail.com
current_president: 'andrew j*son'
A query match will always start and stop on a whole token, and will never start or stop in the middle of one:
alwill match "Al Sharpton", but not "Walt Whitman", "Alan Turing", or "Hannibal Lecter".al*will match "Al Sharpton" and "Alan Turing", but not "Walt Whitman" or "Hannibal Lecter".al*nwill match "Alan Turing" and "Albert Einstein", but not "Walt Whitman".
You can use escape sequences for certain characters. These work in all strings.
Escape sequence | Character |
|---|---|
\" | double quote " |
\' | single quote ' |
\* | asterisk * |
\\ | backslash \ |
\/ | forward slash / |
\b | backspace U+0008 |
\f | form feed U+000C |
\n | line feed U+000A |
\r | carriage return U+000D |
\uXXXX | unicode character U+XXXX |
If your log events have number fields, you can look for exact matches or inequalities.
elapsed_ms: 79
elapsed_ms <= 100
elapsed_ms > 100
Scanner supports boolean queries using
and, or, and not. These are case-insensitive.kubernetes.container_name: "shopping_cart_api" and elapsed_ms > 50
elapsed_ms > 10 AND NOT status_code >= 400
message: "shopping_cart_id=1842101" or message: "item_id=817343"
You can use parentheses to specify order of operations.
(message: "item_id=817343" or message: "item_id=25134") and elapsed_ms > 50
If parentheses aren't used, then
not has highest precedence, then and, then or, so these two queries are identical.elapsed_ms > 10 and not status_code >= 400 or message: "item_id=817343"
(elapsed_ms > 10 and (not status_code >= 400)) or message: "item_id=817343"