This guide covers how to use the Search input box located at the bottom of the page in the LogDNA web app.

Before we begin, keep in mind that searches are performed in conjunction with filters and time queries. Any specified timeframes, sources, apps, and log levels are respected in addition to the search query itself.

## Simple search

The simplest type of search is a single term string search.

### Include
To perform a simple include search, just type the word you want to see in your results.
```
healthcheck
```
This will return all log lines with the word `healthcheck` in them.

### Exclude (NOT)
To perform a simple exclude search, prepend a dash to exclude results with that word.
```
-healthcheck
```
This will return all log lines that do not contain the word `healthcheck`.

## Compound search

Multiple search terms and operators can help you quickly find a specific set of log lines. Please note that the AND and OR operators are case sensitive and must be entirely capitalized.

### AND operator
By default, multiple search terms are AND'd together.
```
healthcheck -successful
```
This will return all log lines that contain the word `healthcheck` and not the word `successful`.

### OR operator
Specifying the OR operator will return results with either term.
```
healthcheck OR ping
```
This will return all log lines that contain the word `healthcheck` or contain the word `ping`.

### Chained operators
By default, adjacent terms are AND'd together first.
```
healthcheck -successful OR ping
```
This will return all log lines with the word `healthcheck` and not the word `successful`, as well as all log lines with the word `ping` in them.

### Parentheses
To explicitly specify operator order for your search terms, use parentheses.
```
healthcheck (-successful OR ping)
```
This will return all log lines with the word `healthcheck` and without the word `successful`, as well as all log lines with the word `healthcheck` and with the word `ping`.

## Field search

For parsed log lines, you can specify a value for a given field in that log line.

### Parsing

When a log line is parsed, you can search directly for a specific field value. We currently automatically parse the following types of log lines:
* Apache/Nginx
* AWS ELB
* AWS S3
* Cron
* HAProxy
* Heroku
* JSON
* Logfmt
* MongoDB
* Nagios
* PostgreSQL
* Ruby/Rails
* Syslog
* Tomcat

#### JSON Parsing
As long as the log message ends in a `}`, your JSON object will be parsed, even if the JSON object does not span the entire message. If you do not want your JSON object to be parsed, you can simply append an additional character, such as a period (`.`), after the ending `}`.

If your JSON contains a `message` field, that field will be used for display and search in the log viewer. We also parse out (and override any existing) log levels if you include a `level` field.

### Root level field search
To search for a field with a particular value, use a colon to separate the field and value.
```
response:404
```
This will return all parsed log lines with the field `response` with a value of `404`.

### Nested field search
To search for a nested field, use periods to separate each nested field.
```
user.id:12345
```
This will return all log lines containing the following key-value structure: `{ "user": { "id": 12345 }}`.

### Filters
With the same field search syntax, you can also set filters directly in the search bar.
```
host:myawesomehost -app:mycoolapp
```
This will return all log lines that originate from the source `myawesomehost` and not from the app `mycoolapp`.

### Metadata
With the [REST API](https://docs.logdna.com/docs/api) or [Node.JS library](https://github.com/logdna/nodejs), you can upload a metadata object as part of a log line's context. To search for field values contained in the metadata object, use the `meta` prefix.
```
meta.status_code: 404
```
This will return all log lines containing the context object with the following key-value structure: `{ "status_code": 404}`.

## Field comparison operators
We support the following comparison operators for numeric parsed fields:
* =
* <
* >
* <=
* \>=

### Field comparison search

To search for parsed fields matching comparison operators, use a colon followed by the comparison operator.
```
response:>=400
```
This will return all log lines with the field `response` with values greater than or equal to 400.

### Compound field comparison search

To form a compound field search query using comparison operators, use a colon followed by parentheses.
```
response:(>=400 <500 -404)
```
This will return all log lines with the field `response` with values greater than or equal to 400, less than 500, and not 404.

### Case-sensitive field search

To search for a case-sensitive parsed field, use a colon followed by the equal sign (=).
```
name:=camelCasedName
```
This will return all log lines with the field `name` with the case-sensitive string value `camelCasedName`.

### Existence field search

To search for the existence of a parsed field, use a colon followed by the asterisk (*).
```
user:*
```
This will return all log lines with the field `user`.

### Exact match field search

By default, we perform a prefix search for all string fields. To search for an exact match for a field value, use `==`.
```
name:==bob
```
This will return all lines with the exact name field value of `bob`, and will not match `bobby`.

## Special characters

There are a few behaviors for special characters to be aware of.

### Spaces

Due to the implicit AND'ing behavior described in the [Compound Search](https://docs.logdna.com/docs/search#section-compound-search) section, searching for strings with spaces in them requires quotes.
```
"job failed"
```
This will only return log lines with the exact case-insensitive phrase `job failed`.

### Symbols

By default, if you include a symbol in your query, we will match your query exactly.
```
%VARIABLE%
```
This will return all log lines with `%VARIABLE%` in them.

### Colons
Since the colon is a reserved character for field search, quotes are required when searching for strings with colons in them.
```
"response:"
```
This will return all log lines with the string `response:` in them.
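
The precedence rules from the Chained operators, Parentheses and Spaces sections, modelled in Python as an added example; this is not LogDNA's implementation. The function names, the case-insensitive substring matching and the sample log lines are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r'-?"[^"]*"|[()]|[^\s()]+')  # phrase, paren, or bare term

def parse(query):
    """Build a tree of ('or'|'and', ...), ('not', x) and ('term', text) nodes."""
    tokens = [t for t in TOKEN.findall(query) if t != "AND"]  # AND == adjacency
    def parse_or():                       # OR binds loosest
        branches = [parse_and()]
        while tokens and tokens[0] == "OR":
            tokens.pop(0)
            branches.append(parse_and())
        return branches[0] if len(branches) == 1 else ("or", *branches)
    def parse_and():                      # adjacent terms are AND'd first
        parts = []
        while tokens and tokens[0] not in ("OR", ")"):
            parts.append(parse_atom())
        return parts[0] if len(parts) == 1 else ("and", *parts)
    def parse_atom():
        tok = tokens.pop(0)
        if tok == "(":
            node = parse_or()
            if tokens:
                tokens.pop(0)             # consume the closing ")"
            return node
        negate = tok.startswith("-") and len(tok) > 1
        term = ("term", (tok[1:] if negate else tok).strip('"'))
        return ("not", term) if negate else term
    return parse_or()

def matches(node, line):
    if node[0] == "term":                 # assumption: case-insensitive substring
        return node[1].lower() in line.lower()
    if node[0] == "not":
        return not matches(node[1], line)
    hits = [matches(child, line) for child in node[1:]]
    return any(hits) if node[0] == "or" else all(hits)

def search(query, lines):
    tree = parse(query)
    return [line for line in lines if matches(tree, line)]

LOGS = [  # constructed sample lines
    "healthcheck successful",
    "healthcheck failed: upstream timeout",
    "ping from monitor",
    "healthcheck ping successful",
    "job failed on worker-3",
    "failed to schedule cron job",
]
```

Running a saved view or alert query through a model like this shows whether an exclusion such as `-successful` applies to the whole query or only to the terms adjacent to it.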