Querying Logs

There are two major ways to search for logs. You can use SQL syntax or full text search. You can toggle between the two modes from the search page.

SQL

Here is an example SQL query selecting specific JSON fields:

SELECT
    "timestamp",
    json_extract(logs.msg, '$.Data.method') AS method,
    json_extract(logs.msg, '$.Data.request_uri') AS request_uri,
    json_extract(logs.msg, '$.Data.user_agent') AS user_agent,
    json_extract(logs.msg, '$.Data.addr') AS addr
FROM logs
WHERE json_valid(msg) AND request_uri LIKE '%/account%'
ORDER BY "timestamp" DESC
LIMIT 2001;

SQL queries support syntax highlighting and a pretty-print button to format your query.
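The same JSON-field pattern can be turned into a per-address summary, for example to see which client addresses are generating requests to account endpoints. This is an added example, not part of the Central Logging documentation: it assumes a SQLite-compatible engine (where `json_valid` and `json_extract` behave as in SQLite) and a `logs` table with `timestamp` and `msg` columns, as the query above implies. The sample rows and the helper names are constructed for illustration.

```python
import json
import sqlite3

def _line(uri, addr, method="POST"):
    # Constructed log body shaped like the fields the query above extracts.
    return json.dumps({"Data": {"method": method, "request_uri": uri,
                                "user_agent": "example-agent", "addr": addr}})

SAMPLE_LOGS = [  # constructed sample data, not real traffic
    ("2024-05-01T10:00:01Z", _line("/account/login", "203.0.113.7")),
    ("2024-05-01T10:00:02Z", _line("/account/login", "203.0.113.7")),
    ("2024-05-01T10:00:03Z", _line("/account/reset", "203.0.113.7")),
    ("2024-05-01T10:00:04Z", _line("/account/login", "198.51.100.20")),
    ("2024-05-01T10:00:05Z", _line("/static/app.js", "198.51.100.20", "GET")),
    ("2024-05-01T10:00:06Z", "panic: plain text line, not JSON"),
]

QUERY = """
SELECT
    json_extract(msg, '$.Data.addr') AS addr,
    COUNT(*) AS hits,
    MIN("timestamp") AS first_seen,
    MAX("timestamp") AS last_seen
FROM logs
-- CASE ensures json_extract is never run on a line that failed json_valid
WHERE CASE WHEN json_valid(msg)
           THEN json_extract(msg, '$.Data.request_uri') END LIKE '%/account%'
GROUP BY addr
HAVING hits >= :min_hits
ORDER BY hits DESC;
"""

def account_hits_by_addr(rows, min_hits=1):
    """Load rows into an in-memory table and count /account requests per address."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE logs ("timestamp" TEXT, msg TEXT)')
    db.executemany("INSERT INTO logs VALUES (?, ?)", rows)
    result = db.execute(QUERY, {"min_hits": min_hits}).fetchall()
    db.close()
    return result

if __name__ == "__main__":
    for row in account_hits_by_addr(SAMPLE_LOGS, min_hits=3):
        print(row)
```

The plain-text line in the sample is skipped rather than raising a malformed-JSON error, which is the reason for guarding every `json_extract` on mixed log sources.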


You can also use full text search. FTS results are ordered by timestamp descending by default.

Examples:

  • water will search for the term “water”
  • "light beer" will search for the phrase “light beer”
  • description:water will look for “water” in the description JSON field
  • /light (beer|wine)/ will run a regular expression match against the terms
  • description:/wat.*/ will run a regular expression match against the description JSON field
  • +description:water -light beer will perform a query that MUST satisfy the term water in the description field, MUST NOT satisfy the query for the term light, and SHOULD satisfy the query for the term beer

FTS results support pagination and matched search terms are highlighted in the results.


You can search across all log sources at once. This is useful for correlating events across different services or servers.

Field Extraction

When viewing log results, Central Logging can automatically discover and extract JSON fields from your log messages. You can filter results by clicking on discovered field values (Splunk-like field:value syntax).

Saved Queries

Save frequently used searches for quick access. Saved queries store the query text, query type (SQL or FTS), the log source, and any field extraction configuration.

CSV Export

Export your search results to CSV format from the search page.

Context View

Click on any log entry to expand it and view surrounding log entries. Use “search around this time” to open a new search tab centered on a specific timestamp with a configurable time window.

Log Tailing

Stream new logs from a source in real time as they arrive.

Search Tabs

Keep multiple searches open simultaneously using search tabs. Search state is synced to the URL so you can share links to specific searches.

Keyboard Shortcuts

Press ? on the search page to see all available shortcuts:

  • / — Focus the search input
  • Ctrl+Enter — Run the query
  • j / k — Navigate up/down through results
  • Enter — Expand the selected result
  • n / p — Next/previous page
  • t — Open the time range picker
