The query bar in LM Logs enables users to filter log data with precision and flexibility by using LogicMonitor Query Language (LMQL) or Natural Language inputs. It enables rapid troubleshooting and log investigation, from diagnosing failed authentications to identifying system reboots or failed backups. It supports filtering by fields like _message, severity, _resource.name, and custom log fields, using Boolean operators, regex patterns, and time-scoping.

LM Logs query bar

The query bar enables you to filter, analyze, and narrow down logs using:

  • Natural Language Filter
    The natural language filter enables you to type intuitively and LogicMonitor automatically suggests the structured query equivalent. 
    For example, start typing something like:
    “error logs from app server today”
    “login failure in the last hour”
    LM automatically suggests the LMQL translation:
    severity="ERROR" AND _message =~ "login failure"

Note: Use natural language filters for quick exploration. For recurring or complex queries, use structured LMQL for reproducible results.

  • Structured Query Syntax (LMQL)
    This is LogicMonitor’s Logs Query Language, built for precision filtering.
    It supports the following:
    • Field-based filters (for example, severity="ERROR")
    • Boolean operators (AND, OR, NOT)
    • Regular expressions (=~, !~)
    • Time-based filters (for example, _time > now() - 1h)

For more information, see https://www.logicmonitor.com/support/writing-a-filtering-query.

Once you run a query using either a natural language filter or LMQL, you can save it as a Saved View. Saved views store your filters and time range so you can return to the same log context later. All Saved Views are displayed in the Manage Saved Filters panel, organized by Group Type.

You can organize saved queries into the following groups:

  • Private folder stores all personal queries and is visible only to the logged-in user.
  • Public folder stores queries visible to all LM Logs users in the portal. Public queries can be published by LogicMonitor or by customer admins.
  • Shared folder stores queries shared with selected users or teams who have access to the same role or scope.

These Log Query Groups act as folders or categories for related saved views. These groups help streamline access across teams, whether it is organizing by environment (for example, “Production vs. Dev”), by use case (for example, “Security Events”, “App Errors”), or by system type (for example, “Windows”, “Firewall”, “Cloud”).

Requirements for Creating a Log Query Filter

To create, save, or manage log query filters, you need the following:

  • Queries must return valid results that include at least one groupable field.
  • Your account must include an LM Logs license.
  • You must have read access to at least one device log or deviceless log.

Creating a Log Query Filter

  1. In LogicMonitor, navigate to Logs.
  2. To create a log query filter, you can do one of the following:
    • To leverage the natural language filter:
      1. Enter descriptive text such as “errors from app server in the last 24 hours” in the Natural Language Query bar.
      2. Select Get Query.
    • To enter a formal query using the LMQL syntax language:
      1. Enter a formal query using field names and operators in the Query bar.
  3. Select Run Query.
  4. When the results display, select Save view.
  5. In the Save View modal, enter the following:
    1. Enter a Name for the view.
    2. Select the appropriate Group Type to determine the visibility level of the saved view; you can choose between Private, Public, or Shared.
    3. Specify the Group Name, which identifies the query group where the view is stored.
    4. Select Save as new view.
  6. The saved view appears in the Views dropdown and is filed under the tab matching the Group Type you selected in the Manage Saved Filters panel.

Note: By default, the saved view is added to the Private group and is marked as a favorite.

Updating a Saved Log Query View

  1. In LogicMonitor, navigate to the Logs page.
  2. From the Views dropdown, select the saved view you want to update.
    The query of the selected view appears in the query bar.
  3. Modify the query in the query bar and select Run Query.
    Ensure the query is executed successfully before saving.
  4. Select Save view….
  5. In the Save View modal, confirm the Name, Group Type, and Group Name.
  6. Select Update.
  7. To create a new view instead of updating the existing one, rename the view before saving and select Save as new view.

Managing Saved Log Queries

  1. In LogicMonitor, navigate to Logs.
  2. Select the Views dropdown, then select Manage Saved Filters.
  3. In the panel, locate the view to manage and select More options.
  4. Choose one of the following actions:
    • Select Copy Link URL to copy a shareable link to the view.
    • Select Rename to update the saved view name.
    • Select Duplicate to clone the view and assign it to another group.
    • Select Copy to shared to make a query available to other users or teams within the same LogicMonitor portal who share a common role or resource scope.
    • Select Copy to Public to publish a query to the Public query library, making it visible to all LM Logs users across the portal.
    • Select Track Query to convert the view into a tracked query.
    • Select Move to assign the view to a different query group.
    • Select Export to download the configuration as a JSON file.
    • Select Delete to delete the saved view.

Creating a Log Query Group

Log query groups organize saved views into logical folders.

  1. In LogicMonitor, navigate to Logs.
  2. Select the Views dropdown and then Manage Saved Filters.
  3. In the panel, select Add new Group.
  4. In the dialog box, enter a Group Name and Description.
  5. Select Save.

Note: The group naming rules are as follows:

  • The group name cannot be root or Ungrouped.
  • Maximum name length: 32 characters.
  • Allowed characters: alphanumeric and underscores (_).
  • The name cannot start or end with an underscore or begin with a number.
  • Maximum description length: 1024 characters.
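
When groups are created in bulk or prepared for import, the naming rules above can be checked before opening the dialog. The following is an added example, not LogicMonitor code: the function name check_group is hypothetical, "alphanumeric" is assumed to mean ASCII letters and digits, and the reserved names are assumed to be matched exactly as written.

```python
import re

# Limits and reserved names taken from the group naming rules listed above.
# Assumptions of this example: ASCII-only alphanumerics, exact-match reserved names.
RESERVED_NAMES = {"root", "Ungrouped"}
MAX_NAME_LEN = 32
MAX_DESCRIPTION_LEN = 1024
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_]+")


def check_group(name: str, description: str = "") -> list[str]:
    """Return every rule violation for a proposed group; an empty list means valid."""
    problems = []
    if name in RESERVED_NAMES:
        problems.append(f"'{name}' is a reserved group name")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters; maximum is {MAX_NAME_LEN}")
    if not ALLOWED_CHARS.fullmatch(name):
        # Also catches an empty name, spaces, hyphens and non-ASCII characters.
        problems.append("name must be non-empty and use only letters, digits and underscores")
    if name.startswith("_") or name.endswith("_"):
        problems.append("name cannot start or end with an underscore")
    if name[:1].isdigit():
        problems.append("name cannot begin with a number")
    if len(description) > MAX_DESCRIPTION_LEN:
        problems.append(
            f"description is {len(description)} characters; maximum is {MAX_DESCRIPTION_LEN}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from a real portal.
    for candidate in ["Security_Events", "App Errors", "root", "_prod", "2024_logs"]:
        issues = check_group(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```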

Managing a Log Query Group

  1. In LogicMonitor, navigate to Logs.
  2. Select the Views dropdown and then Manage Saved Filters.
  3. Locate the group to manage and select More options.
  4. From the menu, select one of the following actions:
    • Select Favorite all to mark favorites in bulk.
    • Select Unfavorite all to clear favorites in bulk.
    • Select Edit group to update the group name or description.
    • Select Delete group to remove the group after all views are moved or deleted.
    • Select Duplicate group to create an exact copy of an existing log query group, including all saved views within it.
    • Select Export group to export saved views to a JSON file.
    • Select Import group to import saved views from a JSON file.

Editing a Group

You can edit an existing log query group to update its name or description.

To edit a group, do the following:

  1. In the panel, locate the group you want to update.
  2. Select the More options (⋮) next to the group name.
  3. From the menu, select Edit group.
  4. In the Edit Group modal, do the following:
    • Enter a new Group Name if you want to rename the group.
    • Enter or update the Description to clarify the group’s purpose or scope.
  5. Select Save to apply your changes.

Deleting a Group

You can delete a log query group that is no longer needed. Before deleting, ensure that all saved views within the group are either moved to another group or deleted.

To delete a group, do the following:

  1. In the panel, locate the group you want to remove.
  2. Select the More options (⋮) next to the group name.
  3. From the menu, select Delete group.
  4. A confirmation dialog appears. Review the warning message.
  5. Select Delete.

Note: Once a group is deleted, it cannot be recovered. Any saved views not moved to another group before deletion are also permanently removed.

Duplicating a Group

You can duplicate an existing log query group to create a copy of its structure and contents. This is useful when you want to reuse a group of saved queries in a different environment, share them with another team, or create a test version without altering the original group.

To duplicate a group, do the following:

  1. In the panel, locate the group you want to duplicate.
  2. Select the More options (⋮) next to the group name.
  3. From the menu, select Duplicate group.
  4. In the Duplicate Group modal, review or update the suggested group name (a numerical suffix, such as _1, is automatically added).
  5. (Optional) Update the Description to reflect the purpose of the new group.
  6. Select Save.

The duplicated group will appear in the Manage Saved Filters panel with all the saved queries, filters, and configurations from the original group.
