

Logs Search Cheatsheet

This cheatsheet provides tips and worked examples for the LM Logs query language.

Reserved fields

LogicMonitor reserved fields are indicated by a leading underscore. If you are not sure what to search for, start by typing an underscore into the query bar to see the autocomplete list of reserved fields.

Field                  Description
_alert.severity        The severity level of the alert: warning, error, or critical.
_anomaly.type          The type of anomaly detected, such as never_before_seen.
_message               The message text of the log. If a query does not specify a field name, _message is the field that is searched.
_resource.group        The full path of the resource group.
_resource.group.id     The resource group ID (device group ID). Note: autocomplete may not suggest these values.
_resource.group.name   The name of the resource group, which is the part of the full path after the last forward slash.
_resource.id           The resource ID (device ID). Note: autocomplete may not suggest these values.
_resource.name         The name of the resource (device).

Logical operators

Filters are combined with the logical operators NOT, AND, and OR.

Operator   Description and example

AND        Search for logs that contain all of the fields and values specified.
           _resource.name=winserver01 AND type=winevents
           Displays all logs associated with winserver01 that also contain winevents in the type field.

OR         Search for logs that contain one or more of the fields and values specified.
           _resource.group.name="Linux Servers" OR _resource.name~linux
           Displays all logs for resources in the "Linux Servers" resource group, or for any resource whose name contains "linux".

NOT        Search for logs that do not match the field and value specified.
           NOT _resource.name=winserver01
           Displays all logs from every resource except winserver01.

Pattern matching

Keyword match

Any free-text search (a bare keyword with no field name) searches only the raw log message.

Query      Description and example

keyword    Searches and displays only logs where the keyword is found in the message field. Use it when you want to search all log messages for a string or value. This works the same way as the previous LogicMonitor Logs keyword search.
           error
           Only logs that contain error in the message field are displayed in the logs table.

Exact match

Returns events whose field value exactly matches the pattern.

Query      Description and example

field=word
           Searches and displays only logs where field has exactly the value word. Use it when you know the exact value you want to match.
           _resource.name=winserver01
           Only logs associated with the resource "winserver01" are displayed in the logs table.

field=word1,word2,word3
           Searches and displays only logs where field has the value word1 OR word2 OR word3; each comma acts as an OR operator. Use it when there are several exact values you want to match.
           _resource.name=winserver01,winserver02,winserver03
           Only logs associated with the resources "winserver01", "winserver02", or "winserver03" are displayed in the logs table.

field="word with special characters"
           Uses double quotes to include special characters in the value. Finds all logs where field equals "word with special characters". Use it when you know the exact value and the value contains a special character. Double quotes are required whenever the pattern contains a character outside the non-special set [a-zA-Z0-9*], such as a hyphen or whitespace.
           _resource.name="win-server01"
           Only logs associated with the resource "win-server01" are displayed in the logs table.

Fuzzy match

Returns events whose field value matches a glob expression. The pattern can match anywhere in the value, so field~word finds values that contain word. Fuzzy matching is not case sensitive.

Query      Description and example

field~word
           Searches and displays only logs where field contains word. Use it when you do not need an exact match.
           _resource.name~winserver
           Only logs associated with resources whose name contains "winserver" are displayed; this includes "winserver01", "winserver02", "winserver03", "winserver03west", and so on. (The exact form _resource.name=winserver matches none of these, because the whole value would have to be winserver.)

field~word1,word2,word3
           Searches and displays only logs where field contains word1 OR word2 OR word3; each comma acts as an OR operator. Use it when you want a fuzzy match on several values.
           _resource.name~winserver,linuxserver,firewall
           Only logs associated with resources whose name contains "winserver", "linuxserver", or "firewall" are displayed. This includes resources such as "winserver01east", "winserver03west", "linuxserver02", and "corpfirewall". A resource named "nonprodserver" is not matched, because none of the three patterns occurs in its name.

field~"word with special characters"
           Uses double quotes to include special characters in the pattern. Finds all logs where field contains "word with special characters". Double quotes are required whenever the pattern contains a character outside the non-special set [a-zA-Z0-9*], such as a hyphen or whitespace.
           _resource.name~"win-server01"
           Only logs associated with resources whose name contains "win-server01" are displayed; this includes "win-server01", "win-server01-east", "win-server01-west", and so on.

Regex match

Returns events using regular expressions to match field values. Regular expressions must be enclosed in forward slashes, / /.

Query      Description and example

/regex/
           Searches and displays logs where the message field matches the regular expression. Use it when you want to find logs that contain a particular structure, such as an IP address or a unique identifier.
           /\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/
           Only logs that contain a dotted-quad IP address in the message field are displayed. The expression checks the shape only, so an out-of-range value such as 999.1.1.1 also matches.

           /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/
           Only logs that contain a UUID-style identifier in the message field are displayed. The character class covers lowercase hex digits only; if the match is case sensitive and your logs emit uppercase identifiers, widen it to [0-9a-fA-F].

field~/regex1/,/regex2/
           Searches and displays logs where field matches regex1 OR regex2; each comma acts as an OR operator. Use it when you want a regex match on several values.

Troubleshooting

Parsing errors

If a query returns a parsing error, the cause is usually a syntax problem.

  1. Check that every pattern containing special characters (anything outside [a-zA-Z0-9*], such as a hyphen or whitespace) is surrounded by double quotes.
  2. Check that the double quotes are straight ASCII quotes ("), not the typographic quotes (“ ”) that word processors and some chat tools substitute when text is pasted.
  3. Check that regular expressions are enclosed in forward slashes (/ /) and that special characters inside them are properly escaped.
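The matching rules above (exact =, comma-separated OR lists, quoted values, fuzzy ~ with case-insensitive contains and glob, bare /regex/ against _message, field~/regex/ lists, and NOT/AND/OR combination) together with the parsing-error checks in this section, as an added example: a small Python evaluator that applies those rules to a handful of constructed log records. This is not LogicMonitor code and does not reproduce the real LM Logs engine; where the page is silent it makes labelled assumptions (NOT binds tighter than AND, which binds tighter than OR; keyword search is case-insensitive; exact match is case-sensitive; regex is honoured only bare or under ~). The records in LOGS and the search and parse_error helpers are hypothetical.

```python
import fnmatch
import re

# Constructed sample records standing in for LM Logs events (hypothetical data).
LOGS = [
    {"_resource.name": "winserver01", "_resource.group.name": "Windows Servers",
     "type": "winevents", "_message": "Error 4625: logon failure from 10.0.0.7"},
    {"_resource.name": "winserver03west", "_resource.group.name": "Windows Servers",
     "type": "winevents", "_message": "Service started"},
    {"_resource.name": "win-server01", "_resource.group.name": "Windows Servers",
     "type": "syslog", "_message": "session opened for user admin"},
    {"_resource.name": "db-linux-02", "_resource.group.name": "Linux Servers",
     "type": "syslog", "_message": "request 3f2a9c1e-8b4d-4c6f-9a1e-5d7b2c8e4f10 timed out"},
    {"_resource.name": "corpfirewall", "_resource.group.name": "Network",
     "type": "syslog", "_message": "Denied TCP 192.168.1.5 -> 10.0.0.7"},
]

# A token is a run of "quoted string" | /regex literal/ | non-space characters, so
# field="two words" and field~/a b/,/c/ each stay one token despite the spaces.
TOKEN_RE = re.compile(r'(?:"[^"]*"|/(?:\\.|[^/\\])*/|[^\s"])+')
# Comma-separated value list; commas inside quotes or /regex/ do not split.
VALUE_RE = re.compile(r'"[^"]*"|/(?:\\.|[^/\\])*/|[^,]+')
FIELD_RE = re.compile(r'^([A-Za-z0-9_.]+)([=~])(.+)$')
CURLY_QUOTES = "\u201c\u201d"   # the quotes word processors substitute for "


def _value_matches(actual, value, fuzzy):
    """Match one value from a comma list against a field's actual value."""
    if any(c in value for c in CURLY_QUOTES):
        raise ValueError(f"typographic quote in {value!r}; use straight ASCII quotes")
    if fuzzy and len(value) > 1 and value.startswith("/") and value.endswith("/"):
        return re.search(value[1:-1], actual, re.IGNORECASE) is not None  # field~/regex/
    if len(value) > 1 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]   # quotes protect special characters; they are not part of the value
    if fuzzy:   # "contains", case-insensitive, glob wildcards honoured (assumed semantics)
        return fnmatch.fnmatchcase(actual.lower(), "*" + value.lower() + "*")
    return actual == value    # exact match: whole value, case-sensitive (assumed)


def evaluate(query, record):
    """True if record satisfies query. Precedence NOT > AND > OR is an assumption."""
    tokens = TOKEN_RE.findall(query)
    pos = 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        tok, pos = tokens[pos], pos + 1
        if tok == "NOT":
            return not term()
        message = str(record.get("_message", ""))
        if len(tok) > 1 and tok.startswith("/") and tok.endswith("/"):
            return re.search(tok[1:-1], message) is not None   # bare /regex/ runs on _message
        m = FIELD_RE.match(tok)
        if m:
            field, op, raw = m.groups()
            actual = str(record.get(field, ""))
            return any(_value_matches(actual, v, op == "~") for v in VALUE_RE.findall(raw))
        return tok.lower() in message.lower()   # bare keyword: substring of _message (case assumed)

    def conjunction():
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            rhs = term()        # always consume the right side so the cursor stays in sync
            result = result and rhs
        return result

    def disjunction():
        nonlocal pos
        result = conjunction()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            rhs = conjunction()
            result = result or rhs
        return result

    result = disjunction()
    if pos != len(tokens):   # e.g. an unquoted value with a space: the second word is left over
        raise ValueError(f"parse error near {tokens[pos]!r}")
    return result


def search(query, logs=LOGS):
    """Resource names of the records matching query, in ingestion order."""
    return [r["_resource.name"] for r in logs if evaluate(query, r)]


def parse_error(query):
    """The error text a bad query raises, or None when it parses cleanly."""
    try:
        evaluate(query, {})
    except ValueError as exc:
        return str(exc)
    except re.error as exc:
        return f"bad regex: {exc}"
    return None
```

The three parsing-error checks map onto the failures parse_error reports: an unquoted value containing whitespace (_resource.name=win server01) leaves a stray token and fails with "parse error near 'server01'", typographic quotes are rejected outright, and an unescaped or unterminated construct inside / / surfaces as a regex compile error. The page's own examples, such as _resource.name~winserver,linuxserver,firewall and the IP-address regex, can be passed to search to see which of the sample records each one selects.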

Timeout errors

For raw log searches, the timeout is 2 minutes. A timeout can occur when the time range of the search is too long (for example, 30 days), and the point at which it occurs depends on the volume of ingested logs being searched. If a search times out, decrease the time range.
