Writing a Filtering Query
Last updated on 10 January, 2023Use the query bar on the Logs page to write the query to filter your logs.
If you don’t know where to start, type an underscore into the query bar. Autocomplete will show a list of LogicMonitor reserved fields, such as resource names, resource groups, log alert severity, anomaly type, and so on.
The filtering query can include fields and values combined with logical operators.
Pattern Matching
The query language is flexible and supports a few different ways to help you filter and narrow down your search for logs: keywords, exact match, fuzzy match, and Regex match.
| Expression | Description |
| Keywords | A keyword search will search the log message field and return the logs that contain the specified word or phrase. |
| Exact match | Searches for a field=value pair will return logs where the field has the exact value that is specified. |
| Fuzzy match | If you don’t want an exact match, you can define a fuzzy match pattern using glob expressions to describe the value. Fuzzy matching is not case sensitive. |
| Regex match | You can use regular expressions to define a pattern to match. Regular expressions need to be put inside of front slashes. |
Logical Operators
You can use the logical operators AND, OR, and NOT to combine multiple filters to narrow your search for logs. Autocomplete will suggest logical operators after you enter a complete keyword or field=value pair.
| Operator | Description |
| NOT | Search for logs except any of the keywords or filters specified. |
| AND | Search for logs that contain all the keywords and filters specified. |
| OR | Search for logs that contain one or more of the keywords and filters specified. |
For more information on search operators, see Advanced Search Operators.
Examples
The following examples illustrate the syntax for searching and filtering logs with the query language. For more usage examples, see Logs Search Cheatsheet.
Example 1: Exact Match
Return logs from resources named “winserver01” or “win-server01” if their message field contains the keyword “error”.
error AND _resource.name=winserver01,"win-server01"An alternate way to write this search is:
error AND ( _resource.name=winserver01 OR _resource.name="win-server01" )Example 2: Fuzzy Match
Return logs from any resource that contains the word “linux” in its name if the message field contains the keyword “Invalid login”.
"Invalid login" AND _resource.name~linuxExample 3: Groups and Subgroups
The following examples show searching groups and subgroups. These examples assume that you have access to groups with the full path “Pods/p02.prod” and “Kubernetes Cluster: services/p01-us-west”.
To search logs for all its subgroups and direct devices:
_resource.group~/Pods\/p02.prod($|\/)/To search logs only for its direct devices:
_resource.group="Pods/p02.prod"To search logs by the group name, regardless of the parent group:
_resource.group.name~"p01-us-west"Note: Regular expressions are used for queries with ~. Therefore the resulting output requires more computing resources and may take longer to complete.
Example 4: Non-reserved Fields
You can query non-reserved fields using the field name (including nested field names). For example, to search for GET requests, you would use the query:
method=GET