

Writing a Filtering Query

Use the query bar to write the query to filter your logs.

Autocomplete for reserved fields

If you don’t know where to start, type an underscore into the query bar. Autocomplete will show a list of the LogicMonitor reserved fields, such as resource names, resource groups, log alert severity, anomaly type, and so on. 

The filtering query can include fields and values combined with logical operators.

Pattern matching

The query language is flexible and supports several ways to filter and narrow down your search for logs: keywords, exact match, fuzzy match, and regex match.

Keywords: A keyword search searches the log message field and returns the logs that contain the specified word or phrase. Enclose a multi-word phrase in double quotes.
Exact match: A field=value search returns logs where the field has exactly the value specified.
Fuzzy match: If you don’t want an exact match, you can define a fuzzy match pattern with field~value, using glob expressions to describe the value. Fuzzy matching is not case sensitive.
Regex match: You can use a regular expression to define the pattern to match. The regular expression must be enclosed in forward slashes, for example field~/pattern/.

Logical operators

You can use the logical operators AND, OR, and NOT to combine multiple filters to narrow your search for logs. Autocomplete will suggest logical operators after you enter a complete keyword or field=value pair.

NOT: Excludes logs that match the keyword or filter that follows it.
AND: Returns logs that match all of the keywords and filters specified.
OR: Returns logs that match one or more of the keywords and filters specified.

Examples

The following examples illustrate the syntax for searching and filtering logs with the query language. For more usage examples, see Logs Search Cheatsheet.

Example 1: Exact match

Return logs from resources named “winserver01” or “win-server01” if their message field contains the keyword “error”.

error AND _resource.name=winserver01,"win-server01"

An alternate way to write this search is:

error AND ( _resource.name=winserver01 OR _resource.name="win-server01" )

Example 2: Fuzzy match

Return logs from any resource whose name contains “linux” if the message field contains the phrase “Invalid login”.

"Invalid login" AND _resource.name~linux

Example 3: Groups and subgroups

The following examples show how to search groups and subgroups. They assume that you have access to groups with the full paths “Pods/p02.prod” and “Kubernetes Cluster: services/p01-us-west”.

To search logs for the group “Pods/p02.prod”, all of its subgroups, and its direct devices:

_resource.group~/Pods\/p02.prod($|\/)/

The ($|\/) at the end requires the match to be followed by either the end of the path or a slash, so a sibling group whose name merely starts with the same text (for example “Pods/p02.production”) is not matched. Note that the unescaped dot in p02.prod is a regex wildcard that matches any single character; escape it (p02\.prod) if you need the group name matched literally.

To search logs only for the direct devices of “Pods/p02.prod”, excluding its subgroups:

_resource.group="Pods/p02.prod"

To search logs by group name regardless of the parent group (here “p01-us-west”, which sits under “Kubernetes Cluster: services”):

_resource.group.name~"p01-us-west"

Example 4: Non-reserved fields

You can query non-reserved fields using the field name (including nested field names). For example, to search for GET requests, you would use the query:

method=GET
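The following Python is an added example and not LogicMonitor code: a small evaluator for the syntax described under Pattern matching and Logical operators, run over constructed log records that reproduce Examples 1 to 4. The records, the log helper, and the tokenize, compile_query and search functions are all constructed here. Anything it decides beyond what this page states is an assumption to check against the real query bar: keyword search is treated as case-insensitive, NOT binds tighter than AND, which binds tighter than OR, and a fuzzy value with no wildcard is treated as "contains", which is how the _resource.name~linux example behaves.

```python
import re
from fnmatch import fnmatchcase

# Added illustration, not LogicMonitor's own parser. Case-insensitive keywords and
# the precedence NOT > AND > OR are assumptions; verify them against the query bar.
VALUE = r'"[^"]*"|/(?:\\.|[^/])*/|[^\s(),]+'            # "quoted" | /regex/ | bare
TOKEN_RE = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))'
    r'|(?P<term>[A-Za-z_][\w.]*\s*[=~]\s*(?:%s)(?:\s*,\s*(?:%s))*)'
    r'|(?P<word>"[^"]*"|[^\s()]+))' % (VALUE, VALUE))
TERM_RE = re.compile(r'([A-Za-z_][\w.]*)\s*([=~])\s*(.*)', re.S)
VALUE_RE = re.compile(VALUE)

def tokenize(query):
    # Every non-space character is covered by some alternative, so nothing is skipped.
    return [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(query)]

def value_matcher(op, val):
    if op == '~' and len(val) > 1 and val[0] == val[-1] == '/':
        rx = re.compile(val[1:-1])                     # regex: unanchored search
        return lambda s: rx.search(s) is not None
    lit = val[1:-1] if val.startswith('"') else val
    if op == '=':
        return lambda s: s == lit                      # exact, case-sensitive
    # Fuzzy: case-insensitive glob; no wildcard means "contains" (as in ~linux).
    pat = lit.lower() if set('*?[') & set(lit) else '*%s*' % lit.lower()
    return lambda s: fnmatchcase(s.lower(), pat)

def make_term(text):
    field, op, raw = TERM_RE.fullmatch(text).groups()
    checks = [value_matcher(op, v) for v in VALUE_RE.findall(raw)]   # a,b means a OR b
    def match(rec):
        v = rec.get(field)
        vals = v if isinstance(v, list) else [] if v is None else [v]
        return any(c(str(s)) for s in vals for c in checks)
    return match

def make_keyword(text):
    needle = (text[1:-1] if text.startswith('"') else text).lower()
    return lambda rec: needle in str(rec.get('message', '')).lower()

def compile_query(query):
    # Recursive-descent parse into a predicate over one log record (a flat dict).
    toks, i = tokenize(query) + [('end', None)], 0
    def peek():
        return toks[i]
    def take():
        nonlocal i
        tok = toks[i]
        i += tok[0] != 'end'                           # never step past the sentinel
        return tok
    def chain(word, sub, combine):                     # sub (word sub)*
        parts = [sub()]
        while peek() == ('word', word):
            take()
            parts.append(sub())
        return lambda rec: combine(p(rec) for p in parts)
    def or_expr():
        return chain('OR', and_expr, any)
    def and_expr():
        return chain('AND', unary, all)
    def unary():
        if peek() == ('word', 'NOT'):
            take()
            inner = unary()
            return lambda rec: not inner(rec)
        kind, text = take()
        if kind == 'lparen':
            inner = or_expr()
            if take()[0] != 'rparen':
                raise ValueError('missing )')
            return inner
        if kind not in ('term', 'word'):
            raise ValueError('unexpected %s' % (text or 'end of query'))
        return make_term(text) if kind == 'term' else make_keyword(text)
    match = or_expr()
    if peek()[0] != 'end':
        raise ValueError('unexpected %r' % peek()[1])
    return match

def search(query, logs):
    match = compile_query(query)
    return [rec for rec in logs if match(rec)]

# Constructed sample logs (not real data), flattened to the dotted field names.
def log(i, msg, name, group, **extra):
    return {'id': i, 'message': msg, '_resource.name': name, '_resource.group': group,
            '_resource.group.name': group.rsplit('/', 1)[-1], **extra}

LOGS = [
    log(1, 'Error: disk full', 'winserver01', 'Pods/p02.prod'),
    log(2, 'error reading config', 'win-server01', 'Pods/p02.prod'),
    log(3, 'Invalid login for root', 'linux-db-02', 'Pods/p02.prod/db'),
    log(4, 'GET /health 200', 'api-gw-1', 'Kubernetes Cluster: services/p01-us-west', method='GET'),
    log(5, 'error in build', 'linuxbuild', 'Pods/p02.production'),
    log(6, 'error: the unescaped dot matches this too', 'app7', 'Pods/p02-prod'),
]
```

Running the Example 3 group query over these records shows both points made about it above: _resource.group~/Pods\/p02.prod($|\/)/ returns records 1, 2 and 3 but not record 5 ("Pods/p02.production"), and it also returns record 6 ("Pods/p02-prod") because the unescaped dot matches the hyphen; escaping it as p02\.prod drops record 6. Comma-separated values in an exact match are combined with OR, so Example 1 and its parenthesised rewrite return the same records.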
