Search Syntax
LTS provides a set of search syntax for setting search criteria, helping you search for logs more effectively.
- Before using the search syntax, set the delimiters in Index Settings. If there is no special requirement, use the default delimiters , '";=()[]{}@&<>/:\n\t\r.
- The search syntax does not support search by delimiter.
Search statements do not support delimiters. For example, in the search statement var/log, / is a delimiter. The search statement is equivalent to var log and is used to search for all logs that contain both var and log. Similarly, the search statements such as "var:log" and var;log are used to search for all logs that contain both var and log.
This function is available only in regions AF-Johannesburg, AP-Singapore, CN-Hong Kong, CN East-Shanghai1, LA-Mexico City1, LA-Mexico City2, LA-Santiago, and LA-Sao Paulo1.
Search Mode
The search statement is used to specify the filter criteria for log search and return the logs that meet the filter criteria.
Depending on the index configuration mode, it can be classified into full-text search and field search; according to the search accuracy, it can be classified into exact search and fuzzy search. Other types of search modes include range search and phrase search.
Search Mode |
Description |
Example |
---|---|---|
Full-Text Search |
LTS splits an entire log into multiple keywords when full-text index is set.
NOTE:
|
The preceding search statements have the same function, indicating that logs containing both GET and POST are searched. |
Field Search |
Search for specified field names and values (key:value) after field indexing is configured. You can perform multiple types of basic search and combined search based on the data type set in the field index.
NOTE:
|
|
Exact Search |
Use exact words for search. LTS searches with word segmentation, which does not define the sequence of keywords.
NOTE:
If the search statement is abc def, all logs that contain both abc and def are matched. Logs abc def or def abc are matched. To ensure the sequence of keywords, use #"abc def". |
|
Fuzzy Search |
Specify a word in the search statement and add a fuzzy search keyword, that is, an asterisk (*) or a question mark (?), to the middle or end of the word. LTS searches for the word that meets the search criteria and returns all logs that contain the word.
NOTE:
|
|
Search Scope |
The long and float data supports range search.
|
|
Phrase Search |
Phrase search is used to fully match target phrases in logs to ensure the sequence in which keywords appear.
NOTE:
Fuzzy search is not supported for phrase search. |
#"abc def" indicates that the system searches all logs for the logs that contain the target phrase abc def. |
- Delimiters
LTS splits the log content into multiple words based on delimiters. Default delimiters include ,'";=()[]{}@&<>/:\n\t\r and spaces.
For example, the default delimiter divides the log 2023-01-01 09:30:00 into four parts: 2023-01-01, 09, 30, and 00.
In this case, the search statement 2023 cannot match the log. You can search for the log using 2023-01* or 2023-01-01.
If the delimiter is set to null, the field value is regarded as a whole. You can search for the corresponding log only through complete log content or fuzzy search.
- Keyword sequence
Only the phrase search #"abc def" can ensure the sequence of keywords. In other search modes, multiple keywords are connected by AND.
For example, request_method:GET POST is used to query logs that contain both GET and POST, and the sequence of GET and POST is not ensured. Phrase search is recommended.
- Chinese search
Fuzzy search is not required for Chinese search. Phrase search is recommended to match more accurate results.
In LTS, English content is solit into words of different lengths. Therefore, you can use fuzzy search to match logs with English words with the same prefix.
Unigram segmentation is used to a Chinese string into Chinese characters. Each Chinese character is independent, and the length of each part is 1 character.
For example, the search statement Monday indicates that logs containing M, o, n, d, a, and y are searched. The search statement #"Monday" indicates that logs containing the target phrase Monday are searched.
- Invalid keyword
The syntax keywords of log search statements include: && || AND OR and or NOT not in : > < = ( ) [ ]
When and AND or OR NOT not in are used as syntax keywords, separate them with a space.
If the log contains syntax keywords and needs to be searched, the search statement must be enclosed in double quotation marks. Otherwise, syntax errors may occur or incorrect results may be found.
For example, if the search statement content:and contains the syntax keyword and, change it to content:"and".
Operator
The search statement supports the following operators:
- Except the in operator, other operators are case-insensitive.
- The priorities of operators in descending order are as follows:
- Colon (:)
- Double quotation marks ("")
- Parentheses: ()
- and, not
- or
Operator |
Description |
---|---|
and |
AND operator. If there is no syntax keyword between multiple keywords, the AND relationship is used by default. For example, GET 200 is equivalent to GET and 200.
NOTE:
When and is used as an operator, use a space before and after it. For example, 1 and 2 indicates that logs containing both 1 and 2 are searched, and 1and2 indicates that logs containing 1and2 are searched. |
AND |
AND operator, equivalent to and. |
&& |
AND operator.
NOTE:
When && is used as an operator, spaces are not necessary. For example, 1 && 2 is equivalent to 1&&2, indicating that logs containing both 1 and 2 are searched. |
or |
OR operator, example: request_method:GET or status:200
NOTE:
When or is used as an operator, use a space before and after it. |
OR |
OR operator, equivalent to or. |
|| |
OR operator. When || is used as an operator, spaces are not necessary. |
not |
NOT operator. Example: request_method:GET not status:200, not status:200
NOTE:
|
( ) |
Specify fields that should be matched with higher priority. Example: (request_method:GET or request_method:POST) and status:200 |
: |
Search for a specified field (key:value). For example, request_method:GET.
NOTE:
Use double quotation marks ("") to enclose a field name or value that contains reserved characters, such as spaces and colons (:). Example: "request method":GET, message:"This is a log" |
"" |
Enclose a syntax keyword to convert it into common characters. For example, "and" means searching for logs that contain this word. The word and here is not an operator. |
\ |
Escape double quotation marks (""). The escaped quotation marks indicate the symbol itself. For example, to search for instance_id:nginx"01", use instance_id:nginx\"01\". |
* |
An asterisk can match zero, single, or multiple characters. Example: request_method:P*T
NOTE:
Put it in the middle or at the end of a keyword. |
? |
A question mark matches a single character. For example, request_method:P?T can match PUT but cannot match POST.
NOTE:
Put it in the middle or at the end of a keyword. |
> |
Searches logs in which the value of a field is greater than a specified value. Example: request_time>100 |
>= |
Searches logs in which the value of a field is greater than or equal to a specified value. Example: request_time>=100 |
< |
Searches logs in which the value of a field is less than a specified value. Example: request_time<100 |
<= |
Searches logs in which the value of a field is less than or equal to a specified value. Example: request_time<=100 |
= |
Searches logs in which the value of a field is equal to a specified value, applying only to float or long fields. For fields of this type, the equal sign (=) and colon (:) have the same function. For example, request_time=100 is equivalent to request_time:100. |
in |
Search logs whose field values are in a specified range. Brackets indicate a closed interval, and parentheses indicate an open interval. Numbers are separated with spaces. Example: request_time in [100 200] and request_time in (100 200]
NOTE:
Enter in in lowercase. When it is used as an operator, use a space before and after it. |
#"" |
Searches for logs that contain the target phrase, ensuring the sequence of keywords.
NOTE:
The asterisk (*) and question mark (?) in phrase search are regarded as common characters. Therefore, phrase search does not support fuzzy search and can be used to search for the asterisk (*) and question mark (?) in logs. |
Search Statement Examples
For the same search statement, different search results are displayed for different log content and index configurations. This section describes search statement examples based on the following log examples and indexes:
Search Requirement |
Search Statement |
---|---|
Logs of POST requests whose status code is 200 |
request_method:POST and status=200 |
Logs of successful GET or POST requests (status codes 200 to 299) |
(request_method:POST or request_method:GET) and status in [200 299] |
Logs of failed GET or POST requests |
(request_method:POST or request_method:GET) not status in [200 299] |
Logs of non-GET requests |
not request_method:GET |
Logs of successful GET request and request time is less than 60 seconds |
request_method:GET and status in [200 299] not request_time>=60 |
Logs whose request time is 60 seconds. |
|
Logs of requests whose time is greater than or equal to 60 seconds and less than 200 seconds |
|
Logs that contain and |
content:"and"
NOTE:
Double quotation marks are used to enclose and. and is a common string and does not represent an operator. |
Logs that do not contain the user field. |
not user:* |
Logs in which the value of user is empty are searched. |
user:"" |
Logs in which the value of the week field is not Monday |
not week: Monday |
Logs whose sec-ch-ua-mobile field is ?0 |
sec-ch-ua-mobile:#"?0"
NOTE:
If search is required when log content contains asterisks (*) or question marks (?), use phrases search. |
The following describes examples of advanced searches.
Search Requirement |
Search Statement |
---|---|
Logs that contain words starting with GE |
GE* |
Logs that contain words starting with GE and with only one character after GE. |
GE? |
Logs in which the value of request_method contains a word starting with G. |
request_method:G* |
Logs in which the value of request_method starts with P, ends with T, and contains a single character in the middle. |
request_method:P?T |
Logs in which the value of request_method starts with P, ends with T, and contains zero, single, or multiple characters in the middle. |
request_method:P*T |
Search based on delimiters. For example, the value of the User-Agent field is Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36.
- If this parameter is left blank, the value of this field is considered as a whole. In this case, when you use User-Agent:Chrome to search for logs, no log can be found.
- When the delimiter is set to , '";=()[]{}?@&<>/:\n\t\r, the value of this field is split into Mozilla, 5.0, Windows, NT, 10.0, Win64, x64, AppleWebKit, 537.36, KHTML, like, Gecko, Chrome, 113.0.0.0, Safari, and 537.36.
Then you can use search statements such as User-Agent:Chrome for search.
Table 5 Delimiter-based search Search Requirement
Search Statement
Logs in which the value of User-Agent contains Chrome
User-Agent:Chrome
Logs in which the value of User-Agent contains the word starting with Win
User-Agent:Win*
Logs in which the value of User-Agent contains Chrome and Linux
User-Agent:"Chrome Linux"
Logs in which the value of User-Agent contains Firefox or Chrome
User-Agent:Chrome OR User-Agent:Linux
Logs in which the value of User-Agent contains Chrome but not Linux
User-Agent:Chrome NOT User-Agent:Linux
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.