Query syntax for logs

Use our logs UI at one.newrelic.com to quickly search through your log data in seconds. Each log lists available attributes in the log_summary column. To drill down into additional details, click any highlighted attribute.

Query structure

Using logs, you can search through your log data by entering either simple keywords, such as new and relic, or phrases such as "new relic agent", directly into the search field.

Plain terms are a 'contains' search for the message attribute and the filePath of your logs. For instance, "new relic agent" is equivalent to the more verbose message: "*New Relic Agent*".

To search other attributes, prefix the attribute to your terms, such as source: "*new relic agent*". See General operators below for more details.

You can also combine keywords or phrases with operators to form more complex queries.

Tip

Log queries in New Relic are based on the Lucene query language, and any Lucene function listed in this document is supported. (If a Lucene function isn't listed, we don't support it.) For some helpful examples, check out this Lucene tutorial.

General query rules:

Log query rules	Comments
Case sensitive	The query syntax is case sensitive for attributes values. Attribute names are always case sensitive. Exception: Wildcard searches are case insensitive for attribute values.
Whitespace characters	When a term contains whitespace characters such as the space or tab character, the term will need to be double-quoted. Example: To query for a `status` attribute that contains exactly `POST /log/v1`, quote the term like this: `status: "POST /log/v1"` Note: to query for a `status` attribute that contains `POST /log/v1` somewhere in the attribute, you'll need to add wildcard characters like `status: "POST /log/v1"` (see below for details on wildcards)
Special characters	When a term contains special characters, double-quote the term and escape the special characters using a backslash (`\`). This includes special characters such as `+`, `-`, `&`, `\|`, `!`, `(`, `)`, `{`, `}`, `[`, `]`, `^`, `"`, `~`, `*`, `?`, `:`, `/`, or `\`. Example: To query for a `status` attribute containing exactly `"POST /log/v1 HTTP/1.1" 202`, escape the quotes like this: `status: "\"POST /log/v1 HTTP/1.1\" 202"`
Wildcard searches	You can run wildcard searches using an asterisk (``) to replace zero or more characters. Example: to query for a `status` attribute that contains with `202` somewhere in it, format the query like this: `status: 202` If your term contains spaces or other metacharacters (see above), you'll need to quote the wildcarded term. For example, to query for a `status` attribute that contains `/log/v1 202` somewhere in it, format the query like this: `status: "/log/v1 202*"`

Search with text

To return more specific query results, use text searches to join together keywords or phrases.

Text operators

The Logs query syntax accepts the following text operators:

Condition	Text operator example
Matching (keyword)	Search for log results containing keywords entered separately: `"new" "relic"`
Exact matching (phrase)	Search for log results containing the specific phrase entered: `"new relic agent"`
Either / Or	Search for log results containing either or both of the keywords entered: `new OR relic`
And	Search for log results containing both of the keywords entered: `new AND relic`
* Wildcard (zero or more)	Search for log results containing both of the keywords entered, with zero or more characters between them: `new*relic`
Negation (keyword)	Search for log results that do not contain the specific keyword entered: `-new`
Negation (phrase)	Search for log results that do not contain the specific phrase entered. `-"new relic"`

Search with attributes

Use attribute searches to narrow the query results to a specific attribute or field.

General operators

The following operators can be used by all types of attributes:

Condition	General operator example
Equal `:`	Search for log results where the attribute equals the keyword specified. Example: The field `hostname` equals `chi`: `hostname:chi`
Does not equal `- :`	Search for log results where the attribute does not equal the keyword specified. Example: The field `hostname` does not equal `chi`. `-hostname:chi`
Contains `*`	Search for log results where the attribute contains the specified keyword. Example: The field `hostname` contains `chi`. `hostname:chi`
Does not contain `- *`	Search for log results where the attribute does not contain the specified keyword. Example: The field `hostname` does not contain `chi`. `-hostname:chi`
Starts with `*`	Search for log results where the attribute starts with the specified keyword specified. Example: The field `hostname` starts with `chi`. `hostname:chi*`
Ends with `*`	Search for log results where the attribute ends with the specified keyword specified. Example: The field `hostname` ends with `chi`. `hostname:*chi`
Has	Search for log results that have the specified field. Example: Has the field `user_name`. `has:user_name`
Missing	Search for log results that are missing the specified field. Example: Missing the field `user_name`. `missing:user_name`

Numeric operators

The following operators can only be used by numeric attributes:

Condition	Numeric operator example
Greater than	Search for log results attribute matches that are greater than the given parameter. Example: The field `http_response_time_ms` is greater than `500`. `http_response_time_ms:>500`
Greater than or equal to	Search for log results with attribute matches that are greater than or equal to the given parameter. Example: The field `http_response_time_ms` is greater than or equal to `500`. `http_response_time_ms:>=500`
Less than	Search for log results with attribute matches that are less than the given parameter. Example: The field `http_response_time_ms` is less than `500`. `http_response_time_ms:<500`
Less than or equal to	Search for log results with attribute matches that are less than or equal to the given parameter. Example: The field `http_response_time_ms` is less than or equal to `500`. `http_response_time_ms:<=500`

Logs query examples

Example: Query Apache logs

About Apache logs

If you have Apache logs, we recommend using our built in parsing rules for Apache logs to parse the logs into attributes. To use the built-in parsing, simply add the logtype: apache attribute to your logging.yml configuration on the hosts for your Apache logs.

Here are some examples of querying Apache logs:

logtype:apache response:503

Example: Query Amazon Cloudfront CDN logs

About CDN logs

If you have Amazon CloudFront logs, learn how to Forward Amazon CloudFront access logs to New Relic. We offer built-in parsing rules that can be used to automatically parse your Amazon Cloudfront standard or real-time access logs. We also have an Amazon Cloudfront access logs quickstart dashboard you can install that gives you immediate insight into your Amazon CloudFront CDN access logs!

Here are some examples of querying Amazon Cloudfront CDN access logs:

See NRQL query and add to dashboard

To see the NRQL version of a logs chart, click the ellipses menu on that chart and click View query. This opens up a view of the NRQL that generated that chart. You can modify the query there, or add it to a dashboard.

To switch from a Lucene syntax query to a NRQL query, to the right of the query builder click the NRQL button.

Let's say you want to search Apache logs for 503 response codes, covert that to a NRQL query using FACET, view it as pie chart, and add that chart to a dashboard. Here's how:

From the All logs UI page, search for all Apache logs with 503 response codes, using the query logtype:apache response:503
From the log chart ellipses menu, click View query.
In the query, replace SINCE <timestamp> UNTIL <timestamp> TIMESERIES MAX with FACET verb and click Run. You'll see a table with response codes grouped by method (verb).
Change the chart type to Pie.
Click Add to dashboard and complete the steps.

Query structure

Tip

Search with text

Text operators

Search with attributes

General operators

Numeric operators

Logs query examples

Example: Query Apache logs

About Apache logs

View all Apache logs with `503` response codes:

View all Apache logs with `4xx` or `5xx` response codes:

View all Apache logs with `Method=GET` and `Response=2xx`

Example: Query Amazon Cloudfront CDN logs

About CDN logs

View all access logs that resulted in a cache miss

View all access logs that resulted in a cahce miss from Atlanta edge locations

View all access logs with cs_method=GET that resulted in a 4xx or 5xx error from Atlanta edge locations

See NRQL query and add to dashboard

Query syntax for logs

Query structure .css-21sua1{background:none;border:none;width:0;padding:0;}

Tip

Search with text

Text operators

Search with attributes

General operators

Numeric operators

Logs query examples

Example: Query Apache logs

About Apache logs

View all Apache logs with `4xx` or `5xx` response codes:

View all Apache logs with `Method=GET` and `Response=2xx`

Example: Query Amazon Cloudfront CDN logs

About CDN logs

View all access logs that resulted in a cache miss

View all access logs that resulted in a cahce miss from Atlanta edge locations

View all access logs with cs_method=GET that resulted in a 4xx or 5xx error from Atlanta edge locations

See NRQL query and add to dashboard

Query structure