
Query syntax for logs

Use our logs UI at one.newrelic.com to quickly search through your log data in seconds. Each log lists available attributes in the log_summary column. To drill down into additional details, click any highlighted attribute.

Query structure

Using logs, you can search through your log data by entering either simple keywords, such as new and relic, or phrases such as "new relic agent", directly into the search field.

Plain terms are a 'contains' search for the message attribute and the filePath of your logs. For instance, "new relic agent" is equivalent to the more verbose message: "*New Relic Agent*".

To search other attributes, prefix the attribute to your terms, such as source: "*new relic agent*". See General operators below for more details.

You can also combine keywords or phrases with operators to form more complex queries.

Tip

Log queries in New Relic are based on the Lucene query language, and any Lucene function listed in this document is supported. (If a Lucene function isn't listed, we don't support it.) For some helpful examples, check out this Lucene tutorial.

General query rules:

Log query rules

Comments

Case sensitive

The query syntax is case sensitive for attribute values. Attribute names are always case sensitive.

Exception: Wildcard searches are case insensitive for attribute values.

Whitespace characters

When a term contains whitespace characters such as the space or tab character, the term will need to be double-quoted.

Example: To query for a status attribute that contains exactly POST /log/v1, quote the term like this:

status: "POST /log/v1"

Note: To query for a status attribute that contains POST /log/v1 somewhere in the attribute, add wildcard characters, like status: "*POST /log/v1*" (see Wildcard searches below for details).

Special characters

When a term contains special characters, double-quote the term and escape the special characters using a backslash (\). This includes special characters such as +, -, &, |, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, /, or \.

Example: To query for a status attribute containing exactly "POST /log/v1 HTTP/1.1" 202, escape the quotes like this:

status: "\"POST /log/v1 HTTP/1.1\" 202"

Wildcard searches

You can run wildcard searches using an asterisk (*) to replace zero or more characters.

Example: To query for a status attribute that contains 202 somewhere in it, format the query like this:

status: *202*

If your term contains spaces or other metacharacters (see above), you'll need to quote the wildcarded term.

For example, to query for a status attribute that contains /log/v1 202 somewhere in it, format the query like this:

status: "*/log/v1 202*"

Search with text

To return more specific query results, use text searches to join together keywords or phrases.

Text operators

The Logs query syntax accepts the following text operators:

Condition

Text operator example

Matching (keyword)

Search for log results containing keywords entered separately:

"new" "relic"

Exact matching (phrase)

Search for log results containing the specific phrase entered:

"new relic agent"

Either / Or

Search for log results containing either or both of the keywords entered:

new OR relic

And

Search for log results containing both of the keywords entered:

new AND relic

* Wildcard (zero or more)

Search for log results containing both of the keywords entered, with zero or more characters between them:

new*relic

Negation (keyword)

Search for log results that do not contain the specific keyword entered:

-new

Negation (phrase)

Search for log results that do not contain the specific phrase entered.

-"new relic"

Search with attributes

Use attribute searches to narrow the query results to a specific attribute or field.

General operators

The following operators can be used by all types of attributes:

Condition

General operator example

Equal :

Search for log results where the attribute equals the keyword specified. Example: The field hostname equals chi:

hostname:chi

Does not equal - :

Search for log results where the attribute does not equal the keyword specified. Example: The field hostname does not equal chi.

-hostname:chi

Contains *

Search for log results where the attribute contains the specified keyword. Example: The field hostname contains chi.

hostname:*chi*

Does not contain - *

Search for log results where the attribute does not contain the specified keyword. Example: The field hostname does not contain chi.

-hostname:*chi*

Starts with *

Search for log results where the attribute starts with the specified keyword. Example: The field hostname starts with chi.

hostname:chi*

Ends with *

Search for log results where the attribute ends with the specified keyword. Example: The field hostname ends with chi.

hostname:*chi

Has

Search for log results that have the specified field. Example: Has the field user_name.

has:user_name

Missing

Search for log results that are missing the specified field. Example: Missing the field user_name.

missing:user_name
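The quoting and escaping rules above matter most when query terms are generated by a script from literal values (a path, a request line, a field copied from an alert). The following is an added example, not New Relic's code: `build_term` and `escape_literal` are hypothetical helpers, the attribute-name check is a conservative choice of this example, and escaping only `\`, `"`, `*` and `?` inside quotes is an assumption based on the page's own quoted examples.

```python
import re

# Special characters listed on the page; a value containing any of them
# (or whitespace) must be double-quoted.
SPECIAL = set('+-&|!(){}[]^"~*?:/\\')

# Wildcard placement for the page's general operators.
MODES = {
    "equals": ("", ""),
    "contains": ("*", "*"),
    "starts_with": ("", "*"),
    "ends_with": ("*", ""),
}


def escape_literal(value):
    # Assumption: inside a quoted term, escape backslash, double quote and the
    # wildcard characters; '/' stays bare, as in the page's quoted examples.
    return re.sub(r'([\\"*?])', r"\\\1", value)


def build_term(attribute, value, mode="equals", negate=False):
    """Return one attribute term such as -hostname:*chi* for a literal value."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    # Assumption of this example: accept only conservative attribute names.
    if not re.fullmatch(r"[A-Za-z_][\w.]*", attribute):
        raise ValueError(f"unsupported attribute name: {attribute!r}")
    if not value:
        raise ValueError("empty value")
    prefix, suffix = MODES[mode]
    if any(c.isspace() or c in SPECIAL for c in value):
        term = '"' + prefix + escape_literal(value) + suffix + '"'
    else:
        term = prefix + value + suffix
    return ("-" if negate else "") + attribute + ":" + term


if __name__ == "__main__":
    # Constructed sample values, including one that tries to break out of its term.
    samples = [
        ("hostname", "chi", "contains", True),
        ("status", '"POST /log/v1 HTTP/1.1" 202', "equals", False),
        ("message", 'x" OR hostname:*', "equals", False),
    ]
    for attribute, value, mode, negate in samples:
        print(build_term(attribute, value, mode, negate))
```

The terms are emitted without a space after the colon, as in hostname:chi.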

Numeric operators

The following operators can only be used by numeric attributes:

Condition

Numeric operator example

Greater than

Search for log results with attribute matches that are greater than the given parameter. Example: The field http_response_time_ms is greater than 500.

http_response_time_ms:>500

Greater than or equal to

Search for log results with attribute matches that are greater than or equal to the given parameter. Example: The field http_response_time_ms is greater than or equal to 500.

http_response_time_ms:>=500

Less than

Search for log results with attribute matches that are less than the given parameter. Example: The field http_response_time_ms is less than 500.

http_response_time_ms:<500

Less than or equal to

Search for log results with attribute matches that are less than or equal to the given parameter. Example: The field http_response_time_ms is less than or equal to 500.

http_response_time_ms:<=500

Logs query examples

Example: Query Apache logs

About Apache logs

If you have Apache logs, we recommend using our built-in parsing rules for Apache logs to parse the logs into attributes. To use the built-in parsing, simply add the logtype: apache attribute to your logging.yml configuration on the hosts for your Apache logs.

Here are some examples of querying Apache logs:

Example: Query Amazon CloudFront CDN logs

About CDN logs

If you have Amazon CloudFront logs, learn how to Forward Amazon CloudFront access logs to New Relic. We offer built-in parsing rules that can be used to automatically parse your Amazon CloudFront standard or real-time access logs. We also have an Amazon CloudFront access logs quickstart dashboard you can install that gives you immediate insight into your Amazon CloudFront CDN access logs!

Here are some examples of querying Amazon CloudFront CDN access logs:

See NRQL query and add to dashboard

To see the NRQL version of a logs chart, click the ellipses menu on that chart and click View query. This opens up a view of the NRQL that generated that chart. You can modify the query there, or add it to a dashboard.

To switch from a Lucene syntax query to a NRQL query, to the right of the query builder click the NRQL button.

Let's say you want to search Apache logs for 503 response codes, convert that to a NRQL query using FACET, view it as a pie chart, and add that chart to a dashboard. Here's how:

  1. From the All logs UI page, search for all Apache logs with 503 response codes, using the query logtype:apache response:503
  2. From the log chart ellipses menu, click View query.
  3. In the query, replace SINCE <timestamp> UNTIL <timestamp> TIMESERIES MAX with FACET verb and click Run. You'll see a table with response codes grouped by method (verb).
  4. Change the chart type to Pie.
  5. Click Add to dashboard and complete the steps.
Copyright © 2024 New Relic Inc.
