
Query syntax for logs

Use our Logs UI at one.newrelic.com to quickly search through your log data in seconds. Each log lists available attributes in the log_summary column. To drill down into additional details, click any highlighted attribute.

Ready to get started? If you haven't already, be sure to sign up for a New Relic account. It's free, forever.

Query structure

Using the Logs UI, you can search through your log data by entering either simple keywords, such as new and relic, or phrases such as "new relic agent", directly into the search field.

Plain terms are a "contains" search for the message attribute of your logs. For instance, "New Relic Agent" is equivalent to the more verbose message: "*New Relic Agent*".

To search other attributes, prefix the attribute to your terms, such as source: "*New Relic agent*". See "General operators" below for more details.

You can also combine keywords or phrases with operators to form more complex queries.

Tip

Log queries in New Relic are based on the Lucene query language, and any Lucene function listed in this document is supported. (If a Lucene function is not listed, we do not support it.) For some helpful examples, check out this Lucene tutorial.

General query rules:

Log query rules

Comments

Case sensitive

The query syntax is case sensitive for attribute values. Attribute names are always case sensitive.

Exception: Wildcard searches are case insensitive for attribute values.

Whitespace characters

When a term contains whitespace characters such as the space or tab character, the term will need to be double-quoted.

Example: To query for a status attribute that contains exactly POST /log/v1, quote the term like this:

status: "POST /log/v1"

Note: To query for a status attribute that contains POST /log/v1 somewhere in the attribute, you'll need to add wildcard characters like status: "*POST /log/v1*" (see below for details on wildcards).

Special characters

When a term contains special characters, double-quote the term and escape the special characters using a backslash (\). This includes special characters such as +, -, &, |, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, /, or \.

Example: To query for a status attribute containing exactly "POST /log/v1 HTTP/1.1" 202, escape the quotes like this:

status: "\"POST /log/v1 HTTP/1.1\" 202"

Wildcard searches

You can run wildcard searches using an asterisk (*) to replace zero or more characters.

Example: To query for a status attribute that contains 202 somewhere in it, format the query like this:

status: *202*

If your term contains spaces or other metacharacters (see above), you'll need to quote the wildcarded term.

Example: To query for a status attribute that contains /log/v1 202 somewhere in it, format the query like this:

status: "*/log/v1 202*"

Search with text

To return more specific query results, use text searches to join together keywords or phrases.

Text operators

The Logs query syntax accepts the following text operators:

Condition

Text operator example

Matching (keyword)

Search for log results containing keywords entered separately:

"new" "relic"

Exact matching (phrase)

Search for log results containing the specific phrase entered:

"new relic agent"

Either / Or

Search for log results containing either or both of the keywords entered:

new OR relic

And

Search for log results containing both of the keywords entered:

new AND relic

* Wildcard (zero or more)

Search for log results containing both of the keywords entered, with zero or more characters between them:

new*relic

Negation (keyword)

Search for log results that do not contain the specific keyword entered:

-new

Negation (phrase)

Search for log results that do not contain the specific phrase entered:

-"new relic"

Search with attributes

Use attribute searches to narrow the query results to a specific attribute or field.

General operators

The following operators can be used by all types of attributes:

Condition

General operator example

Equal :

Search for log results where the attribute equals the keyword specified. Example: The field hostname equals chi:

hostname:chi

Does not equal - :

Search for log results where the attribute does not equal the keyword specified. Example: The field hostname does not equal chi.

-hostname:chi

Contains *

Search for log results where the attribute contains the specified keyword. Example: The field hostname contains chi.

hostname:*chi*

Does not contain - *

Search for log results where the attribute does not contain the specified keyword. Example: The field hostname does not contain chi.

-hostname:*chi*

Starts with *

Search for log results where the attribute starts with the specified keyword. Example: The field hostname starts with chi.

hostname:chi*

Ends with *

Search for log results where the attribute ends with the specified keyword. Example: The field hostname ends with chi.

hostname:*chi

Has

Search for log results that have the specified field. Example: Has the field user_name.

has:user_name

Missing

Search for log results that are missing the specified field. Example: Missing the field user_name.

missing:user_name

Numeric operators

The following operators can only be used by numeric attributes:

Condition

Numeric operator example

Greater than

Search for log results with attribute matches that are greater than the given parameter. Example: The field http_response_time_ms is greater than 500.

http_response_time_ms:>500

Greater than or equal to

Search for log results with attribute matches that are greater than or equal to the given parameter. Example: The field http_response_time_ms is greater than or equal to 500.

http_response_time_ms:>=500

Less than

Search for log results with attribute matches that are less than the given parameter. Example: The field http_response_time_ms is less than 500.

http_response_time_ms:<500

Less than or equal to

Search for log results with attribute matches that are less than or equal to the given parameter. Example: The field http_response_time_ms is less than or equal to 500.

http_response_time_ms:<=500

Example: Search string in URI for deployments

You can build a New Relic URL that includes the log search string in the URI. This is useful, for example, when you want to include a direct link to the New Relic Logs UI in a Kubernetes deployment. You want the link to pass a custom URL populated with the search for a specific container name.

Here is an example URL:

https://one.newrelic.com/launcher/logger.log-launcher?platform[accountId]=1234567&launcher=jyJpc0VudGl0&pane=zyJuZXJkbGV0SWQiO=

In this search, the query is your Lucene query. Edit these values as applicable:

  • accountId is your account.
  • eventTypes are your log partitions (usually Log).

You do not need to edit the other values.

The launcher is a Base64 encoding of:

'{"isEntitled":true,"query":"foo:\\"bar\\" environment:\\"production\\"","eventTypes":["Log"]}'

The pane is a Base64 encoding of:

'{"nerdletId":"logger.log-tailer","accountId":1234567}'
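
The escaping rule under "Special characters" and the URL recipe above, combined as an added example (not New Relic's own code): each attribute value is quoted and escaped so that quote or operator characters in a value such as a container name cannot change the query, and the result is packed into the launcher and pane parameters. Assumptions: the helper names, the container_name attribute in the sample, the allowed shape of attribute names, standard Base64 over compact JSON, and percent-encoding of + and / in the Base64 text.

```python
import base64
import json
import re
from urllib.parse import quote, unquote

# Special characters listed under "Special characters" on this page.
SPECIAL = set('+-&|!(){}[]^"~*?:/\\')

def quote_term(value: str) -> str:
    """Double-quote a value, backslash-escaping every listed special character."""
    return '"' + "".join("\\" + c if c in SPECIAL else c for c in value) + '"'

def build_query(filters: dict) -> str:
    """Join attribute:"value" exact-match terms; names are checked, not escaped."""
    terms = []
    for attr, value in filters.items():
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", attr):  # assumed name shape
            raise ValueError(f"unexpected attribute name: {attr!r}")
        terms.append(f"{attr}:{quote_term(value)}")
    return " ".join(terms)

def b64_json(obj) -> str:
    """Compact JSON -> standard Base64; '+' and '/' percent-encoded (assumption)."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return quote(base64.b64encode(raw).decode("ascii"), safe="=")

def logs_url(account_id: int, filters: dict, partitions=("Log",)) -> str:
    """Build the Logs UI link in the shape shown on this page."""
    launcher = {"isEntitled": True, "query": build_query(filters),
                "eventTypes": list(partitions)}
    pane = {"nerdletId": "logger.log-tailer", "accountId": account_id}
    return ("https://one.newrelic.com/launcher/logger.log-launcher"
            f"?platform[accountId]={account_id}"
            f"&launcher={b64_json(launcher)}&pane={b64_json(pane)}")

def decode_param(url: str, name: str) -> dict:
    """Reverse b64_json for one parameter, to review what a link carries."""
    value = url.split(f"&{name}=", 1)[1].split("&", 1)[0]
    return json.loads(base64.b64decode(unquote(value)))

if __name__ == "__main__":
    # Constructed sample: a container name carrying quote and operator characters.
    url = logs_url(1234567, {"container_name": 'web" OR hostname:*',
                             "environment": "production"})
    print(url)
    print(decode_param(url, "launcher")["query"])
```

decode_param is useful on its own for checking what query a received link will run before opening it.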
Copyright © 2022 New Relic Inc.