Coralogix brings a whole new approach to machine data analytics with its Loggregation and anomaly detection capabilities, but sometimes all you need is to query your data and get fast reliable results.
Coralogix’s Log query brings an intuitive interface with a flexible query and Grid layout options to allow you to query any data in seconds. In addition, Coralogix’s log query uses the unique capabilities of log template identification to enable you to query a log template regardless of its parameters using any query language or defining regular expressions.
Log Query
First, click the Logs icon on your dashboard to open the log query interface.
Define the query text and time window (default is last 15 min), note that you can run queries based on Elastic ‘simple query’ or run a free-text query, just hover the test tube icon (on the top left to the query space) for instructions. Click ‘GO’ to get results in seconds, or ‘Clear’ to reset the query back to default. Once you get the query results, you can see that the occurrences graph above the retrieved log records was changed as we filtered out log entries that didn’t answer our search criteria.
Coralogix supports the following query types:
Unstructured logs
Google-styled search query – match any log with the combination of words queried on the entire log payload. Querying Coralogix is will return the logs Coralogix is the best, Coralogix query is flexible and is Coralogix the best.
To match an exact string use the following query form: text:”your string”. Thus text:”Coralogix is” will return just the log Coralogix is the best.
JSON structured logs
Google-styled search query as described above.
Elastic simple query – with word tokenization according to word delimiters*. Querying Key:first-name will return both the log {“Key”:”my first name is John”} and {“Key”:”the first participant’s name is John”}. You can add a regex to the query with the following convention: user_id:/.*a8ffe/, which will return only logs whose user_id value (or a specific token within user_id) ends with a8ffe; e.g. {“user_id”:”10aefa8ffe”}, {“user_id”:”48cdn9 – 555, ggypla8ffe”}.
Keyword search – add the ‘.keyword’ suffix to the field name to query data without tokenization so that Key.keyword:first-name* will return the log {“Key:”first-name: John”} and also {“Key”:”first-name: Bob”} but won’t return the log {“Key”:”The first participant’s name is John”} as it looks to match the exact phrase ‘first-name’ at the beginning of the text. You can add a regex to the keyword query with the following convention: Key.keyword:/.*first.*John.*/, which will return only the logs {“Key”:”first-name: John”} and the log {“Key”:”The first participant’s name is John”}.
In order for a query to match, the searched phrase/word should match a full token.
Example 1
Our log:
{ "user" : "John", "post" : "Going for cookies cream is a real treat" }
The field ‘post’ has the following tokens: going, for, cookies, cream, is, a, real, treat
The query: post:cook – no match as it isn’t matching any token The query: post:cream – fully matches the token cream The query: post:cook* – fully matches the token cookies The query (using double quotes to capture a phrase): post:”real treat” – fully matches the exact combination, ‘real treat’, hence we have a match.
Example 2
Our log:
{ "aircraft" : "Boeing", "message" : "flight number fly1234paris has been delayed" }
The field ‘message’ has the following tokens: flight, number, fly1234paris, has, been, delayed
The query: message:delayed – fully matches the token delayed
The query: message:paris – no match as it isn’t matching any token
The query: message:fly1234paris – fully matches the token fly1234paris
Example 3
When performing a keyword search (by adding the suffix .keyword to the Elastic field’s name as described in #2), no tokenization is performed and the ‘key.keyword’ field populates the entire string (with one limitation – if its string is longer than 256 characters no results are returned as the keyword only holds the first 256 characters.).
Our log:
{ "aircraft" : "Boeing", "message" : "flight number fly1234paris has been delayed" }
message.keyword token is the entire string: flight number fly1234paris has been delayed.
The query: message.keyword:delayed – no match as it isn’t matching the token in full
The query: message.keyword:flight – no match as it isn’t matching the token in full
The query: message.keyword:flight* – fully matches the message.keyword field’s token
The query (using Regex): message.keyword:/.*paris.*/ – fully matches the message.keyword field token
Now you see that the word you searched for is being highlighted for better visibility.
Example 4
Coralogix stores fields with values that could be interpreted as numeric such as “123”, “0″, etc., in a field called fieldname.numeric.
For example: duration.numeric. In such cases, when doing a range query we use the following syntax:
fieldname.numeric:[lowerValue TO higherValue], or fieldname.numeric:{lowerValue TO higherValue},
or a combination of [ or { at the beginning, or ] or } at the end of the range.
The differences are as follows:
a. fieldname.numeric:[1 TO 7] –> 1 =< x = < 7; ie: The value of x is greater or equal to 1, and less or equal to 7.
b. fieldname.numeric:{1 TO 7} –> 1 < x < 7; ie: The value of x is greater than 1, and less than 7.
c. fieldname.numeric:[1 TO 7} –> 1 =< x < 7; ie: The value of x is greater or equal to 1, and less than 7.
a. duration.numeric:[2 TO 8] will return 3 logs (Match is greater or equal to 2, and less or equal to 8).
Query Surrounding Logs
To query the surroundings of a log on your results simply mark that log, click the ‘Query selected log before & After’ button, and select the desired timeframe. This will retrieve all logs prior to and after the selected log from the same application and subsystem.
View Raw Log
To view raw log simply mark a log and click the 3 dots that will appear or press the ‘space’ button.
View Templates
Use Templates to view the unique appearances of your logs and their variable models (Note it takes 24H for Loggregation to become active)
Static query link
You can retrieve your data by performing queries and opening public saved views within the URL address.
Oh no!We didn’t find anything for “”,
