Build log queries with the Lucene Query Builder
Create structured log queries without writing raw Lucene syntax. The Query Builder helps you filter logs by selecting fields, operators, and values from your data.
Select a data source
Choose the data you want to query before building filters.
In Builder mode, select Logs or a log-based dataset as your data source. This loads available log attributes, values, and metadata, which power field suggestions, autocomplete, and query results.
Selecting the correct data source ensures your query evaluates the right log records.
Build a query
Build your query by adding one or more filters. Filters define the conditions logs must meet to appear in results.
Each filter includes:
- Field: The log attribute to evaluate (for example, status code, message, or service name)
- Operator: The comparison logic used to evaluate the field
- Value: The value to match against the field
Combine multiple filters to narrow results or target specific log events. Each filter becomes part of the query and remains editable — modify or remove filters at any time.
Select a field
Select the log attribute you want to evaluate. Start typing a field name to see matching attributes from your log data. Suggestions are generated dynamically based on available fields.
Field autocomplete helps you:
- Discover available log attributes
- Reduce typing errors
- Select the correct field quickly
- Explore your log data structure
Select an operator
After selecting a field, choose an operator to define the comparison logic. Available operators depend on the field type.
| Operator | Description |
|---|---|
| = | Exact match |
| != | Not equal |
| : | Contains a value |
| ^= | Starts with a value |
| $= | Ends with a value |
| > | Greater than (numeric or date) |
| < | Less than (numeric or date) |
| >= | Greater than or equal to |
| <= | Less than or equal to |
| ~ | Matches a regular expression |
| !~ | Does not match a regular expression |
| exists | Field exists |
| does not exist | Field does not exist |
Enter or select a value
After selecting an operator, enter or select a value for the filter. As you type, the system suggests matching values based on recent log data and known field values.
Selecting or confirming a value completes the filter and updates the query.
Value suggestions help you:
- Select valid values faster
- Reduce typing errors
- Discover common values in your logs
Combine filters with boolean logic
Control how multiple filters work together:
- Filters use AND by default, which requires all conditions to match
- Switch the connector between filters to OR to match any condition
- Combine multiple conditions to create precise query logic
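The operator table and the AND/OR connector can be modelled offline to check what a set of filters should return before relying on it in a saved query. The sketch below is an added example, not the product's own code: `match_filter`, `run_query`, and the sample records are hypothetical, and it assumes case-sensitive string matching, that a missing field never satisfies a comparison, and a single connector applied across all filters.

```python
import re

# Operator semantics as listed in the table above. Case-sensitive string
# matching is an assumption; the page does not specify it.
OPS = {
    "=":  lambda a, v: a == v,
    "!=": lambda a, v: a != v,
    ":":  lambda a, v: str(v) in str(a),
    "^=": lambda a, v: str(a).startswith(str(v)),
    "$=": lambda a, v: str(a).endswith(str(v)),
    ">":  lambda a, v: a > v,
    "<":  lambda a, v: a < v,
    ">=": lambda a, v: a >= v,
    "<=": lambda a, v: a <= v,
    "~":  lambda a, v: re.search(v, str(a)) is not None,
    "!~": lambda a, v: re.search(v, str(a)) is None,
}

def match_filter(record, field, op, value=None):
    """Evaluate one (field, operator, value) filter against a log record."""
    if op == "exists":
        return field in record
    if op == "does not exist":
        return field not in record
    if field not in record:
        return False  # assumption: a missing field never satisfies a comparison
    return OPS[op](record[field], value)

def run_query(records, filters, connector="AND"):
    """Apply all filters with one connector: AND (the default) or OR."""
    combine = all if connector == "AND" else any
    return [r for r in records if combine(match_filter(r, *f) for f in filters)]

# Constructed sample records (not real log data).
LOGS = [
    {"service": "auth-api", "status": 401, "message": "login failed for user alice"},
    {"service": "auth-api", "status": 200, "message": "login ok for user bob"},
    {"service": "billing", "status": 500, "message": "upstream timeout", "trace_id": "t-1"},
    {"service": "auth-worker", "status": 403, "message": "token rejected"},
]

# Failed requests on any service whose name starts with "auth".
FAILED_AUTH = [("service", "^=", "auth"), ("status", ">=", 400)]
```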
Manage filters
Refine your query by managing filters:
- Add multiple filters to narrow results
- Modify an existing filter to change the field, operator, or value
- Remove a filter to broaden results
Changes apply immediately and update query results in real time.
Use autocomplete
Autocomplete guides you through the query-building process and reduces manual input. Suggestions appear automatically when you:
- Enter a field name
- Select an operator
- Enter a value
Suggestions are generated from log metadata and recent data, helping you build accurate queries faster and discover available fields and values.
View query results
Query results update automatically when you add or modify filters. The interface refreshes logs, charts, and related views to reflect the current query.
The system preserves the full filter configuration, so you can share the query or return to it later.
For details on how Lucene queries behave differently in alert evaluation compared to Case and Incident views, see Query behavior.