How to select recently ingested logs? #
Run the following query:
_time:5m
It returns logs over the last 5 minutes by using
_time filter
.
The logs are returned in arbitrary order because of performance reasons.
Add
sort pipe
to the query if you need sorting
the returned logs by some field (usually
_time field
):
_time:5m | sort by (_time)
If the number of returned logs is too big, it may be limited with the
first pipe
.
For example, the following query returns 10 most recent logs, which were ingested during the last 5 minutes:
_time:5m | first 10 by (_time desc)
See also:
How to select logs with the given word in log message? #
Just put the needed
word
in the query.
For example, the following query returns all the logs with the error
word
in
log message
:
error
If the number of returned logs is too big, then add
_time filter
for limiting the time range for the selected logs. For example, the following query returns logs with error
word
over the last hour:
error _time:1h
If the number of returned logs is still too big, then consider adding more specific
filters
to the query. For example, the following query selects logs with error
word
,
which do not contain kubernetes
word
, over the last hour:
error -kubernetes _time:1h
The logs are returned in arbitrary order because of performance reasons. Add
sort pipe
for sorting logs by the needed
fields
. For example, the following query
sorts the selected logs by
_time field
:
error _time:1h | sort by (_time)
See also:
- How to select logs with all the given words in log message?
- How to select logs with some of the given words in log message?
- How to skip logs with the given word in log message?
- Filtering by phrase
- Filtering by prefix
- Filtering by regular expression
- Filtering by substring
How to skip logs with the given word in log message? #
Use
NOT logical filter
. For example, the following query returns all the logs
without the INFO
word
in the
log message
:
-INFO
If the number of returned logs is too big, then add
_time filter
for limiting the time range for the selected logs. For example, the following query returns matching logs over the last hour:
-INFO _time:1h
If the number of returned logs is still too big, then consider adding more specific
filters
to the query. For example, the following query selects logs without INFO
word
,
which contain error
word
, over the last hour:
-INFO error _time:1h
The logs are returned in arbitrary order because of performance reasons. Add
sort pipe
for sorting logs by the needed
fields
. For example, the following query
sorts the selected logs by
_time field
:
-INFO _time:1h | sort by (_time)
See also:
- How to select logs with all the given words in log message?
- How to select logs with some of given words in log message?
- Filtering by phrase
- Filtering by prefix
- Filtering by regular expression
- Filtering by substring
How to select logs with all the given words in log message? #
Just enumerate the needed
words
in the query, by delimiting them with whitespace.
For example, the following query selects logs containing both error and kubernetes
words
in the
log message
:
error kubernetes
This query uses
AND logical filter
.
If the number of returned logs is too big, then add
_time filter
for limiting the time range for the selected logs. For example, the following query returns matching logs over the last hour:
error kubernetes _time:1h
If the number of returned logs is still too big, then consider adding more specific
filters
to the query. For example, the following query selects logs with error and kubernetes
words
from
log streams
containing container="my-app" field, over the last hour:
error kubernetes {container="my-app"} _time:1h
The logs are returned in arbitrary order because of performance reasons. Add
sort pipe
for sorting logs by the needed
fields
. For example, the following query
sorts the selected logs by
_time field
:
error kubernetes _time:1h | sort by (_time)
See also:
- How to select logs with some of given words in log message?
- How to skip logs with the given word in log message?
- Filtering by phrase
- Filtering by prefix
- Filtering by regular expression
- Filtering by substring
How to select logs with some of the given words in log message? #
Put the needed
words
into (...), by delimiting them with or.
For example, the following query selects logs with error, ERROR or Error
words
in the
log message
:
(error or ERROR or Error)
This query uses
OR logical filter
.
If the number of returned logs is too big, then add
_time filter
for limiting the time range for the selected logs. For example, the following query returns matching logs over the last hour:
(error or ERROR or Error) _time:1h
If the number of returned logs is still too big, then consider adding more specific
filters
to the query. For example, the following query selects logs without error, ERROR or Error
words
,
which do not contain kubernetes
word
, over the last hour:
(error or ERROR or Error) -kubernetes _time:1h
The logs are returned in arbitrary order because of performance reasons. Add
sort pipe
for sorting logs by the needed
fields
. For example, the following query
sorts the selected logs by
_time field
:
(error or ERROR or Error) _time:1h | sort by (_time)
See also:
- How to select logs with all the given words in log message?
- How to skip logs with the given word in log message?
- Filtering by phrase
- Filtering by prefix
- Filtering by regular expression
- Filtering by substring
How to select logs from the given application instance? #
Make sure the application is properly configured with
stream-level log fields
.
Then just use
_stream filter
for selecting logs for the given application instance.
For example, if the application contains job="app-42" and instance="host-123:5678"
stream fields
,
then the following query selects all the logs from this application:
{job="app-42",instance="host-123:5678"}
If the number of returned logs is too big, it is recommended adding
_time filter
to the query in order to reduce the number of matching logs. For example, the following query returns logs for the given application for the last day:
{job="app-42",instance="host-123:5678"} _time:1d
If the number of returned logs is still too big, then consider adding more specific
filters
to the query. For example, the following query selects logs from the given
log stream
,
which contain error
word
in the
log message
,
over the last day:
{job="app-42",instance="host-123:5678"} error _time:1d
The logs are returned in arbitrary order because of performance reasons. Use
sort pipe
for sorting the returned logs by the needed fields. For example, the following query sorts the selected logs
by
_time
:
{job="app-42",instance="host-123:5678"} _time:1d | sort by (_time)
See also:
- How to determine applications with the most logs?
- How to skip logs with the given word in log message?
How to count the number of matching logs? #
Use
count() stats function
. For example, the following query returns
the number of results returned by your_query_here:
your_query_here | count()
How to determine applications with the most logs? #
Run the following query:
_time:5m | stats by (_stream) count() as logs | sort by (logs desc) | limit 10
This query returns top 10 application instances (aka log streams ) with the most logs over the last 5 minutes.
This query uses the following LogsQL features:
_timefilter for selecting logs on the given time range (5 minutes in the query above).statspipe for calculating the number of logs. per each_stream.countstats function is used for calculating the needed stats.sortpipe for sorting the stats bylogsfield in descending order.limitpipe for limiting the number of returned results to 10.
This query can be simplified into the following one, which uses
top pipe
:
_time:5m | top 10 by (_stream)
See also:
- How to filter out data after stats calculation?
- How to calculate the number of logs per the given interval?
- How to select logs from the given application instance?
How to parse JSON inside log message? #
It is better from performance and resource usage PoV to avoid storing JSON inside log message . It is recommended storing individual JSON fields as log fields instead according to VictoriaLogs data model .
If you have to store JSON inside log message or inside any other
log fields
,
then the stored JSON can be parsed during query time via
unpack_json pipe
.
For example, the following query unpacks JSON from the
_msg field
across all the logs for the last 5 minutes:
_time:5m | unpack_json
If you need to parse JSON array, then take a look at
unroll pipe
.
How to extract some data from text log message? #
Use
extract
or
extract_regexp
pipe.
For example, the following query extracts username and user_id fields from text
log message
:
_time:5m | extract "username=<username>, user_id=<user_id>,"
See also:
How to filter out data after stats calculation? #
Use
filter pipe
. For example, the following query
returns only
log streams
with more than 1000 logs
over the last 5 minutes:
_time:5m | stats by (_stream) count() rows | filter rows:>1000
How to calculate the number of logs per the given interval? #
Use
stats by time bucket
. For example, the following query
returns per-hour number of logs with the error
word
for the last day:
_time:1d error | stats by (_time:1h) count() rows | sort by (_time)
This query uses
sort pipe
in order to sort per-hour stats
by
_time
.
How to calculate the number of logs per IPv4 subnetwork? #
Use
stats by IPv4 bucket
. For example, the following
query returns top 10 /24 subnetworks with the biggest number of logs for the last 5 minutes:
_time:5m | stats by (ip:/24) count() rows | last 10 by (rows)
This query uses
first pipe
in order to get up to 10 per-subnetwork stats
with the biggest number of rows.
The query assumes the original logs have ip
field
with the IPv4 address.
If the IPv4 address is located inside
log message
or any other text field,
then it can be extracted with the
extract
or
extract_regexp
pipes. For example, the following query
extracts IPv4 address from
_msg field
and then returns top 10
/16 subnetworks with the biggest number of logs for the last 5 minutes:
_time:5m | extract_regexp "(?P<ip>([0-9]+[.]){3}[0-9]+)" | stats by (ip:/16) count() rows | first 10 by (rows desc)
How to calculate the number of logs per every value of the given field? #
Use
stats by field
. For example, the following query
calculates the number of logs per level
field
for logs over the last 5 minutes:
_time:5m | stats by (level) count() rows
An alternative is to use
field_values pipe
:
_time:5m | field_values level
How to get unique values for the given field? #
Use
uniq pipe
. For example, the following query returns unique values for the ip field
over logs for the last 5 minutes:
_time:5m | uniq by (ip)
How to get unique sets of values for the given fields? #
Use
uniq pipe
. For example, the following query returns unique sets for (host, path) fields
over logs for the last 5 minutes:
_time:5m | uniq by (host, path)
How to return last N logs for the given query? #
Use
first pipe
. For example, the following query returns the last 10 logs with the error
word
in the
_msg field
over the logs for the last 5 minutes:
_time:5m error | first 10 by (_time desc)
It sorts the matching logs by
_time field
and then selects
the last 10 logs with the highest values for the _time field.
If the query is sent to
/select/logsql/query HTTP API
, then limit=N query arg
can be passed to it in order to return up to N latest log entries. For example, the following command returns up to 10 latest log entries with the error word:
curl http://localhost:9428/select/logsql/query -d 'query=error' -d 'limit=10'
See also:
How to calculate the share of error logs to the total number of logs? #
Use the following query:
_time:5m | stats count() logs, count() if (error) errors | math errors / logs
This query uses the following LogsQL features:
_timefilter for selecting logs on the given time range (last 5 minutes in the query above).statspipe with additional filtering for calculating the total number of logs and the number of logs with theerrorword on the selected time range.mathpipe for calculating the share of logs witherrorword comparing to the total number of logs.
How to select logs for working hours and weekdays? #
Use
day_range
and
week_range
filters.
For example, the following query selects logs from Monday to Friday in working hours [08:00 - 18:00] over the last 4 weeks:
_time:4w _time:week_range[Mon, Fri] _time:day_range[08:00, 18:00)
It uses implicit
AND logical filter
for joining multiple filters
on
_time field
.
How to find logs with the given phrase containing whitespace? #
Use
phrase filter
. For example, the following
LogsQL query
returns logs with the cannot open file phrase over the last 5 minutes:
_time:5m "cannot open file"
How to select all the logs for a particular stacktrace or panic? #
Use
stream_context pipe
for selecting surrounding logs for the given log.
For example, the following query selects up to 10 logs in front of every log message containing the stacktrace
word
,
plus up to 100 logs after the given log message:
_time:5m stacktrace | stream_context before 10 after 100
How to get the duration since the last seen log entry matching the given filter? #
Use the following query:
_time:1d ERROR
| stats max(_time) as max_time
| math round((now() - max_time) / 1s) as duration_seconds
It uses
max() stats function
for obtaining the maximum value
for the
_time field
across all the logs for the last day,
which contain the ERROR word in the
_msg field
.
Then it uses now() function at
math pipe
for calculating
the duration since the last seen log entry with the ERROR word.