
Example Queries

The queries below run against the k8s sample logs data set (stream `quickstart1`).

  1. To search all full-text fields for the word error. This is a case-sensitive search:
    • match_all('error')
    • match_all searches only the fields that are configured for full text search. The default set of fields is msg, message, log and logs. If you want more fields scanned during full text search, configure them under stream settings. To search a specific field, use str_match instead.
  2. Search only the log field for error. This is much more efficient than match_all because it searches a single field:
    • str_match(log, 'error')
  3. To do a case insensitive search for error
    • match_all_ignore_case('error')
  4. To search for all log entries where code is 200. code is a numeric field:
    • code=200
  5. To search for all log entries where the code field has no value:
    • code is null
    • ❌ code=' ' will not return the right results: code is numeric, and a missing value is null, not a blank string.
  6. To search for all log entries where the code field has a value:
    • code is not null
    • ❌ code!=' ' will not return the right results, for the same reason.
  7. code > 399
    • code>399
  8. code >= 400
    • code >= 400
    • ❌ code=>400 is not valid syntax; the operator is >=.
  9. Query to draw a line chart of HTTP status codes on a timeline (one count column per code, bucketed by histogram(_timestamp)):

```sql
SELECT histogram(_timestamp) AS ts_histogram,
       count(CASE WHEN code=200 THEN 1 END) AS code_200_count,
       count(CASE WHEN code=401 THEN 1 END) AS code_401_count,
       count(CASE WHEN code=500 THEN 1 END) AS code_500_count
FROM quickstart1
GROUP BY ts_histogram
```
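The SQL semantics behind queries 1 to 9, as an added example that is not part of the OpenObserve docs: it builds a `quickstart1` table of constructed log rows in an in-memory SQLite database and runs the same shapes of query against it. `match_all`, `str_match`, `match_all_ignore_case` and `histogram()` are OpenObserve functions that SQLite does not have, so the block stands in `instr()` (case-sensitive), `LIKE` (case-insensitive) and `strftime()` minute buckets for them; the row values and timestamps are invented.

```python
"""Added example (not OpenObserve's own code): the query semantics from the
docs page, reproduced against an in-memory SQLite table of constructed rows.

SQLite stand-ins for OpenObserve functions:
  str_match(log, 'x')        -> instr(log, 'x') > 0      (case-sensitive)
  match_all_ignore_case('x') -> log LIKE '%x%'           (ASCII case-insensitive)
  histogram(_timestamp)      -> strftime('...:00Z', _timestamp) minute buckets
"""
import sqlite3

# Constructed sample rows modelled on k8s ingress logs; not real data.
# code is NULL on the aborted request, which is what query 5 has to find.
SAMPLE_LOGS = [
    ("2024-05-01T10:00:05Z", 200, "GET /healthz 200"),
    ("2024-05-01T10:00:40Z", 401, "Unauthorized: token error"),
    ("2024-05-01T10:01:10Z", 500, "upstream ERROR: connection reset"),
    ("2024-05-01T10:01:30Z", None, "request aborted before response"),
    ("2024-05-01T10:02:02Z", 200, "GET /api/items 200"),
    ("2024-05-01T10:02:50Z", 500, "handler error: nil pointer"),
]


def load_logs() -> sqlite3.Connection:
    """Create the quickstart1 table and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quickstart1 (_timestamp TEXT, code INTEGER, log TEXT)")
    conn.executemany("INSERT INTO quickstart1 VALUES (?, ?, ?)", SAMPLE_LOGS)
    return conn


def count_log_matching(conn: sqlite3.Connection, word: str, ignore_case: bool = False) -> int:
    """Queries 2 and 3: substring search on the single field `log`.
    The search term is bound as a parameter, never interpolated into the SQL."""
    if ignore_case:
        # LIKE is case-insensitive for ASCII in SQLite (match_all_ignore_case).
        sql = "SELECT count(*) FROM quickstart1 WHERE log LIKE '%' || ? || '%'"
    else:
        # instr() is a byte-wise, case-sensitive match (str_match).
        sql = "SELECT count(*) FROM quickstart1 WHERE instr(log, ?) > 0"
    return conn.execute(sql, (word,)).fetchone()[0]


def count_missing_code(conn: sqlite3.Connection, use_empty_string: bool = False) -> int:
    """Query 5: rows whose numeric `code` has no value.
    With use_empty_string=True this runs the incorrect form from the docs
    (code = ' '), which never matches because NULL equals nothing and a
    numeric column is not a blank string."""
    sql = ("SELECT count(*) FROM quickstart1 WHERE code = ' '" if use_empty_string
           else "SELECT count(*) FROM quickstart1 WHERE code IS NULL")
    return conn.execute(sql).fetchone()[0]


def count_code_at_least(conn: sqlite3.Connection, threshold: int) -> int:
    """Query 8: numeric comparison (code >= threshold). NULL codes never compare true."""
    sql = "SELECT count(*) FROM quickstart1 WHERE code >= ?"
    return conn.execute(sql, (threshold,)).fetchone()[0]


def status_timeline(conn: sqlite3.Connection) -> list:
    """Query 9: one row per time bucket with a count column per status code.
    count(CASE WHEN ... THEN 1 END) counts only matching rows because the
    CASE yields NULL otherwise, and count() ignores NULLs."""
    sql = """
        SELECT strftime('%Y-%m-%dT%H:%M:00Z', _timestamp) AS ts_histogram,
               count(CASE WHEN code = 200 THEN 1 END) AS code_200_count,
               count(CASE WHEN code = 401 THEN 1 END) AS code_401_count,
               count(CASE WHEN code = 500 THEN 1 END) AS code_500_count
        FROM quickstart1
        GROUP BY ts_histogram
        ORDER BY ts_histogram
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_logs()
    print("case-sensitive 'error':  ", count_log_matching(db, "error"))
    print("case-insensitive 'error':", count_log_matching(db, "error", ignore_case=True))
    print("code IS NULL:            ", count_missing_code(db))
    print("code = ' ' (wrong):      ", count_missing_code(db, use_empty_string=True))
    print("code >= 400:             ", count_code_at_least(db, 400))
    for row in status_timeline(db):
        print(row)
```

The two things worth taking away are the null check and the timeline pivot: `code = ' '` returns zero rows even though one row has no code, and the per-code `count(CASE ...)` columns give exactly the wide shape a line chart needs, one series per status code, without a separate query per code.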