Example Queries
We will use the k8s sample log data to demonstrate the sample queries that you can use.
- To search all the fields containing the word `error`. This is a case sensitive search:

  `match_all('error')`

- `match_all` searches only the fields that are configured for full text search. The default set of fields is `msg`, `message`, `log`, `logs`. If you want more fields to be scanned during full text search, you can configure them under stream settings. Use `str_match` for full text search in a specific field.

- Search only the `log` field for `error`. This is much more efficient than `match_all` as it searches a single field:

  `str_match(log, 'error')`

- To do a case insensitive search for `error`:

  `match_all_ignore_case('error')`

- To search for all log entries where `code` is 200 (`code` is a numeric field):

  `code=200`

- To search for all log entries where the `code` field does not contain any value:
  - ✅ `code is null`
  - ❌ `code=' '` will not yield the right results

- To search for all log entries where the `code` field has some value:
  - ✅ `code is not null`
  - ❌ `code!=' '` will not yield the right results

- `code > 399`:

  `code>399`

- `code >= 400`:
  - ✅ `code >= 400`
  - ❌ `code=>400` will not work

- Query to draw a line chart of http_status codes on a timeline:

  ```sql
  SELECT histogram(_timestamp) as ts_histogram, count(case when code=200 then 1 end) as code_200_count, count(case when code=401 then 1 end) as code_401_count, count(case when code=500 then 1 end) as code_500_count FROM quickstart1 GROUP BY ts_histogram
  ```
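The following query is an added example, not part of the original page, that combines the constructs above into one timeline: it narrows the scan to the `log` field with `str_match`, then buckets the matching lines by time and counts how many carry an error-class status code versus no `code` value at all. It assumes the `quickstart1` stream from the query above and that `str_match` is accepted in a `WHERE` clause the same way `match_all` is.

```sql
-- Added example (not from the original page): error lines over time,
-- split by whether the numeric code field is present and >= 400.
SELECT histogram(_timestamp) AS ts_histogram,
       count(*) AS error_lines,                                    -- every line whose log field contains 'error'
       count(CASE WHEN code >= 400 THEN 1 END) AS http_error_lines, -- numeric comparison, not code=>400
       count(CASE WHEN code IS NULL THEN 1 END) AS lines_without_code -- IS NULL, not code=' '
FROM quickstart1
WHERE str_match(log, 'error')
GROUP BY ts_histogram
```

A gap between `error_lines` and `http_error_lines` in a bucket points at error text that is not tied to an HTTP status, which is usually worth a separate `str_match` on the `msg` or `message` field.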