Log query - simply retrieve your data

This tutorial shows how to query your logs in Coralogix.

Written by Shuki Shahrabany

Coralogix brings a whole new approach to machine data analytics with its Loggregation and anomaly detection capabilities, but sometimes all you need is to query your data and get fast, reliable results.

Coralogix's Log query offers an intuitive interface with flexible query and grid layout options, so you can query any data in seconds. In addition, it uses Coralogix's log template identification to let you query a log template regardless of its parameters, without a query language or regular expressions.

Tutorial:

1 - Click the Logs icon on your dashboard to open the log query interface

2 - Select your query type: free text search or template search. Free text search lets you query your logs with any text or metadata. Template search retrieves every record of a log event regardless of its variables, without a query language or regular expressions.

3 - Define the query text and time window (the default is the last 15 minutes). You can also run queries in Elastic 'simple query' syntax; hover over the test tube icon (at the top left of the query box) for instructions. Click 'GO' to get results in seconds, or 'Clear' to reset the query to its default. Once the results arrive, note that the occurrences graph above the retrieved log records changes too: it now counts only the entries that matched the search criteria.

Coralogix supports the following query types:

Unstructured logs

  • Google-style search query - match any log containing the combination of words queried, anywhere in the log payload. Querying 'Coralogix is' will return the logs 'Coralogix is the best', 'Coralogix query is flexible' and 'is Coralogix the best' (single and double quotes are discarded).

  • To match an exact string use the query form '/text:"your string"/'. Thus '/text:"Coralogix is"/' will return just the log 'Coralogix is the best' (note the '/' before and after the query text).

JSON structured logs

  • Elastic simple query - with word tokenization according to word delimiters*. Because the hyphen is a delimiter, querying '/Key:first-name/' looks for the tokens 'first' and 'name' and returns both the log "Key":"my first name is John" and "Key":"the first participant's name is John". You can add a regex to the query with the convention '/user_id:/.*a8ffe//', which will return only logs whose user_id value ends with a8ffe, e.g. "user_id":"10aefa8ffe" (note the '/' before and after the query text, and the second pair of slashes around the regex).

  • Keyword search - add the '.keyword' suffix to the field name to query the field without tokenization. '/Key.keyword:first-name*/' will return the logs "Key":"first-name: John" and "Key":"first-name: Bob" but not "Key":"The first participant's name is John", because the whole field value must start with 'first-name'. Use a forward slash before and after your query string. You can add a regex to a keyword query with the convention '/Key.keyword:/.*first.*John.*//', which will return both "Key":"first-name: John" and "Key":"The first participant's name is John" (note the '/' before and after your regex).

  • Numeric search - add the '.numeric' suffix to the field name to query numeric data. '/Key.numeric:[5 TO 9]/' will return the logs "Key":6 and "Key":8 (the bounds are inclusive) but not "Key":11. Use a forward slash before and after your query string.

Note:

  • Word delimiter* tokenizers are available here.

  • For a query to match, the searched word or phrase must match a full token.

Example 1

Our log:
{
     "user" : "John",
     "post" : "Going for cookies cream is a real treat"
}
The field 'post' has the following tokens: going, for, cookies, cream, is, a, real, treat
The query: /post:cook/ - no match, since 'cook' is not a full token
The query: /post:cream/ - fully matches the token cream
The query: /post:cook*/ - matches, since the wildcard lets 'cook' match the full token cookies
The query (using double quotes to capture a phrase): /post:"real treat"/ - matches the exact combination 'real treat', hence we have a match. /post:real treat/ without the quotes would not match, as there is no token 'real treat'.

Example 2

Our log:
{
     "aircraft" : "Boeing",
     "message" : "flight number fly1234paris has been delayed"
}
The field 'message' has the following tokens: flight, number, fly1234paris, has, been, delayed
The query: /message:delayed/ - fully matches the token delayed
The query: /message:paris/ - no match, since 'paris' is only part of the token fly1234paris
The query: /message:fly1234paris/ - fully matches the token fly1234paris

Example 3

When performing a keyword search (by adding the suffix .keyword to the Elastic field's name, as described under 'Keyword search' above), no tokenization is performed and the 'key.keyword' field holds the entire string, with one limitation: if the string is longer than 70 characters it is truncated, so 'key.keyword' holds only the first 70 characters of the string.

Our log:
{
     "aircraft" : "Boeing",
     "message" : "flight number fly1234paris has been delayed"
}
The message.keyword token is the entire string: flight number fly1234paris has been delayed
The query: /message.keyword:delayed/ - no match, as it does not match the token in full
The query: /message.keyword:flight/ - no match, as it does not match the token in full
The query: /message.keyword:"flight number fly1234paris has been delayed"/ - fully matches the message.keyword token
The query (using regex): /message.keyword:/.*paris.*// - matches, as the regex covers the entire message.keyword token
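To make the matching rules above concrete, here is a small model of them in Python. This is an added example, not Coralogix's code and not the real Elastic tokenizer: it lowercases and splits on any non-alphanumeric run, which is enough to reproduce the behaviour of Examples 1 to 3 and of the Elastic simple query, keyword, regex and numeric bullets. The sample log values are constructed from those examples; case-sensitive keyword comparison is an assumption the page does not state.

```python
import re

# Added example, not Coralogix's code: a simplified model of the token, keyword,
# regex and numeric matching rules described in this tutorial. The real Elastic
# word-delimiter tokenizer has more rules; this one only reproduces the behaviour
# shown in the examples above (lowercase, split on any non-alphanumeric run).

KEYWORD_MAX_LEN = 70  # the tutorial states .keyword keeps only the first 70 characters


def tokenize(text):
    """Tokens of a text field: lowercased, split on spaces, hyphens, apostrophes, etc."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def keyword_value(text):
    """Value of field.keyword: the untokenized string, truncated to 70 characters."""
    return text[:KEYWORD_MAX_LEN]


def _unquote(query):
    """Return (text, was_quoted) for a query term that may be wrapped in double quotes."""
    if len(query) >= 2 and query[0] == '"' and query[-1] == '"':
        return query[1:-1], True
    return query, False


def match_tokenized(value, query):
    """Simulate /field:query/ on a tokenized text field.

    "a b"   (quoted)      -> phrase: the tokens must appear consecutively
    abc*    (trailing *)  -> prefix match against one whole token
    abc     (bare)        -> every token of the term must be a whole token of the
                             field, so 'first-name' matches 'my first name is John'
    An unquoted term containing whitespace matches nothing, as the tutorial says
    for /post:real treat/.
    """
    tokens = tokenize(value)
    term, quoted = _unquote(query)
    if quoted:
        phrase = tokenize(term)
        n = len(phrase)
        return n > 0 and any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))
    if any(c.isspace() for c in term):
        return False
    if term.endswith("*"):
        prefix = term[:-1].lower()
        return any(t.startswith(prefix) for t in tokens)
    wanted = tokenize(term)
    return bool(wanted) and all(w in tokens for w in wanted)


def match_keyword(value, query):
    """Simulate /field.keyword:query/: the whole (truncated) string must match.
    Keyword values are compared case-sensitively (assumption, not stated on the page)."""
    kw = keyword_value(value)
    term, _ = _unquote(query)
    if term.endswith("*"):
        return kw.startswith(term[:-1])
    return kw == term


def match_regex(value, pattern, keyword=False):
    """Simulate /field:/pattern// and /field.keyword:/pattern//.

    Lucene regexes are anchored, so the pattern must cover the whole token (or,
    for .keyword, the whole truncated string); Python's fullmatch mirrors that.
    Only patterns whose syntax is the same in Lucene and Python (., *, literals)
    are used here.
    """
    rx = re.compile(pattern)
    if keyword:
        return rx.fullmatch(keyword_value(value)) is not None
    return any(rx.fullmatch(t) for t in tokenize(value))


def match_numeric(value, range_query):
    """Simulate /field.numeric:[low TO high]/ (both bounds inclusive)."""
    m = re.fullmatch(r"\[\s*(-?\d+(?:\.\d+)?)\s+TO\s+(-?\d+(?:\.\d+)?)\s*\]", range_query)
    if not m:
        raise ValueError(f"unsupported range query: {range_query!r}")
    low, high = float(m.group(1)), float(m.group(2))
    return low <= float(value) <= high


if __name__ == "__main__":
    # Constructed log values taken from the examples above.
    post = "Going for cookies cream is a real treat"
    message = "flight number fly1234paris has been delayed"
    print(tokenize(post))
    for q in ("cook", "cream", "cook*", '"real treat"', "real treat"):
        print(f"/post:{q}/ ->", match_tokenized(post, q))
    for q in ("delayed", "flight", '"flight number fly1234paris has been delayed"'):
        print(f"/message.keyword:{q}/ ->", match_keyword(message, q))
    print("/message.keyword:/.*paris.*// ->", match_regex(message, ".*paris.*", keyword=True))
    print("/Key.numeric:[5 TO 9]/ on 6, 11 ->", match_numeric(6, "[5 TO 9]"), match_numeric(11, "[5 TO 9]"))
```

The useful check when a query returns nothing you expected is the first step of this model: print the tokens of the field value and see whether your term is one of them in full, or switch to the .keyword field if you really mean the whole string.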

4 - To query the surroundings of a log in your results, simply mark that log, click the 'Query selected log before & After' button, and select the desired timeframe. This retrieves all logs before and after the selected log from the same application and subsystem.

5 - To view long text logs, mark text for querying/alerting, or visualize JSON fields, simply mark a log and click the three dots that appear, or press the space bar.

6 - Use Loggregation to view the unique appearances of your logs and their variable models (note that it takes 24 hours for Loggregation to become active).

Static query link

You can also run a query or open a public saved view directly from the URL.

Examples:

https://YOUR_TEAM_NAME.coralogix.com/#/query/logs?query=Field_Name_1:Value_1%20AND%20Field_Name_2:Value_2&startTime=1591740610000&endTime=1591741210000

Notes:

  • The time parameters are 13-digit epoch values, i.e. milliseconds since 1970-01-01 UTC (the example above spans a 10-minute window).

  • Static query links are supported only for public views.

  • When a view is saved with query parameters, the link's time frame is the time range of the saved query.
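Building such links by hand is error-prone: the timestamps must be in milliseconds, not seconds, and the query must be percent-encoded so that spaces, double quotes and the '/' around Elastic queries survive copy and paste. The following is an added example, not Coralogix's code, that assembles and parses the link format shown above; YOUR_TEAM_NAME and the query text are placeholders, and the sample timestamps are the ones from the example link.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

# Added example, not Coralogix's code: build and parse the static query link
# described above. YOUR_TEAM_NAME and the query text are placeholders.


def epoch_ms(when):
    """13-digit epoch value the link expects: milliseconds since 1970-01-01 UTC.

    Accepts a datetime (a naive one is treated as UTC so the result does not
    depend on the host's time zone) or an already computed millisecond value.
    """
    if isinstance(when, (int, float)):
        return int(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return round(when.timestamp() * 1000)


def build_query_link(team, query, start, end):
    """Return https://<team>.coralogix.com/#/query/logs?query=...&startTime=...&endTime=...

    The query is percent-encoded (spaces, quotes and slashes included); ':' is
    left as-is, matching the example link in the tutorial.
    """
    start_ms, end_ms = epoch_ms(start), epoch_ms(end)
    if end_ms <= start_ms:
        raise ValueError("endTime must be after startTime")
    return (
        f"https://{team}.coralogix.com/#/query/logs"
        f"?query={quote(query, safe=':')}"
        f"&startTime={start_ms}&endTime={end_ms}"
    )


def parse_query_link(url):
    """Recover the query text and both millisecond timestamps from a link.

    Everything after '#' is a URL fragment, so the browser never sends it in
    the HTTP request; the query only reaches Coralogix through its own app.
    """
    fragment = urlsplit(url).fragment  # "/query/logs?query=...&startTime=...&endTime=..."
    params = parse_qs(fragment.split("?", 1)[1], strict_parsing=True)
    return {
        "query": params["query"][0],
        "startTime": int(params["startTime"][0]),
        "endTime": int(params["endTime"][0]),
    }


def example_link():
    """The tutorial's example link, rebuilt from a 10-minute window on 2020-06-09 UTC."""
    start = datetime(2020, 6, 9, 22, 10, 10, tzinfo=timezone.utc)
    end = datetime(2020, 6, 9, 22, 20, 10, tzinfo=timezone.utc)
    return build_query_link("YOUR_TEAM_NAME", "Field_Name_1:Value_1 AND Field_Name_2:Value_2", start, end)


if __name__ == "__main__":
    link = example_link()
    print(link)
    print(parse_query_link(link))
    # An Elastic exact-string query needs encoding for its quotes and slashes.
    print(build_query_link("YOUR_TEAM_NAME", '/text:"Coralogix is"/', 1591740610000, 1591741210000))
```

Treat a shared link as you would the query itself: anything you put in the query text (hostnames, user identifiers) is visible to everyone the link is forwarded to, even though the fragment is not sent to the server.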

Start using Coralogix now and enjoy a whole new world of simple and flexible ways to retrieve your data
