Managing Queries
Queries in LogScale are written in the Query
editor available from the Search
page. The queries can also be saved and reused from the UI.
Writing a New Query
The Query editor is fully editable and you can enter single-line and multiple-line queries. For a comprehensive list of LogScale's query functions with descriptions, see Query Functions.
To write a new query in LogScale:
Go to
menu and click on the repository or view in which you want to search.From the
Search
page, enter one or more search terms in the Query editor, then press Enter or click .If needed, adjust the size of the Query editor by dragging manually or clicking the small arrows to make it fit the query.
Here is an example of very simple search with just one value:
Figure 83. One-Value Search
The Query editor contains your query, and the search result appears in the Event list panel, under the Results tab.
In the example, filtering is made by selecting only events that contain
the text example.com
anywhere in their
log message.
This is essentially the same as using grep on the Unix command-line, except with LogScale UI you can do it across all the logs, and from all servers and services at once.
Taking this example a little further, when adding a second search term
to display only results for
proxyRequest
, the results are filtered
further:
Figure 84. Two-Value Search
For much more details on the possible operations you can perform with queries, see Common Queries.
Saving Queries
You can save a query for future use — you save the query, not the resulting data.
Once you've run your query, click Results panel and select the option.
from theIn the Save query dialog box, specify whether this query is overwriting an existing one, enter a name for the query (required), and then click : the saved query can now be found and reloaded anytime later from the Queries dropdown → Saved tab.
Hover over your saved query and click
if you want to mark the query as favorite, export it as YAML, edit or delete it.Figure 85. Saved Query
Note
You will be able to see all saved queries in the repository or view
for which you have been granted access (via the
Data read access
permission).
You can also save a query you use often by creating your own syntax function. See User Functions (Saved Searches) for more information.
Recalling Queries
You can recall recently run queries anytime later.
Click the Queries dropdown → Recent tab
Select and click one of the recent queries to make it run again, or
Hover over your recent query and click saved query.
→ to make it a
Figure 86. Recent Queries
Using Saved Queries in Interactions
You can use saved queries to save interactions on the
Search
page, thus avoiding recreation of
the same interaction at every search. For more information on the
interactions that LogScale supports, see
Event List Interactions and
Manage Dashboard Interactions.
You can either:
Load a saved query with interaction from the Queries dropdown and click the Saved tab (or pick a saved query from a package):
Figure 87. Loading a Saved Query
Make an interaction from a query you have created and save it in a new saved query — or save your interaction in an existing saved query.
From the Results panel, click and select the option to open the Save query dialog box, where you save your query along with the interaction you have created.
Figure 88. Interaction with a Saved Query