Managing Queries

Queries in LogScale are written in the Query editor available from the Search page. The queries can also be saved and reused from the UI.

Writing a New Query

The Query editor is fully editable and you can enter single-line and multiple-line queries. For a comprehensive list of LogScale's query functions with descriptions, see Query Functions.

To write a new query in LogScale:

  1. Go to the Repositories and Views menu and click the repository or view in which you want to search.

  2. From the Search page, enter one or more search terms in the Query editor, then press Enter or click Run.

  3. If needed, adjust the size of the Query editor by dragging manually or clicking the small Fit to query arrows to make it fit the query.

Here is an example of a very simple search with just one value:

Screenshot showing a simple one-value search

Figure 95. One-Value Search


The Query editor contains your query, and the search result appears in the Event list panel, under the Results tab.

In the example, the query selects only events that contain the text example.com anywhere in their log message.

This is essentially the same as using grep on the Unix command line, except that with the LogScale UI you can search across all the logs, from all servers and services at once.

Taking this example a little further, adding a second search term to display only results for proxyRequest filters the results further:

Screenshot showing a two-value search

Figure 96. Two-Value Search


For much more detail on the operations you can perform with queries, see Common Queries.

Saving Queries

You can save a query for future use — you save the query, not the resulting data.

  1. Once you've run your query, click Save from the Results panel and select the Saved search option.

  2. In the Save query dialog box, specify whether this query is overwriting an existing one, enter a name for the query (required), and then click Save: the saved query can now be found and reloaded anytime later from the Queries dropdown → Saved tab.

  3. Hover over your saved query and click Details if you want to mark the query as a favorite, export it as YAML, edit it, or delete it.

    Figure 97. Saved Query


Note

You will be able to see all saved queries in the repository or view for which you have been granted access (via the Data read access permission).

You can also save a query you use often by creating your own syntax function. See User Functions (Saved Searches) for more information.

Recalling Queries

You can recall recently run queries anytime later.

  1. Click the Queries dropdown → Recent tab.

  2. Select and click one of the recent queries to make it run again, or

  3. Hover over your recent query and click Details → Save query to make it a saved query.

Screenshot Showing the Recent Queries Tab

Figure 98. Recent Queries


Using Saved Queries in Interactions

You can use saved queries to save interactions on the Search page, thus avoiding recreation of the same interaction at every search. For more information on the interactions that LogScale supports, see Event List Interactions and Manage Dashboard Interactions.

You can either:

  • Load a saved query with an interaction from the Queries dropdown by clicking the Saved tab (or pick a saved query from a package):

    Figure 99. Loading a Saved Query


  • Make an interaction from a query you have created and save it in a new saved query — or save your interaction in an existing saved query.

    From the Results panel, click Save and select the Saved search option to open the Save query dialog box, where you save your query along with the interaction you have created.

    Figure 100. Interaction with a Saved Query