Managing Queries

Queries in LogScale are written in the Query editor available from the Search page. The queries can also be saved and reused from the UI.

Writing a New Query

The Query editor is fully editable and you can enter single-line and multiple-line queries. For a comprehensive list of LogScale's query functions with descriptions, see Query Functions.

To write a new query in LogScale:

  1. Go to Repositories and Views page, and click on the repository or view in which you want to search.

  2. From Search, enter one or more search terms in the Query editor, and press Enter or click Run.

  3. If needed, adjust the size of the query editor by dragging manually or clicking the small Fit to query arrows on the right to make it fit the query.

Here is an example of very simple search with just one value:

One-Value Search

Figure 94. One-Value Search


The Query editor contains a query, and the search results appear in the Event list in the Results panel.

In the example, we are filtering by selecting only events that contain the text example.com anywhere in their log message.

This is essentially the same as using grep on the Unix command-line, except with LogScale UI you can do it across all the logs, and from all servers and services at once.

Taking this example a little further, when we add a second search term to display only results for proxyRequest, the results are further filtered:

Two-Value Search

Figure 95. Two-Value Search


For much more details on the possible operations you can perform with queries, see Common Queries.

Saving Queries

You can save a query for future use — you save the query, not the resulting data.

  1. In the Results panel, click Save, and select the Saved search option.

  2. In the appearing Save query dialog box, specify whether this query is overwriting an existing one, enter a name for the query (required), and then click Save.

  3. You can find and reload saved queries from the Queries dropdown anytime later. From the Saved page under Queries dropdown you can also mark that query as favorite, export it as YAML, edit or delete it.

    Do the following:

    From the Queries dropdown, click the Saved page, and then select the relevant saved query.

    You can make a saved search load automatically when opening the repository.

    Note

    You will be able to see all saved searches in the repository or view you are granted access for (via the Data read access permission).

    Saved Queries

    Figure 96. Saved Queries


    Hovering a saved query and clicking Details allows you to mark that query as favorite, export it as YAML, edit or delete it.

    You can also save a query you use often by creating your own syntax function. See User Functions (Saved Searches) for more information.

Recalling Queries

You can recall recently run queries or saved queries from the Queries dropdown anytime later.

From the Queries dropdown, click the Recent page, and then select one of the recent queries or click the Saved page to select a saved query.

Recent Queries

Figure 97. Recent Queries


Using Saved Queries in Interactions

You can use saved queries to save interactions on the Search page, thus avoiding recreation of the same interaction at every search. For more information on the interactions LogScale support, see Event List Interactions and Manage Dashboard Interactions.

You can either:

  • Load a saved query with interaction from Queries dropdown and clicking the Saved page (or pick a saved query from a package):

    Loading a Saved Query

    Figure 98. Loading a Saved Query


  • Make an interaction from a query you have created and save it in a new saved query — or save your interaction in an existing saved query.

    From the Results panel, click Save, and select the Saved search option to open the Save query dialog box, where you save your query along with the interaction you have created.

    Interaction with a Saved Query

    Figure 99. Interaction with a Saved Query