Managing Queries

Queries in LogScale are written in the Query editor available from the Search page. The queries can also be saved and reused from the UI.

Writing a New Query

The Query editor is fully editable and you can enter single-line and multiple-line queries. For a comprehensive list of LogScale's query functions with descriptions, see Query Functions.

To write a new query in LogScale:

  1. Go to the Repositories and Views menu and click the repository or view in which you want to search.

  2. From the Search page, enter one or more search terms in the Query editor, then press Enter or click Run.

  3. If needed, adjust the size of the Query editor by dragging manually or clicking the small Fit to query arrows to make it fit the query.

Here is an example of a very simple search with just one value:

Screenshot showing a simple one-value search

Figure 97. One-Value Search


The Query editor contains your query, and the search result appears in the Event list panel, under the Results tab.

In the example, the filter selects only events that contain the text example.com anywhere in their log message.

This is essentially the same as using grep on the Unix command line, except that with the LogScale UI you can do it across all the logs, and from all servers and services at once.

Taking this example a little further, adding a second search term to display only results for proxyRequest filters the results further:

Screenshot showing a two-value search

Figure 98. Two-Value Search
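
The grep comparison above, as an added example that is not part of the LogScale documentation: a shell sketch that applies the one-term and two-term filters to constructed log lines from two hypothetical hosts (web01, auth02) in a single pass. The function names and grep's literal, case-sensitive matching are assumptions of this sketch, not a description of LogScale's matching rules.

```shell
#!/usr/bin/env bash
# Constructed sample data: host names, file names and log lines are made up.
LOGDIR="$(mktemp -d)"
trap 'rm -rf "$LOGDIR"' EXIT

cat > "$LOGDIR/web01.log" <<'EOF'
2024-05-01T10:00:01Z web01 proxyRequest host=example.com path=/login status=200
2024-05-01T10:00:02Z web01 proxyRequest host=internal.test path=/health status=200
2024-05-01T10:00:03Z web01 cacheHit host=example.com path=/static/app.js
EOF

cat > "$LOGDIR/auth02.log" <<'EOF'
2024-05-01T10:00:04Z auth02 loginFailed user=alice origin=example.com
2024-05-01T10:00:05Z auth02 proxyRequest host=example.com path=/api/token status=401
EOF

# search_logs TERM [TERM...]
# Print every line, from every log file in $LOGDIR, that contains all TERMs.
# Each term is one more filter stage, so the terms combine as a logical AND.
search_logs() {
    _out="$(cat "$LOGDIR"/*.log)"
    for _term in "$@"; do
        # -F matches the term literally, so the "." in example.com is a dot,
        # not a regex wildcard; "--" protects terms that start with "-".
        _out="$(printf '%s\n' "$_out" | grep -F -- "$_term")" || true
    done
    if [ -n "$_out" ]; then printf '%s\n' "$_out"; fi
}

# count_matches TERM [TERM...]: number of events that pass every filter.
count_matches() {
    search_logs "$@" | wc -l | tr -d ' '
}

echo "example.com only:             $(count_matches example.com) events"
echo "example.com AND proxyRequest: $(count_matches example.com proxyRequest) events"
search_logs example.com proxyRequest
```
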


For more details on the operations you can perform with queries, see Common Queries.

Saving Queries

Security Requirements and Controls
  • Delete saved queries permission

  • Create saved queries permission

  • Update saved queries permission

You can save a query for future use — you save the query, not the resulting data.

  1. Once you have run the query, click Save from the Results panel and select the Saved search option.

  2. In the Save query dialog box, specify whether this query is overwriting an existing one, enter a name for the query (required), and then click Save: the saved query can now be found and reloaded anytime later from the Queries dropdown → Saved tab.

  3. You can find and reload saved queries from the Queries dropdown anytime later. From the Saved page under the Queries dropdown you can also mark that query as a favorite, share asset access with another user, export it as YAML, edit or delete it.

    Figure 99. Saved Query


Note

Hovering over a saved query and clicking Details allows you to mark that query as a favorite, share access to the asset, export it as YAML, edit or delete it. For information about sharing access to a saved query, see Permissions for saved queries.

You can also save a query you use often by creating your own syntax function. See User Functions (Saved Searches) for more information.

Permissions for saved queries

Security Requirements and Controls

Sometimes you might want to collaborate with another user on a saved query, but that user does not have permissions for saved queries in the view. If you have permissions to do so, you can grant that user permissions to edit and delete a particular saved query in a view. For more information about asset permissions, see Asset permissions.

If you do not have Change user access permission on the repository, you will see a list of users only (no groups) that already have at least Read permissions on the repository. You can select from these users and give them more permissions (up to the same permissions you have).

To grant access to edit or delete a saved query to another user or group:

The creator of an asset and regular users can share the same permissions that they have to the asset with users who already have read access to the view. You cannot share access with users who do not have read access to the view. You cannot share access with groups at all.

  1. Click Details next to the saved query you want to share and click Asset sharing.

  2. In the Users and groups with access window you see users who currently have access to the dashboard and what access they have.

  3. Click Share saved query.

  4. Click to select the user to get additional permissions. Note that you can only see users who already have read permission to the view. Click Next.

  5. Select the appropriate permissions to assign. Click Grant permissions.

Recalling Queries

You can recall recently run queries anytime later.

  1. Click the Queries dropdown → Recent tab

  2. Select and click one of the recent queries to make it run again, or

  3. Hover over your recent query and click Details → Save query to make it a saved query.

Screenshot Showing the Recent Queries Tab

Figure 100. Recent Queries


Using Saved Queries in Interactions

You can use saved queries to save interactions on the Search page, thus avoiding recreation of the same interaction at every search. For more information on the interactions that LogScale supports, see Event List Interactions and Manage Dashboard Interactions.

You can either:

  • Load a saved query with an interaction from the Queries dropdown by clicking the Saved tab (or pick a saved query from a package):

    Figure 101. Loading a Saved Query


  • Make an interaction from a query you have created and save it in a new saved query — or save your interaction in an existing saved query.

    From the Results panel, click Save and select the Saved search option to open the Save query dialog box, where you save your query along with the interaction you have created.

    Figure 102. Interaction with a Saved Query