Grammar Subset

This subset is not sufficient for parsing LogScale queries. See Appendix A, Quirks for more information.

Query

none Syntax
Query ::= Pipeline?

Pipeline

none Syntax
Pipeline ::= PipelineStep ( '|' PipelineStep )*

PipelineStep

none Syntax
PipelineStep ::=
  Filter 
  | FunctionCall 
  | EvalFunctionShorthand 
  | EvalShorthand 
  | FieldShorthand 
  | Case 
  | Match 
  | StatsShorthand 
  | SavedQuery

Filters

none Syntax
Filter ::= LogicalAndFilter
none Syntax
LogicalAndFilter ::=
  LogicalOrFilter ('AND'? LogicalOrFilter)*
none Syntax
LogicalOrFilter ::=
  UnaryFilter ('OR' UnaryFilter)*
none Syntax
UnaryFilter ::=
  'NOT'* PrimaryFilter
none Syntax
PrimaryFilter ::=
  FieldName '=' EqualityPattern |
  FieldName 'like' LikePattern |
  FieldName '!=' EqualityPattern |
  FieldName '<' Number |
  FieldName '<=' Number |
  FieldName '>' Number |
  FieldName '>=' Number |
  FreeTextPattern |
  'true' |
  'false' |
  '(' Filter ')'
none Syntax
FieldName ::= UnquotedFieldName | QuotedString

A Filter (filter expression) can be a step in a pipeline. Filter is a less general kind of expression compared to an expression. Neither is a subset of the other, but Filter is particularly quirky.

Implicit AND is supported in the Filter production so be aware that this:

logscale Syntax
foo < 42 + 3

means:

logscale Syntax
(foo < 42) AND "*+*" AND "*3*"

LogicalOrFilter1 LogicalOrFilter2 is shorthand for LogicalOrFilter1 AND LogicalOrFilter2.

LogicalOrFilter1 AND LogicalOrFilter2 is shorthand for LogicalOrFilter1 | LogicalOrFilter2.

UnaryFilter1 OR UnaryFilter2 is shorthand for case { UnaryFilter1; UnaryFilter2 }.

However, UnaryFilter1 and UnaryFilter2 cannot be a Regex with named groups.

Patterns

none Syntax
FreeTextPattern ::=
  UnquotedPattern | QuotedString | Regex | QueryParameter
none Syntax
LikePattern ::=
  UnquotedPattern | QuotedString | QueryParameter
none Syntax
EqualityPattern ::=
  AnchoredPattern | Regex | QueryParameter
none Syntax
AnchoredPattern ::=
  UnquotedPattern | QuotedString

When UnquotedPattern or QuotedString are used as patterns, the asterisk character (*) is a wildcard, meaning that it matches anything. The wildcard cannot be escaped. Regular expressions can be used to search for *.

Patterns are sensitive to case. For example, MyClass matches MyClass, but not myclass. Regular expressions can be used to disable case sensitivity in matches using the i flag.

Anchored Patterns

We say that a pattern is anchored if it must match the entire string. For example, if the pattern bar is anchored, it matches bar, but not foobar, barbaz, or foobarbaz.

Regular expressions are anchored only if explicit anchors are used in the regular expression, but unquoted and quoted strings can be anchored or not depending on how they're used. For example, the regular expression /bar/ matches bar, foobar, barbaz, and foobarbaz. The regular expression /^bar/ matches bar, and barbaz, but not foobar, and foobarbaz.

The patterns AnchoredPattern, and EqualityPattern are always anchored (except for Regex, see Patterns).

The patterns FreeTextPattern, LikePattern are not anchored (except for Regex, see Patterns).

When UnquotedPattern or QuotedString are not anchored, they are equivalent to having * prepended and appended. For example, the pattern "foo*" is equivalent to "*foo**" or "*foo*" when not anchored.

The FreeTextPattern * is equivalent to true, this means that it will match any event — even one without any fields. Also, any number of * means the same as *, so "", ***, and "***" are all equivalent to true.

The EqualityPattern * is not equivalent to true, instead it can be used to look for the presence of a field. For example, my_field = * matches all events that have a field named my_field, and my_field != * matches any event that doesn't. To look for empty (non-empty) fields, use my_field = "" (my_field != ""). Since "" is anchored here, it is not equivalent to *; however, "*", "***", **, all are.

Query Parameters

none Syntax
QueryParameter ::=
  '?' QueryParameterName 
  | '?{' QueryParameterName '=' QueryParameterDefaultValue '}'
none Syntax
QueryParameterName ::= UnquotedPattern 
| QuotedString
none Syntax
QueryParameterDefaultValue ::= UnquotedPattern 
| QuotedString

A query can be parameterized so that some patterns can be specified later. This is useful, for example, in dashboard widgets: see some ???.

Arguments to queries are never interpreted as regular expressions. Consider, for example, this query:

logscale Syntax
class = ?my_class

This query has one query parameter my_class. If the value for my_class is set to /MyClass/, it is equivalent to:

logscale Syntax
class = "/MyClass/"

Not to:

logscale Syntax
class = /MyClass/

Unquoted Strings

none Syntax
UnquotedPattern

UnquotedFieldName

An UnquotedPattern is a non-empty sequence of characters.

An UnquotedFieldName is a non-empty sequence of characters.

The exact characters supported is beyond the scope of this document — see Appendix C, Character Table for a table of which characters are supported in the character set ISO/IEC 8859-1. LogScale accepts the full Unicode character set, but not all details are included here. We recommend limiting to Unicode identifiers for UnquotedPattern and UnquotedFieldName.

The reserved character / is also supported in UnquotedPattern. However, an UnquotedPattern cannot start with / (one slash) and cannot end with // (two slashes). See Slashes for more information on slashes.

  • UnquotedPattern supports the * wildcard character, but it does not always mean a wildcard. UnquotedPattern does not support the JSON array index syntax.

  • UnquotedFieldName supports the JSON array index syntax, for example, foo.bar[42], but not the * character (wildcard).

Quoted Strings

none Syntax
QuotedString

A QuotedString is a sequence of characters surrounded by ". A QuotedString cannot span multiple lines, but \n can be used to include the newline character. \" can be used to include " in the string. \\ can be used to include the character \, and we recommend not including any other sequences of \ in quoted strings.

Regular Expressions

none Syntax
Regex

A Regex is a sequence of characters surrounded by /.

A Regex cannot span multiple lines, but \n can be used to include the newline character.

\/ can be used to include \ in the regular expression. Other characters can also be preceeded by \ in regular expressions.

For more information, see Regular Expression Syntax Patterns.

By default, regular expressions are not anchored, see Anchored Patterns.

A regular expression can be followed by flags. The supported flags are d, m, and i.

Numbers

none Syntax
Number

Numbers in LogScale are decimals with optional floating point or scientific notation.

Function Call

none Syntax
FunctionCall ::= FunctionName '(' FunctionArguments? ')'

FunctionArguments ::=
    NamedFunctionArgument (',' FunctionArguments)? |
    UnnamedFunctionArgument (',' FunctionArguments)?
none Syntax
NamedFunctionArgument ::=
    FieldName '=' Expression
none Syntax
UnnamedFunctionArgument ::=
    Expression

One occurrence of UnnamedFunctionArgument at most is supported in FunctionArguments.

Expression

none Syntax
Expression ::=
  Expression ComparisonOperator AdditiveExpression |
  AdditiveExpression

From v1.192 the expression syntax has been updated to support expression attributes:

none Syntax
Expression ::=
  ComparativeExpression ExpressionAttribute*

ExpressionAttribute ::=
  Identifier ':' ComparativeExpression

ComparativeExpression ::=
  Expression ComparisonOperator AdditiveExpression |
  AdditiveExpression
none Syntax
ComparisonOperator ::=
  '==' | '!=' | '>=' | '<=' | '>' | '<'

From v1.192, a modified format of this syntax is available to support the link operator:

none Syntax
ComparisonOperator ::=
  '==' | '!=' | '>=' | '<=' | '>' | '<' | '<=>'
none Syntax
AdditiveExpression ::=
  AdditiveExpression AdditiveOperator MultiplicativeExpression |
  MultiplicativeExpression
none Syntax
AdditiveOperator ::=
  '+' | '-'
none Syntax
MultiplicativeExpression ::=
  MultiplicativeExpression MultiplicativeOperator UnaryExpression |
  UnaryExpression
none Syntax
MultiplicativeOperator ::=
  '*' | '/' | '%'
none Syntax
UnaryExpression ::=
  UnaryOperator? PrimaryExpression
none Syntax
UnaryOperator ::=
  '-' | '!'
none Syntax
PrimaryExpression ::=
  '(' Expression ')' |
  Subquery |
  FunctionCall |
  ArrayExpression |
  QueryParameter |
  BareWord |
  QuotedString
none Syntax
Subquery ::= '{' Pipeline '}'

From v1.192, a modified format of this syntax is available to support an identifier within the subquery clause:

none Syntax
Subquery ::= ( Identifier ':' )? '{' Pipeline '}'

Where Identifier is a regular expression matching /[a-z][a-z0-9_]*/i.

An Expression is similar to an expression from general purpose languages, such as Java or C. It is used as an argument to functions or the right-hand side of := (Eval Shorthand).

Bare Words

none Syntax
BareWord ::=
  FieldName |
  UnquotedPattern

Caveat: UnquotedPattern is only used if it starts with a character that cannot start a FieldName. For example, */*/*https://www.example.com/ is a BareWord, but https:*/*/*https://www.example.com/ isn't.

Array Expression

none Syntax
ArrayExpression ::=
  '[' (ArrayElement (',' ArrayElement)* )? ']'
none Syntax
ArrayElement ::=
  EvalFunctionShorthand | Expression

Eval Shorthand

none Syntax
EvalFunctionShorthand ::=
 FieldName ':=' FunctionCall

Shorthand for adding as=FieldName to argument list of FunctionCall.

none Syntax
EvalShorthand ::=
  FieldName ':=' Expression

Shorthand for:

logscale Syntax
eval(FieldName = Expression)

Note that eval() does not support ArrayExpression and Subquery expressions.

Field Shorthand

none Syntax
FieldShorthand ::= FieldName '=~' FunctionCall

Shorthand for adding field=FieldName to argument list of FunctionCall.

Case

none Syntax
Case ::=
  'case' '{' Pipeline (';' Pipeline)* '}'

Runs each pipeline in sequence until one matches an event.

Match

none Syntax
Match ::=
  FieldName 'match' '{' MatchPipeline (';' MatchPipeline)* '}'
none Syntax
MatchPipeline ::=
  MatchGuard => Pipeline
none Syntax
MatchGuard ::=
  '*'
  Regex |
  FunctionCall |
  QueryParameter |
  AnchoredPattern

Match evaluates the first Pipeline whose MatchGuard matches the current event. Match is not a shorthand for Case.

A MatchGuard is evaluated as follows:

If MatchGuard is on the form '*', the current event is matched.

Surprisingly enough, this is equivalent to *, not MyField = *. In other words, not a field existence test.

Otherwise, if MatchGuard is on the form Regex, the current event is matched if this matches: FieldName = Regex.

Otherwise, if MatchGuard is on the form FunctionCall, the current event is matched if this matches: FieldName =~ FunctionCall.

Otherwise, if MatchGuard is on the form AnchoredPattern, the current event is matched if this matches: FieldName=~ AnchoredPattern.

Saved Query

none Syntax
SavedQuery ::=
  '$' (UnquotedPattern | QuotedString) '(' SavedQueryArguments? ')'
none Syntax
SavedQueryArguments ::=
  SavedQueryArgument (',' SavedQueryArgument)*
none Syntax
SavedQueryArgument ::=
  (UnquotedPattern | QuotedString) '=' (UnquotedPattern | QuotedString)

Stats Shorthand

none Syntax
StatsShorthand ::= ArrayExpression

[ e1 , e2 ,, e3 ] is shorthand for stats([ e1 , e2 ,, e3 ]).