Grammar Subset

This subset isn't sufficient for parsing LogScale queries. See Appendix A, Quirks for more information.

none
Query ::= Pipeline?
none
Pipeline ::= PipelineStep ( '|' PipelineStep )*
none
PipelineStep ::=
  Filter 
  | FunctionCall 
  | EvalFunctionShorthand 
  | EvalShorthand 
  | FieldShorthand 
  | Case 
  | Match 
  | StatsShorthand 
  | SavedQuery

Filters

none
Filter ::= LogicalAndFilter
none
LogicalAndFilter ::=
  LogicalOrFilter ('AND'? LogicalOrFilter)*
none
LogicalOrFilter ::=
  UnaryFilter ('OR' UnaryFilter)*
none
UnaryFilter ::=
  'NOT'* PrimaryFilter
none
PrimaryFilter ::=
  FieldName '=' EqualityPattern |
  FieldName 'like' LikePattern |
  FieldName '!=' EqualityPattern |
  FieldName '<' Number |
  FieldName '<=' Number |
  FieldName '>' Number |
  FieldName '>=' Number |
  FreeTextPattern |
  'true' |
  'false' |
  '(' Filter ')'
none
FieldName ::= UnquotedFieldName | QuotedString

A Filter (filter expression) can be a step in a pipeline. Filter is a less general kind of expression compared to an expression. Neither is a subset of the other, but Filter is particularly quirky.

Implicit AND is supported in the Filter production so be aware that this:

logscale
foo < 42 + 3

means:

logscale
(foo < 42) AND "*+*" AND "*3*"

LogicalOrFilter1 LogicalOrFilter2 is shorthand for LogicalOrFilter1 AND LogicalOrFilter2.

LogicalOrFilter1 AND LogicalOrFilter2 is shorthand for LogicalOrFilter1 | LogicalOrFilter2.

UnaryFilter1 OR UnaryFilter2 is shorthand for case { UnaryFilter1; UnaryFilter2 }.

However, UnaryFilter1 and UnaryFilter2 can't be a Regex with named groups.

Patterns

none
FreeTextPattern ::=
  UnquotedPattern | QuotedString | Regex | QueryParameter
none
LikePattern ::=
  UnquotedPattern | QuotedString | QueryParameter
none
EqualityPattern ::=
  AnchoredPattern | Regex | QueryParameter
none
AnchoredPattern ::=
  UnquotedPattern | QuotedString

When UnquotedPattern or QuotedString are used as patterns, the asterisk character (*) is a wildcard, meaning that it matches anything. The wildcard can't be escaped. Regular expressions can be used to search for *.

Patterns are sensitive to case. For example, MyClass matches MyClass, but not myclass. Regular expressions can be used to disable case sensitivity in matches using the i flag.

Anchored Patterns

We say that a pattern is anchored if it must match the entire string. For example, if the pattern bar is anchored, it matches bar, but not foobar, barbaz, or foobarbaz.

Regular expressions are anchored only if explicit anchors are used in the regular expression, but unquoted and quoted strings can be anchored or not depending on how they're used. For example, the regular expression /bar/ matches bar, foobar, barbaz, and foobarbaz. The regular expression /^bar/ matches bar, and barbaz, but not foobar, and foobarbaz.

The patterns AnchoredPattern, and EqualityPattern are always anchored (except for Regex, see Patterns).

The patterns FreeTextPattern, LikePattern aren't anchored (except for Regex, see Patterns).

When UnquotedPattern or QuotedString aren't anchored, they are equivalent to having * prepended and appended. For example, the pattern "foo*" is equivalent to "*foo**" or "*foo*" when not anchored.

The FreeTextPattern * is equivalent to true, this means that it will match any event — even one without any fields. Also, any number of * means the same as *, so "", ***, and "***" are all equivalent to true.

The EqualityPattern * is not equivalent to true, instead it can be used to look for the presence of a field. For example, my_field = * matches all events that have a field named my_field, and my_field != * matches any event that doesn't. To look for empty (non-empty) fields, use my_field = "" (my_field != ""). Since "" anchored here, it's not equivalent to *; however, "*", "***", **, all are.

Query Parameters

none
QueryParameter ::=
  '?' QueryParameterName 
  | '?{' QueryParameterName '=' QueryParameterDefaultValue '}'
none
QueryParameterName ::= UnquotedPattern 
| QuotedString
none
QueryParameterDefaultValue ::= UnquotedPattern 
| QuotedString

A query can be parameterized so that some patterns can be specified later. This is useful, for example, in dashboard widgets: see some Examples of Parameterized Dashboards.

Arguments to queries are never interpreted as regular expressions. Consider, for example, this query:

logscale
class = ?my_class

This query has one query parameter my_class. If the value for my_class is set to /MyClass/, it is equivalent to:

logscale
class = "/MyClass/"

Not to:

logscale
class = /MyClass/

Unquoted Strings

none
UnquotedPattern

UnquotedFieldName

An UnquotedPattern is a non-empty sequence of characters.

An UnquotedFieldName is a non-empty sequence of characters.

The exact characters supported is beyond the scope of this document — see Appendix C, Character Table for a table of which characters are supported in the character set ISO/IEC 8859-1. LogScale accepts the full Unicode character set, but not all details are included here. We recommend limiting to Unicode identifiers for UnquotedPattern and UnquotedFieldName.

The reserved character / is also supported in UnquotedPattern. However, an UnquotedPattern can't start with / (one slash) and can't end with // (two slashes). See Slashes for more information on slashes.

  • UnquotedPattern supports the * wildcard character, but it doesn't always mean a wildcard. UnquotedPattern doesn't support the JSON array index syntax.

  • UnquotedFieldName supports the JSON array index syntax, for example, foo.bar[42], but not the * character (wildcard).

Quoted Strings

none
QuotedString

A QuotedString is a sequence of characters surrounded by ". A QuotedString can't span multiple lines, but \n can be used to include the newline character. \" can be used to include " in the string. \\ can be used to include the character \, and we recommend not including any other sequences of \ in quoted strings.

Regular Expressions

none
Regex

A Regex is a sequence of characters surrounded by /.

A Regex can't span multiple lines, but \n can be used to include the newline character.

\/ can be used to include \ in the regular expression. Other characters can also be preceeded by \ in regular expressions.

For more information, see Regular Expression Syntax Patterns.

By default, regular expressions aren't anchored, see Anchored Patterns.

A regular expression can be followed by flags. The supported flags are d, m, and i.

Numbers

none
Number

Numbers in LogScale are decimals with optional floating point or scientific notation.

Function Call

none
FunctionCall ::= FunctionName '(' FunctionArguments? ')'

FunctionArguments ::=
    NamedFunctionArgument (',' FunctionArguments)? |
    UnnamedFunctionArgument (',' FunctionArguments)?
none
NamedFunctionArgument ::=
    FieldName '=' Expression
none
UnnamedFunctionArgument ::=
    Expression

One occurrence of UnnamedFunctionArgument at most is supported in FunctionArguments.

Expression

none
Expression ::=
  Expression ComparisonOperator AdditiveExpression |
  AdditiveExpression
none
ComparisonOperator ::=
  '==' | '!=' | '>=' | '<=' | '>' | '<'
none
AdditiveExpression ::=
  AdditiveExpression AdditiveOperator MultiplicativeExpression |
  MultiplicativeExpression
none
AdditiveOperator ::=
  '+' | '-'
none
MultiplicativeExpression ::=
  MultiplicativeExpression MultiplicativeOperator UnaryExpression |
  UnaryExpression
none
MultiplicativeOperator ::=
  '*' | '/' | '%'
none
UnaryExpression ::=
  UnaryOperator? PrimaryExpression
none
UnaryOperator ::=
  '-' | '!'
none
PrimaryExpression ::=
  '(' Expression ')' |
  Subquery |
  FunctionCall |
  ArrayExpression |
  QueryParameter |
  BareWord |
  QuotedString
none
Subquery ::= '{' Pipeline '}'

An Expression is similar to an expression from general purpose languages, such as Java or C. It's used as an argument to functions or the right-hand side of := (Eval Shorthand).

Bare Words

none
BareWord ::=
  FieldName |
  UnquotedPattern

Caveat: UnquotedPattern is only used if it starts with a character that can't start a FieldName. For example, */*/*https://www.example.com/ is a BareWord, but https:*/*/*https://www.example.com/ isn't.

Array Expression

none
ArrayExpression ::=
  '[' (ArrayElement (',' ArrayElement)* )? ']'
none
ArrayElement ::=
  EvalFunctionShorthand | Expression

Eval Shorthand

none
EvalFunctionShorthand ::=
 FieldName ':=' FunctionCall

Shorthand for adding as=FieldName to argument list of FunctionCall.

none
EvalShorthand ::=
  FieldName ':=' Expression

Shorthand for:

logscale
eval(FieldName = Expression)

Note that eval() doesn't support ArrayExpression and Subquery expressions.

Field Shorthand

none
FieldShorthand ::= FieldName '=~' FunctionCall

Shorthand for adding field=FieldName to argument list of FunctionCall.

Case

none
Case ::=
  'case' '{' Pipeline (';' Pipeline)* '}'

Runs each pipeline in sequence until one matches an event.

Match

none
Match ::=
  FieldName 'match' '{' MatchPipeline (';' MatchPipeline)* '}'
none
MatchPipeline ::=
  MatchGuard => Pipeline
none
MatchGuard ::=
  '*'
  Regex |
  FunctionCall |
  QueryParameter |
  AnchoredPattern

Match evaluates the first Pipeline whose MatchGuard matches the current event. Match is not a shorthand for Case.

A MatchGuard is evaluated as follows:

If MatchGuard is on the form '*', the current event is matched.

Surprisingly enough, this is equivalent to *, not MyField = *. In other words, not a field existence test.

Otherwise, if MatchGuard is on the form Regex, the current event is matched if this matches: FieldName = Regex.

Otherwise, if MatchGuard is on the form FunctionCall, the current event is matched if this matches: FieldName =~ FunctionCall.

Otherwise, if MatchGuard is on the form AnchoredPattern, the current event is matched if this matches: FieldName=~ AnchoredPattern.

Saved Query

none
SavedQuery ::=
  '$' (UnquotedPattern | QuotedString) '(' SavedQueryArguments? ')'
none
SavedQueryArguments ::=
  SavedQueryArgument (',' SavedQueryArgument)*
none
SavedQueryArgument ::=
  (UnquotedPattern | QuotedString) '=' (UnquotedPattern | QuotedString)

Stats Shorthand

none
StatsShorthand ::= ArrayExpression

[ e1 , e2 ,, e3 ] is shorthand for stats([ e1 , e2 ,, e3 ]).