# Query cheat sheet

A one-page summary. Full detail in Query language and Pipeline operators.
## Matching

| Syntax | Meaning |
|---|---|
| `error` | substring on message/raw |
| `"error"` | exact term (no substring) |
| `"upstream call failed"` | phrase |
| `compl*` `*pleted` `com?leted` | wildcards (`*` any, `?` one char) |

Everything is case-insensitive.
## Fields & ranges

| Syntax | Meaning |
|---|---|
| `level:error` | field value contains (substring match) |
| `error.type:Timeout` | nested (dotted) field |
| `field:"two words"` | quoted field value |
| `latency_ms:>1000` | numeric `>` `>=` `<` `<=` |
## Booleans

| Syntax | Meaning |
|---|---|
| `a b` | implicit AND |
| `a AND b` / `a OR b` | explicit |
| `-term` / `NOT term` | negation |
| `(a OR b) AND c` | grouping |
## Scope

| Syntax | Meaning |
|---|---|
| `index:nginx` `index:*webhooks` | partition filter (wildcards ok) |
| `source:checkout` | per-event source tag |
| `&env=prod` (URL) | override the active environment |
| `*` | everything in range |
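The four tables above describe matching semantics without showing them applied. The following is an added example, not code from the page or from the query tool it documents: a small Python evaluator for the term, field, boolean and scope syntax, run over constructed events, so the difference between `error` (substring), `"error"` (whole word), `compl*` (wildcard per word) and `level:error` (substring on a field) can be checked by hand. It assumes events are dicts with the free text under `message`, nested fields as nested dicts, the keywords `AND`/`OR`/`NOT` in upper case, and numeric ranges only matching numeric field values; the sample events are constructed.

```python
import operator
import re
from fnmatch import fnmatchcase

# Token kinds: parentheses, optionally field-prefixed quoted strings, and bare words (incl. -term and a:b).
TOKEN_RE = re.compile(r'\(|\)|(?:[\w.]+:)?"[^"]*"|[^\s()]+')
NUM_RE = re.compile(r'(>=|<=|>|<)(-?\d+(?:\.\d+)?)$')
NUM_OPS = {'>': operator.gt, '>=': operator.ge, '<': operator.lt, '<=': operator.le}

def lookup(event, dotted):
    # Resolve a dotted name such as error.type through nested dicts (assumed event layout).
    for part in dotted.split('.'):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def match_term(tok, event):
    # One term against one event, following the Matching and Fields & ranges tables.
    text = str(event.get('message', ''))  # 'message' as the free-text field is an assumption
    if tok.startswith('"'):                           # "exact term" / "a phrase": whole words only
        return re.search(r'\b' + re.escape(tok[1:-1]) + r'\b', text, re.I) is not None
    if ':' in tok:                                    # field:value
        field, _, value = tok.partition(':')
        actual = lookup(event, field)
        if actual is None:
            return False
        if value.startswith('"'):                     # field:"two words"
            return value[1:-1].lower() in str(actual).lower()
        m = NUM_RE.match(value)
        if m:                                         # latency_ms:>1000; non-numeric values never match
            return isinstance(actual, (int, float)) and NUM_OPS[m.group(1)](actual, float(m.group(2)))
        if any(c in value for c in '*?'):             # index:*webhooks
            return fnmatchcase(str(actual).lower(), value.lower())
        return value.lower() in str(actual).lower()   # substring on the field value
    if any(c in tok for c in '*?'):                   # compl* / *pleted / com?leted per word; bare * matches all
        return any(fnmatchcase(w.lower(), tok.lower()) for w in re.findall(r'\w+', text) or [''])
    return tok.lower() in text.lower()                # bare word: substring on message

class Parser:
    # Recursive descent, lowest to highest precedence: OR, AND (explicit or implicit), NOT / -term.
    def __init__(self, query):
        self.toks, self.pos = TOKEN_RE.findall(query), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == 'OR':
            self.take()
            left = ('or', left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_unary()
        while self.peek() not in (None, 'OR', ')'):   # adjacent terms are an implicit AND
            if self.peek() == 'AND':
                self.take()
            left = ('and', left, self.parse_unary())
        return left
    def parse_unary(self):
        tok = self.peek()
        if tok is None or tok == ')':
            raise ValueError('malformed query near %r' % tok)
        if tok == 'NOT' or (tok.startswith('-') and len(tok) > 1):
            self.take()
            return ('not', self.parse_unary() if tok == 'NOT' else ('term', tok[1:]))
        if tok == '(':
            self.take()
            node = self.parse_or()
            if self.peek() != ')':
                raise ValueError('missing )')
            self.take()
            return node
        return ('term', self.take())

def evaluate(node, event):
    kind, *args = node
    if kind == 'term':
        return match_term(args[0], event)
    if kind == 'not':
        return not evaluate(args[0], event)
    left, right = (evaluate(a, event) for a in args)
    return (left and right) if kind == 'and' else (left or right)

def search(query, events):
    # Indices of the events matching query; a ValueError means the query did not parse.
    parser = Parser(query)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError('unexpected %r' % parser.peek())
    return [i for i, e in enumerate(events) if evaluate(tree, e)]

# Constructed sample events, not real log data.
EVENTS = [
    {'index': 'nginx', 'service': 'checkout', 'level': 'error', 'latency_ms': 2300, 'error': {'type': 'Timeout'}, 'message': 'upstream call failed (error: Timeout)'},
    {'index': 'nginx', 'service': 'search', 'level': 'info', 'latency_ms': 120, 'message': 'request completed'},
    {'index': 'prod-webhooks', 'service': 'checkout', 'level': 'warn', 'latency_ms': 900, 'message': 'retrying after errors from provider'},
]
```

With these events, `search('error', EVENTS)` returns `[0, 2]` because the bare word also hits "errors", while `search('"error"', EVENTS)` returns `[0]` only; that is the distinction a detection query usually needs to get right. The parser is deliberately strict: an unbalanced parenthesis raises rather than silently matching part of the query.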
## Pipeline

`<search> | <stage> | <stage> …`

| Stage | Example |
|---|---|
| stats | `…` |
| timechart | `…` |
| top / rare | `…` |
| sort | `…` |
| head / tail | `…` |
| where | `…` |
| fields | `…` |
| rename | `…` |

Aggregations: `count`, `sum`, `avg`/`mean`, `min`, `max`, `p50`/`median`, `p95`, `p99`, `earliest`/`latest` (timestamp). `where` operators: `=` `!=` `>` `>=` `<` `<=`. Span units: `ms` `s` `m` `h` `d`.
## Recipes

```bash
level:error | stats count by service | sort -count        # errors per service
* | timechart span=5m p95(latency_ms) by service          # latency over time
elb_status_code:>=500 | top 5 target_group                # worst targets
* | stats count by service | where count > 1000           # noisy services
```
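To make the pipeline stages and the recipes above concrete, here is an added example that is not code from the page or from the tool it documents: a Python re-implementation of `stats`, `timechart`, `top`/`rare`, `sort`, `head`/`tail`, `where`, `fields` and `rename`, with the aggregation list from the Pipeline section, run over constructed rows. It assumes rows are dicts, the timestamp is an aware `datetime` under `_time`, percentiles use the nearest-rank method, `top`/`rare`/`head`/`tail` default to 10, and `rename` takes `old as new`; the leading `<search>` is taken as already applied, so the stage string starts at the first `|`-separated stage.

```python
import math
import operator
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

SPAN_SECONDS = {'ms': 0.001, 's': 1, 'm': 60, 'h': 3600, 'd': 86400}
WHERE_OPS = {'=': operator.eq, '!=': operator.ne, '>': operator.gt, '>=': operator.ge, '<': operator.lt, '<=': operator.le}

def percentile(values, p):
    # Nearest-rank percentile; the page does not say which method the tool uses, so this is assumed.
    vals = sorted(values)
    return vals[max(0, math.ceil(p / 100 * len(vals)) - 1)]

AGG = {
    'count': len, 'sum': sum, 'min': min, 'max': max, 'earliest': min, 'latest': max,
    'avg': lambda v: sum(v) / len(v), 'mean': lambda v: sum(v) / len(v),
    'p50': lambda v: percentile(v, 50), 'median': lambda v: percentile(v, 50),
    'p95': lambda v: percentile(v, 95), 'p99': lambda v: percentile(v, 99),
}

def aggregate(spec, rows):
    # Evaluate one spec such as 'count' or 'p95(latency_ms)' over a list of row dicts.
    name, field = re.fullmatch(r'(\w+)(?:\((\w+)\))?', spec).groups()
    return AGG[name]([r[field] for r in rows if field in r] if field else rows)

def stage_stats(args, rows):
    spec, by = re.fullmatch(r'(.+?)(?:\s+by\s+(\w+))?', args).groups()
    if by is None:
        return [{spec: aggregate(spec, rows)}]
    groups = defaultdict(list)
    for r in rows:
        groups[r.get(by)].append(r)
    return [{by: key, spec: aggregate(spec, g)} for key, g in groups.items()]

def stage_timechart(args, rows):
    n, unit, spec, by = re.fullmatch(r'span=(\d+)(ms|s|m|h|d)\s+(\S+)(?:\s+by\s+(\w+))?', args).groups()
    span = int(n) * SPAN_SECONDS[unit]
    buckets = defaultdict(list)
    for r in rows:  # '_time' holding an aware datetime is an assumption
        start = r['_time'] - timedelta(seconds=r['_time'].timestamp() % span)  # bucket start
        buckets[(start, r.get(by) if by else None)].append(r)
    return [{'_time': start, spec: aggregate(spec, g), **({by: key} if by else {})}
            for (start, key), g in sorted(buckets.items(), key=lambda kv: (kv[0][0], str(kv[0][1])))]

def num_or_text(v):
    try:
        return float(v)
    except (TypeError, ValueError):
        return str(v)

def stage_where(args, rows):
    field, op, raw = re.fullmatch(r'(\w+)\s*(>=|<=|!=|=|>|<)\s*(\S+)', args).groups()
    target = num_or_text(raw.strip('"'))
    # A number compared with text is treated as no match rather than raising.
    return [r for r in rows if field in r and type(num_or_text(r[field])) is type(target)
            and WHERE_OPS[op](num_or_text(r[field]), target)]

def stage_sort(args, rows):
    return sorted(rows, key=lambda r: r.get(args.lstrip('-')), reverse=args.startswith('-'))

def stage_top(args, rows, rare=False):
    n, field = re.fullmatch(r'(?:(\d+)\s+)?(\w+)', args).groups()
    counts = Counter(r[field] for r in rows if field in r)
    ordered = sorted(counts.items(), key=lambda kv: kv[1], reverse=not rare)
    return [{field: k, 'count': c} for k, c in ordered[:int(n) if n else 10]]  # default 10 assumed

def stage_rename(args, rows):
    old, new = args.split(' as ')  # 'rename old as new' syntax is assumed
    return [{new if k == old else k: v for k, v in r.items()} for r in rows]

STAGES = {
    'stats': stage_stats, 'timechart': stage_timechart, 'where': stage_where, 'sort': stage_sort,
    'top': stage_top, 'rare': lambda a, r: stage_top(a, r, rare=True), 'rename': stage_rename,
    'head': lambda a, r: r[:int(a or 10)], 'tail': lambda a, r: r[-int(a or 10):],
    'fields': lambda a, r: [{k: x[k] for k in re.split(r'[,\s]+', a) if k in x} for x in r],
}

def run_pipeline(pipeline, rows):
    # Run 'stage | stage | ...' over rows; the leading <search> is assumed to be already applied.
    for stage in pipeline.split('|'):
        name, _, args = stage.strip().partition(' ')
        if name:
            rows = STAGES[name](args.strip(), rows)
    return rows

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ROWS = [  # constructed sample rows, not real traffic
    {'_time': T0 + timedelta(minutes=1), 'service': 'checkout', 'level': 'error', 'latency_ms': 2300, 'target_group': 'tg-a'},
    {'_time': T0 + timedelta(minutes=2), 'service': 'checkout', 'level': 'error', 'latency_ms': 1800, 'target_group': 'tg-a'},
    {'_time': T0 + timedelta(minutes=3), 'service': 'search', 'level': 'info', 'latency_ms': 120, 'target_group': 'tg-b'},
    {'_time': T0 + timedelta(minutes=6), 'service': 'checkout', 'level': 'info', 'latency_ms': 400, 'target_group': 'tg-a'},
    {'_time': T0 + timedelta(minutes=7), 'service': 'search', 'level': 'error', 'latency_ms': 950, 'target_group': 'tg-c'},
]
```

`run_pipeline('stats count by service | sort -count', ROWS)` mirrors the first recipe once `level:error` has been applied, and `run_pipeline('timechart span=5m p95(latency_ms) by service', ROWS)` yields one row per (bucket, service) pair; the 12:00 checkout bucket reports 2300 because nearest-rank p95 over two samples is the larger one. Each stage is a plain function over a list of dicts, so adding a stage is a one-line entry in `STAGES`.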