Query language
HeliosLogs has a compact, pipelined query language: a search expression that selects events, optionally followed by pipe operators that aggregate and reshape the results. This page covers the search expression; see Pipeline operators for the | ... stages, and the cheat sheet for a one-page summary.
Case-insensitive everywhere
Field names and values match case-insensitively. level:error, LEVEL:Error, and level:ERROR are identical.
Matching text
| Pattern | Matches |
|---|---|
| error | A bare term — substring match on message/raw. error also matches inside errors, mirror. |
| compl | Substring: e.g. "request completed". |
| "complete" | Quoted — an exact term, no substring expansion. |
| "upstream call failed" | A quoted phrase (words in order). |
Bare terms search the text fields (message and the full-original raw), so they find a value no matter which field it lives in. Quote a term to turn off the substring behavior.
Wildcards
* (any number of characters) and ? (a single character) work anywhere in a term:
compl*
*pleted
*omplet*
com?leted
Field filters
Match any JSON key present in your events as key:value — there's no fixed schema:
level:error
service:payment-gateway
http.status_code:502
user_id:cus_abc
Dotted keys address nested fields. Quote a value with spaces: error_msg:"connection refused".
Numeric ranges
On numeric fields, use comparison operators:
latency_ms:>1000
elb_status_code:>=500
duration:<=100
retries:<3
Both integer and float values match. (Lexical/string ranges aren't supported.)
Booleans and grouping
- Implicit AND between terms: level:error service:api.
- Explicit AND, OR, NOT.
- -term is shorthand for NOT term.
- Parentheses group sub-expressions.
severity:error -service:web
(severity:error OR severity:fatal) AND service:payment-gateway
level:error NOT "health check"
Parenthesize mixed AND/OR
When you combine AND and OR in one expression, add parentheses to make the grouping explicit and unambiguous — it's clearer for the next person reading the query, too.
Scope filters
| Filter | Effect |
|---|---|
| index:<pattern> | Restrict to matching indexes. Wildcards allowed: index:stripe-webhooks, index:*webhooks, index:stripe-* OR index:github-*. |
| source:<value> | Match the per-event source tag. |
| environment | Implicit — every search runs against the active environment (top-nav picker). Override per request with &env=<name> on the URL. |
Match everything
* (or an empty query) returns everything in the selected time range — handy as a starting point before adding filters, or as the base for an aggregation:
*
* | stats count by service
Worked examples
| Query | Finds |
|---|---|
| info | events containing "info" anywhere |
| payment-gateway | the hyphenated identifier, kept whole |
| *_ms | tokens ending in _ms (latency_ms, duration_ms) |
| level:error | events whose level field contains "error" |
| service:payment-gateway error_type:UpstreamUnavailable | implicit AND on two fields |
| "upstream call failed" | a phrase match |
| (severity:error OR severity:fatal) AND service:api | grouped boolean |
| latency_ms:>1000 | a numeric range |
| index:*webhooks level:error | a partition filter plus a field filter |
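The search-expression grammar described on this page, as an added reference matcher in Python (not HeliosLogs code): bare, quoted and wildcard terms, key:value filters with dotted keys, numeric ranges, implicit AND, explicit AND/OR/NOT, -term and parentheses. It assumes events are parsed JSON objects, treats the JSON line itself as the raw field, and runs over constructed sample events; search returns the service of each selected event.

```python
import fnmatch, functools, json, operator, re

# Constructed sample events (not from HeliosLogs); each stands in for one parsed JSON log line.
EVENTS = [{"level": "ERROR", "service": "payment-gateway", "latency_ms": 1450, "http": {"status_code": 502}, "message": "upstream call failed"},
          {"level": "info", "service": "api", "latency_ms": 80, "http": {"status_code": 200}, "message": "request completed"},
          {"level": "error", "service": "web", "latency_ms": 20, "http": {"status_code": 200}, "message": "health check: 0 errors"}]
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+(?:"[^"]*")?')  # parens, quoted phrases, terms, key:"quoted value"
RANGE = re.compile(r"(>=|<=|>|<)(-?\d+(?:\.\d+)?)$")
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
def lookup(event, key):  # dotted keys walk nested objects; key names compare case-insensitively
    return functools.reduce(lambda e, p: {k.lower(): v for k, v in e.items()}.get(p) if isinstance(e, dict) else None,
                            key.lower().split("."), event)
def match_term(event, tok):  # one term against one event; the 'raw' text is assumed to be the JSON line
    text = (str(event.get("message", "")) + " " + json.dumps(event)).lower()
    if tok.startswith('"'):  # quoted: exact term or phrase, no substring expansion
        return re.search(r"(?<!\w)" + re.escape(tok.strip('"').lower()) + r"(?!\w)", text) is not None
    if ":" in tok:  # field filter key:value on any JSON key
        key, val = tok.split(":", 1)
        actual, rng = lookup(event, key), RANGE.match(val)
        if rng and isinstance(actual, (int, float)):  # numeric range on int or float values
            return OPS[rng[1]](actual, float(rng[2]))
        val, have = val.strip('"').lower(), str(actual).lower()
        return actual is not None and (fnmatch.fnmatchcase(have, val) if set("*?") & set(val) else val in have)
    if set("*?") & set(tok):  # wildcard: tested against each token of the text
        return any(fnmatch.fnmatchcase(t, tok.lower()) for t in re.findall(r"[\w.-]+", text))
    return tok.lower() in text  # bare term: case-insensitive substring match
def parse_or(toks, i):  # or-expr := and-expr ('OR' and-expr)*
    left, i = parse_and(toks, i)
    while i < len(toks) and toks[i].upper() == "OR":
        right, i = parse_and(toks, i + 1)
        left = lambda ev, l=left, r=right: l(ev) or r(ev)
    return left, i
def parse_and(toks, i):  # and-expr := unary (['AND'] unary)*; adjacent terms are an implicit AND
    left, i = parse_not(toks, i)
    while i < len(toks) and toks[i] != ")" and toks[i].upper() != "OR":
        right, i = parse_not(toks, i + (toks[i].upper() == "AND"))
        left = lambda ev, l=left, r=right: l(ev) and r(ev)
    return left, i
def parse_not(toks, i):  # unary := 'NOT' unary | '(' or-expr ')' | term
    if toks[i].upper() == "NOT":
        inner, i = parse_not(toks, i + 1)
        return (lambda ev: not inner(ev)), i
    if toks[i] == "(":
        inner, i = parse_or(toks, i + 1)
        return inner, i + 1  # consume the closing ')'
    return (lambda ev, t=toks[i]: match_term(ev, t)), i + 1
def search(query, events=EVENTS):  # services of the selected events; '*' or an empty query selects everything
    toks = [t for tok in TOKEN.findall(query) for t in (("NOT", tok[1:]) if len(tok) > 1 and tok[0] == "-" else (tok,))]
    pred = parse_or(toks, 0)[0] if toks else (lambda ev: True)
    return [e["service"] for e in events if pred(e)]
```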
Ready to aggregate? Continue to Pipeline operators.