Query syntax

Use queries in the Log Explorer page, in alert rules or in dashboards to filter your data and query OpenTelemetry attributes. The attributes you can query are the ones your OpenTelemetry Collector retrieves, according to how you configured it. See What does a log entry in OpenTelemetry format look like? for an overview of the main attributes.

In the Log Explorer page:

  • Type your query, then press CTRL + Enter to launch the search.
  • Do not include time parameters in your queries: the time period is set with the list in the top right corner, or with the timeline.

Examples of simple queries

Select all logs with syslog as a service name.

service_name:syslog

Select all logs for the syslog service with a severity number strictly above 20, i.e. logs with the FATAL severity. Use the AND boolean operator.

service_name:syslog AND severity_number:[20 TO *]

Select all FATAL logs for the syslog service, coming from hosts in a specified IP range. Use the * wildcard.

service_name:syslog AND severity_number:[20 TO *] AND host.ip:192.168.1.*

Select all FATAL logs for the syslog service, coming from hosts in a specified IP range, except 192.168.1.10. Combine the AND and NOT boolean operators.

service_name:syslog AND severity_number:[20 TO *] AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10"

Among these logs, find those whose message body contains the word "failed". Matching is case-sensitive.

service_name:syslog AND severity_number:[20 TO *] AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10" AND body.message:*failed*
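As an added illustration (not part of this page or the product's own code), the following Python evaluator applies the flat AND / AND NOT form built up above to a handful of constructed records, covering the inclusive numeric range, the * wildcard, quoted exact match and case-sensitive matching; the sample records and the flattened dotted-key layout are assumptions.

```python
import fnmatch
import re

# Constructed sample records (hypothetical data), with OpenTelemetry attributes
# flattened to dotted keys so that "host.ip" and "body.message" are plain lookups.
LOGS = [
    {"service_name": "syslog", "severity_number": 21, "host.ip": "192.168.1.7",  "body.message": "ssh login failed for root"},
    {"service_name": "syslog", "severity_number": 21, "host.ip": "192.168.1.10", "body.message": "disk failed"},
    {"service_name": "syslog", "severity_number": 9,  "host.ip": "192.168.1.7",  "body.message": "session opened"},
    {"service_name": "nginx",  "severity_number": 21, "host.ip": "192.168.1.8",  "body.message": "upstream failed"},
    {"service_name": "syslog", "severity_number": 21, "host.ip": "192.168.1.9",  "body.message": "Failed unit"},
]

# [lo TO hi] with * meaning "unbounded" on either side.
RANGE = re.compile(r"^\[(\*|\d+) TO (\*|\d+)\]$")


def term_matches(log, field, pattern):
    """Match a single field:pattern clause against one record, case-sensitively."""
    value = log.get(field)
    if value is None:
        return False
    m = RANGE.match(pattern)
    if m:  # inclusive numeric range: [20 TO *] keeps severity_number >= 20
        lo, hi = m.groups()
        return (lo == "*" or value >= int(lo)) and (hi == "*" or value <= int(hi))
    if pattern.startswith('"') and pattern.endswith('"'):
        return str(value) == pattern[1:-1]  # quoted value: exact match, no wildcard
    return fnmatch.fnmatchcase(str(value), pattern)  # * wildcard, case-sensitive


def run_query(query, logs=LOGS):
    """Evaluate a query made of clauses joined by AND, each optionally prefixed by NOT."""
    results = []
    for log in logs:
        keep = True
        for clause in query.split(" AND "):
            negate = clause.startswith("NOT ")
            field, pattern = (clause[4:] if negate else clause).split(":", 1)
            if term_matches(log, field, pattern) == negate:  # NOT flips the clause
                keep = False
                break
        if keep:
            results.append(log)
    return results


if __name__ == "__main__":
    final = 'service_name:syslog AND severity_number:[20 TO *] AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10" AND body.message:*failed*'
    print(run_query(final))  # only the 192.168.1.7 record: "Failed unit" is excluded by case
```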