Explore documentation
  1. Welcome to Telemetry👋
  2. Quick start guide
  3. Log libraries
    1. Programming languages
    2. Cloud platforms
    3. Web servers & Load balancers
    4. Operating systems
    5. Databases & Message queues
    6. Containers & Clusters
    7. HTTP REST API
  4. Metrics
    1. Vector (Recommended)
    2. Prometheus (push)
    3. Prometheus (scrape)
    4. Datadog Agent
    5. OpenTelemetry
  5. Log Forwarding
    1. Vector (Recommended)
    2. Fluent Bit
    3. Logstash
    4. Fluentd
    5. Filebeat
    6. Syslog
  6. Dashboards
    1. Getting started
    2. Converting logs to metrics
    3. SQL queries
    4. Simplified PromQL
    5. Alerts
    6. How do we bill for metrics?
    7. Transforming with JavaScript
  7. Using Logs
    1. Querying data in Better Stack
    2. String + JSON format
    3. Formatting logs
    4. Live tail query language
    5. Explore logs with SQL
    6. AWS S3-compatible archive
  8. Telemetry API
    1. Get started with Telemetry API
    2. Sources API
    3. Metrics API
    4. Query API

Live tail query language

The Logs Query Language is what powers searching on Live tail. The query language is designed to be straightforward to use and powerful at the same time.

There are two main modes to use the query language in:

Simple queries

Simple queries are what you're used to from search engines - queries like these are all supported.

When you use a simple query, we search all columns that match the query type with a fulltext query, case insensitive. This means that if you search for Hello, we can find logs like

Matched log example
{
  message_string: "Hello world!",
}

and

Matched log example
{
  article_published_at: "2021-05-26T13:32:01Z",
  article_title: "The band Hello announced a new tour!"
}

Compound queries

Compound queries follow a more rigid structure, and allow for chaining query clauses in a single search. Compound queries are composed of clauses optionally chained with a conjunction operator. You can also use parentheses to give preference to the queries.

Compound query - Match 4xx status codes
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500

In the example query, there are two query clauses joined by an AND cojunction operator.

A compound query clause consists of a column, an operator, and a value. In the case of the previous query, the first clause has

  • vercel.proxy.status_code_integer as the column,
  • >= as the operator, and
  • 400 as the value

Query clause format

You can use any columns you sent us in a compound query clause.

This is the operator list currently supported:

  • Operators applicable to all column types

    • = equals
    • != not equals

  • String operators

    • : contains
    • !: not contains
    • =~ matches regex
    • !~ doesn't match regex

  • Integer and Float operators

    • >= greater than or equal
    • <= less than or equal
    • > greater than
    • < less than

The value of a query clause can be either a simple text, or a more complex text surrounded by quotes. Here are some examples:

  • hello
  • "Hello World"
  • 500

Note that query clause values don't support asterisks (*) or question marks (?) for regex matching. These queries are therefore not valid:

  • vercel.proxy.status_code_integer>=4??
  • vercel.proxy.status_code_integer>=4*

In most cases, you can achieve the expected result with query chaining, like

  • vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500

We support two conjunction operators: AND and OR. You can also query for compound queries without using either of those, in which case we assume the AND operator. This means that this query

Compound query - Match 4xx status codes
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500

behaves the same as this one

Compound query - Implicit AND for 4xx status codes
vercel.proxy.status_code_integer>=400 vercel.proxy.status_code_integer<500

Note that it's currently not possible to chain Simple and Compound queries - if you tried something like vercel.proxy.status_code_integer>=400 AND "Hello World", we fallback to parsing this as a simple query, matching the entire query contents against your columns.

Fulltext column

Because chaining simple and compound queries is not supported, we have a special column to specify the fulltext search behavior present in simple queries: fulltext. The usage is the same as with other columns - the difference is that when we encounter this column, we search all columns in the same way as the simple queries do.

These queries are therefore equivalent:

  • Hello world
  • fulltext:"Hello world"

You can use =, !=, :, !:, =~, and !~ operators with the fulltext column.

You can use the special fullext column to make wider searches while maintaining filters imposed by other clauses, for example

Example of using fulltext in compound query
vercel.proxy.status_code_intetger>=400 AND \
  vercel.proxy.status_code_intetger>=400 AND \
  fulltext:"Record Not Found"

Regular expressions

Query using regular expressions in Live tail to match more complex patterns within log entries.

There are three primary ways to use regex in your queries:

  • Fulltext search: Applies the regex to the entire log message, searching across all columns (e.g., /Started (GET|POST)/).
  • Column search: Applies the regex to specific columns using the =~ and !~ operators (e.g., message=~"Failed (GET|POST)").
  • Case-insensitive matching: Allows regex to ignore case sensitivity by appending an i after the expression, which requires slashes (e.g., message=~/case insensitive/i).

Want to match a range of numbers?
Regex is only supported for string-based columns. For numeric columns like status_code, use comparison operators such as status_code>=400 AND status_code<500.

Fulltext search with regex

In a fulltext search, the regex is applied to the entire log message, searching across all columns.

Filter logs where the log message contains "Started GET" or "Started POST":

Fulltext search: Match GET or POST requests
/Started (GET|POST)/

Find logs containing the word "error" followed by a 4xx or 5xx status code:

Fulltext search: Match error followed by 4xx or 5xx status codes
/error (4\d{2}|5\d{2})/

Match logs that include "OK in [some number] ms," where the number can have one or more digits and a decimal point:

Fulltext search: Match OK response time
/OK in \d+\.\d+ms/

Match logs containing user login messages in the format "User [ID] logged in," where [ID] is a combination of alphanumeric characters and hyphens:

Fulltext search: Match user login by ID
/"User [\w\-]+ logged in"/

Column search with regex

When using regex with specific columns, use the =~ and !~ operators, and wrap multiple-word patterns in quotes.

Filter logs where the message column contains "Failed GET" or "Failed POST":

Column search: Match failed GET or POST requests
message=~"Failed (GET|POST)"

Find logs where the user_agent column includes either "Chrome" or "Firefox":

Column search: Match Chrome or Firefox user agents
user_agent=~"Chrome|Firefox"

Match logs where the url column follows the pattern /api/v[version]/items, useful for tracking API version usage:

Column search: Match API version in URL path
url=~"\/api\/v\d+\/items"

Case-insensitive matching with regex

To perform case-insensitive matching, append i at the end of the regex expression, and use slashes around the pattern.

Perform a case-insensitive search for "Kubernetes" or "Docker" within the platform column:

Case-insensitive match: Match Kubernetes or Docker
platform=~"/Kubernetes|Docker/i"

Find logs where the user_agent column includes either "Chrome" or "Firefox":

Case-insensitive match: Match Chrome or Firefox user agents
user_agent=~"/Chrome|Firefox/i"

Previous article

Formatting logs

Next article

Explore logs with SQL