Explore documentation
Live tail query language
The Logs Query Language is what powers searching on Live tail. The query language is designed to be straightforward to use and powerful at the same time.
There are two main modes to use the query language in:
Simple queries
Simple queries are what you're used to from search engines - queries like these are all supported.
- "hello world"
- Started
- 404
- "https://example.com/abcd"
When you use a simple query, we search all columns that match the query type with a fulltext query, case insensitive. This means that if you search for Hello
, we can find logs like
{
message_string: "Hello world!",
}
and
{
article_published_at: "2021-05-26T13:32:01Z",
article_title: "The band Hello announced a new tour!"
}
Compound queries
Compound queries follow a more rigid structure, and allow for chaining query clauses in a single search. Compound queries are composed of clauses optionally chained with a conjunction operator. You can also use parentheses to give preference to the queries.
An example of a compound query is:
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
In the example query, there are two query clauses joined by an AND cojunction operator.
A compound query clause consists of a column, an operator, and a value. In the case of the previous query, the first clause has
vercel.proxy.status_code_integer
as the column,>=
as the operator, and400
as the value
Query clause format
You can use any columns you sent us in a compound query clause.
This is the operator list currently supported:
Operators applicable to all column types
=
equals!=
not equals
String operators
-
:
contains -
!:
not contains
-
Integer and Float operators
>=
greater than or equal<=
less than or equal>
greater than<
less than
The value of a query clause can be either a simple text, or a more complex text surrounded by quotes. Here are some examples:
hello
"Hello World"
500
Note that query clause values don't support asterisks (*
) or question marks (?
) for regex matching. These queries are therefore not valid:
vercel.proxy.status_code_integer>=4??
vercel.proxy.status_code_integer>=4*
In most cases, you can achieve the expected result with query chaining, like
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
We support two conjunction operators: AND
and OR
. You can also query for compound queries without using either of those, in which case we assume the AND
operator. This means that this query
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
behaves the same as this one
vercel.proxy.status_code_integer>=400 vercel.proxy.status_code_integer<500
Note that it's currently not possible to chain Simple and Compound queries - if you tried something like vercel.proxy.status_code_integer>=400 AND "Hello World"
, we fallback to parsing this as a simple query, matching the entire query contents against your columns.
fultext
column
Because chaining simple and compound queries is not supported, we have a special column to specify the fulltext search behavior present in simple queries: fulltext. The usage is the same as with other columns - the difference is that when we encounter this column, we search all columns in the same way as the simple queries do.
These queries are therefore equivalent:
Hello world
fulltext:"Hello world"
You can use =
, !=
, :
and !:
operators with the fulltext
column.
You can use the special fullext
column to make wider searches while maintaining filters imposed by other clauses, for example
vercel.proxy.status_code_intetger>=400 AND \
vercel.proxy.status_code_intetger>=400 AND \
fulltext:"Record Not Found"
Regular expressions
With operators :
and !:
, you can use regular expressions in your Live tail search.
The regular expression should be delimited with /
from both sides. By default it's case-sensitive, but you can switch it into case-insensitive matching by appending i
after the expression.
message:/Started (GET|POST)/
platform:/Kubernetes|HTTP/i
/OK in \d+\.\d+ms/