Live tail query language

The Logs Query Language is what powers searching on Live tail. The query language is designed to be straightforward to use and powerful at the same time.

The query language has two main modes:

Simple queries

Simple queries are what you're used to from search engines - queries like these are all supported.

When you use a simple query, we run a case-insensitive fulltext search across all columns that match the query type. This means that if you search for Hello, we can find logs like

Matched log example
{
  message_string: "Hello world!",
}

and

Matched log example
{
  article_published_at: "2021-05-26T13:32:01Z",
  article_title: "The band Hello announced a new tour!"
}

Compound queries

Compound queries follow a more rigid structure and allow chaining query clauses in a single search. Compound queries are composed of clauses optionally chained with a conjunction operator. You can also use parentheses to control the order in which clauses are evaluated.

An example of a compound query is:

  • vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500

In the example query, there are two query clauses joined by an AND conjunction operator.

A compound query clause consists of a column, an operator, and a value. In the case of the previous query, the first clause has

  • vercel.proxy.status_code_integer as the column,
  • >= as the operator, and
  • 400 as the value

Query clause format

You can use any columns you sent us in a compound query clause.

This is the operator list currently supported:

  • Operators applicable to all column types

    • = equals
    • != not equals
  • String operators

    • : contains
    • !: not contains
  • Integer and Float operators

    • >= greater than or equal
    • <= less than or equal
    • > greater than
    • < less than

The value of a query clause can be either simple text or more complex text surrounded by quotes. Here are some examples:

  • hello
  • "Hello World"
  • 500

Note that query clause values don't support asterisks (*) or question marks (?) for regex matching. These queries are therefore not valid:

  • vercel.proxy.status_code_integer>=4??
  • vercel.proxy.status_code_integer>=4*

In most cases, you can achieve the expected result with query chaining, like

  • vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500

We support two conjunction operators: AND and OR. You can also chain clauses without using either of those, in which case we assume the AND operator. This means that this query

Compound query example
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500 

behaves the same as this one

Compound query example
vercel.proxy.status_code_integer>=400 vercel.proxy.status_code_integer<500 

Note that it's currently not possible to chain simple and compound queries. If you try something like vercel.proxy.status_code_integer>=400 AND "Hello World", we fall back to parsing it as a simple query, matching the entire query contents against your columns.

fulltext column

Because chaining simple and compound queries is not supported, we have a special column to specify the fulltext search behavior present in simple queries: fulltext. The usage is the same as with other columns - the difference is that when we encounter this column, we search all columns in the same way as the simple queries do.

These queries are therefore equivalent:

  • Hello world
  • fulltext:"Hello world"

You can use =, !=, : and !: operators with the fulltext column.

You can use the special fulltext column to make wider searches while maintaining filters imposed by other clauses, for example

Example of using fulltext in compound query
vercel.proxy.status_code_integer>=400 AND \
  vercel.proxy.status_code_integer<500 AND \
  fulltext:"Record Not Found"

Regular expressions

With operators : and !:, you can use regular expressions in your Live tail search.

Delimit the regular expression with / on both sides. Matching is case-sensitive by default; append i after the closing / to make it case-insensitive.

Example of using case-sensitive regex
message:/Started (GET|POST)/

Example of using case-insensitive regex
platform:/Kubernetes|HTTP/i

Example of using regex in fulltext search
/OK in \d+\.\d+ms/
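
The rules above (implied AND, fallback to a simple query, the fulltext column and /regex/ values) can be checked offline with a small local model. This Python sketch is an added example, not the service's own code. Its function names and sample records are constructed, OR and parentheses are left out, and it assumes that plain "contains" ignores case and that fulltext searches every column regardless of type.

```python
import operator
import re

# column, operator, value (bare word, "quoted text" or /regex/ with optional i)
CLAUSE = re.compile(r'(?<!\S)([\w.]+)(!=|!:|>=|<=|=|:|>|<)("[^"]*"|/.+?/i?(?!\S)|\S+)')
NUMERIC = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}

def parse(query):
    """Split a query into (column, operator, value) clauses joined by AND."""
    leftover = re.sub(r"\bAND\b", " ", CLAUSE.sub(" ", query)).strip()
    if leftover:
        # Anything that is not a clause (for example a bare "Hello World")
        # makes the whole input a simple query, i.e. one fulltext clause.
        return [("fulltext", ":", query.strip())]
    return CLAUSE.findall(query)

def contains(text, value):
    rx = re.fullmatch(r"/(.+)/(i?)", value)
    if rx:  # /regex/ is case-sensitive unless suffixed with i
        return re.search(rx[1], text, re.I if rx[2] else 0) is not None
    # Assumption: plain "contains" ignores case, as simple queries do.
    return value.strip('"').lower() in text.lower()

def clause_matches(record, column, op, value):
    if column == "fulltext":  # fulltext looks at every column
        fields = list(record.values())
    else:  # a column missing from the record yields no candidates
        fields = [record[column]] if column in record else []
    if op in NUMERIC:
        return any(NUMERIC[op](float(f), float(value)) for f in fields)
    if op.endswith(":"):
        hit = any(contains(str(f), value) for f in fields)
    else:
        hit = any(str(f) == value.strip('"') for f in fields)
    return hit != op.startswith("!")  # != and !: negate the result

def matches(record, query):
    return all(clause_matches(record, *clause) for clause in parse(query))

# Constructed sample records; column names follow the page's examples.
LOGS = [
    {"vercel.proxy.status_code_integer": 404, "message": "Record Not Found"},
    {"vercel.proxy.status_code_integer": 500, "message": "Record Not Found"},
    {"vercel.proxy.status_code_integer": 200, "message": "Started GET /"},
]

def search(query):
    return [log["vercel.proxy.status_code_integer"] for log in LOGS if matches(log, query)]
```

Running search() with a mixed query such as a status clause followed by a bare quoted phrase returns nothing here, because the whole input is matched as one fulltext string. Moving the phrase into a fulltext clause keeps the status filter.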