Query Language Reference

The Scalyr query language is used to select a set of events from your log data. It is used in searches and graphs, alert triggers, report definitions, and elsewhere. Here are some sample queries.

All log messages containing the word "error":

error

To search for text containing spaces, digits, or punctuation, enclose it in quotes:

"production-database"

Access log events showing a request for "/index.html", in which at least 5000 bytes were returned:

$logfile contains 'access_log' uriPath = '/index.html' bytes >= 5000

Log messages containing the phrase "deadline exceeded", from servers tagged as part of a database tier:

"deadline exceeded" $serverTier = "database"

Query Structure

A query can contain any number of terms. To select events matching all of the terms (an "AND" query), you can simply enter the terms next to one another:

$logfile contains 'access_log' uriPath = '/index.html'

You can also use explicit AND, OR, and NOT keywords to combine terms:

$logfile contains 'access_log' and not (uriPath = '/home' or path = "/away")

The operators &&, ||, and ! can be used as synonyms for AND, OR, and NOT:

$logfile contains 'access_log' && !(uriPath = '/home' || uriPath = "/away")

Text search

To search for a word, simply type that word. This forms a search term, which can be combined using explicit or implicit AND/OR. Here is a query which matches all events containing the word "hello" and at least one of "sir" or "madam":

hello (sir || madam)

To search for a more complex string, enclose it in single or double quotes:

"cache miss"
'critical error'

You can also search using regular expressions. Enclose the expression in double quotes, preceeded by a $:

$"/images/.*\.png"

All of these terms search in the "message" field of an event. For logs uploaded by the Scalyr Agent, this field contains the complete text of the log message. However, you can also search in other fields. To perform a string match, use the "contains" keyword:

$logfile contains 'access_log' 'log[0-9]+'

For a regular expression match, use "matches":

uriPath matches '\\.png$'

All text search is case-insensitive.

Field Comparison

The most powerful searches rely on event fields. (For a review of fields, refer back to the Getting Started page.) You can select events which do or do not have a particular value, using the == and != operators. = can be used as a synonym for ==:

uriPath = '/index.html'
status == 404
client != "localhost"

You can also use the <, <=, >, and >= operators to compare values. For instance, this query matches all requests with a status in the range 400-499:

status >= 400 status <= 499

For field comparison operators, strings are treated as case sensitive.

When using a field which is associated with a server or log file, place a $ before the field name:

$serverHost = 'frontend-1'

For fields that come directly from the log event, the $ is optional.

If a field name contains spaces or punctuation, use a backslash to escape those characters. For instance, to display events with field service-name equal to "memcache":

service\-name == "memcache"

Finally, you can compare a field with the special value * to match events with any value in that field:

error == *