
AppLogs Query Language

Collect, consolidate, index, and search logs to gain actionable insights using Site24x7 AppLogs. Add a log profile and log type to start managing your logs now. Run easy-to-understand query language searches to filter out invalid values and obtain actionable results quickly. This document describes the query syntax, structure, and types.

Overview 

Syntax 

Supported operators

Operator Description
logtype Search for logs of a particular framework type.
monitor_name Search for logs from a particular monitor.
monitor_group Search for logs from a particular monitor group.
tags Search for logs from monitors that share a common tag.
and Add a constraint that must hold together with the previous condition.
or Add a constraint that matches when either it or the previous condition holds.
groupby Find the count of repetitive values in the specified field.
timeslice Display the time for a log based on a specified interval.
is empty Designate that the associated field has a null value.
is not empty Designate that the associated field does not have a null value.
sum Returns the sum of the selected values in the field.
min Returns the minimum value in the field.
max Returns the maximum value in the field.
avg Returns the average of the values in the field.
distinct Returns only the distinct (different) values.
count_distinct Returns the count of the distinct values.
count Returns the number of log messages that match the query.
include Shows only the selected fields from the search output.
exclude Excludes and shows values other than the given fields from the search output.
before Returns the result of the query for the same time window an hour, a day, or a week earlier.
having Apply conditions over the groupby query and get the required output.
sort Returns the sorted values based on some fields.
STARTSWITH Gives the values that start with the given search criteria.
LIKE Allows an asterisk (*) wildcard in the search value.
in Similar to using multiple 'or' with '='.
notin Similar to using multiple 'and' with '!='.
histo Gives a histogram for a numerical field.
range Returns a custom range for a histogram.
range interval Returns a constant interval output for a histogram.

Numeric operators

If a field is a numeric field, you can use the operators >, <, =, !=, <=, or >= to compare it with a value.

Operator Description
> Is greater than.
< Is less than.
= Is equal to.
!= Is not equal to.
>= Is greater than or equal to.
<= Is less than or equal to.

String operators

If a field is a string field or any other non-numeric field, it can use the following operators: =, !=, CONTAINS, and DOES NOT CONTAIN.

Operator Description
= Is equal to.
!= Is not equal to.
CONTAINS Returns values that contain the given substring.
DOES NOT CONTAIN Returns values that do not contain the given substring.

Query template 

The general format of a query is as follows:

logtype = "examplelogtype" and "exampleNumericField1" [>,<,=,<=,>=] "dummynumber" or "examplestringfield1" [CONTAINS,!=,=] "examplesubstring1" groupby "examplestringfield2" timeslice [h,d,m] 

Limitations to query constraints

  • The timeslice and count constraints cannot have any other constraint come after them.
  • groupby constraint can only be followed by a timeslice constraint.
  • Count and count distinct constraints cannot co-exist.
  • A count constraint can be used only at the end of a query, and that query must not contain groupby, timeslice, or aggregation constraints.

Query language

To search using query language, follow this format: 

logtype="(name of log type)" and (other conditions)

In this format:

  • (name of log type) should be the display name of any previously added log type.
  • (other conditions) can be any number of conditions. You can combine conditions with the operators and, or, or !.

Sample query:

   logtype="SysLogs" and application CONTAINS "systemd"

In this example:

  • (name of the log type) is SysLogs. 
  • (other conditions) is application CONTAINS "systemd".


Result: This query fetches the log entries with the log type "SysLogs" and the application field containing "systemd". 

Combining queries

You can also combine multiple conditions, as in the examples below.

  • Simple queries with monitor name

logtype="SysLogs" and monitor_name CONTAINS "Zylker-server" and application CONTAINS "kernel"

In this query, both the monitor name and the application field value are used to search for logs. Log entries from the monitor "Zylker-server" whose application field contains "kernel" are displayed as a result.

logtype="SysLogs" and (application CONTAINS "kernel" or application CONTAINS "systemd") and message CONTAINS "pcieport"

In this query, the conditions inside the brackets are grouped together. Any log entry whose application field contains "kernel" or "systemd" and whose message field contains "pcieport" is displayed as a result.

  • Timeslice

Adding timeslice (a time period) at the end of a query generates a table that divides the query's total time range into slices of the specified length and shows the count of log entries in each slice. Timeslice values use the units d (day), h (hour), or m (minute).

logtype="SysLogs" timeslice 2h

In this query, a search of the last 24 hours provides 12 entries (i.e. 24 hours with a time slice of two hours gives 12 total entries).


  • Or

Returns a value that matches either of the conditions provided.

logtype="IIS Access Logs" and (method="GET" or method="POST" or method="PUT")

This query fetches all GET, POST, and PUT method requests.


  • Groupby

Groupby (field name) shows the number of entries with the same value for the provided field.

logtype="SysLogs" groupby application

In this query, the number of entries sharing each value of the field "application" is displayed.


  • SUM(), MIN(), MAX(), AVG()

Using these functions, you can find the minimum, maximum, average, and sum of numeric fields in your logs.

For example, you can use this for numerical values in your logs wherein you wish to obtain the aggregate data.

logtype="IIS Access Logs" AVG(timetaken) MIN(timetaken) MAX(timetaken) SUM(timetaken)

This query fetches the aggregate time taken values.


  • Distinct

By using distinct in the query, you can fetch a table that contains only distinct values.

For example, you can use distinct when there are multiple repeated values but you wish to obtain only distinct values in a table as your search result.

logtype="ServerLogs" distinct(threadname)

As a result, the distinct thread names and their counts are displayed.


  • Count distinct

Count distinct in a query fetches only the count of the distinct values.

For example, when you want to know how many distinct values a field has in your logs, count distinct can be used.

logtype="ServerLogs" COUNT_DISTINCT(threadname)

The result displays the count of the distinct values.

Count and Count distinct cannot co-exist.


  • Count

Using Count at the end of a query will give you the total number of log messages that match the constraints in the query.

logtype="Windows Event Logs" and source CONTAINS "Microsoft-Windows-Security-Auditing" count

The result fetches the number of log messages that match the above conditions.


  • Combining groupby and aggregation together

The search below generates a groupby table, with additional columns for aggregation values.  

For example, when you want aggregate results for the values grouped in a groupby table, this combination can be helpful.

logtype="IIS Access Logs" AVG(timetaken) MIN(timetaken) MAX(timetaken) groupby stemuri

In this query, the Min, Max, Avg, and Count for each unique stemuri value are displayed.


  • Combining timeslice and aggregation together

The search below generates a timeslice table, with additional columns for aggregation values.  

For example, when you want aggregate results on a timely basis, you can use this combination.

logtype="IIS Access Logs" AVG(timetaken) MIN(timetaken) MAX(timetaken) timeslice 1h

In this query, the Min, Max, Avg, and Count for each one-hour slice are displayed.


  • Combining groupby and timeslice together

The search below generates a timeslice table with an additional column for the groupby values. Going from left to right, the columns read: timeslice, count, and value(s).

For example, when you want your results timesliced, and at the same time grouped based on the given constraint, you can use both groupby and timeslice together in a query.

logtype="SysLogs" groupby application timeslice 1d

In this query, the number of log entries that are timesliced by a day and have the same values for the field "application" are displayed.

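As an added illustration of the timeslice table and the groupby-plus-timeslice table described above (example code written for this page, not part of Site24x7 AppLogs), the following Python reproduces the slicing arithmetic and the (timeslice, value, count) rows over a constructed set of SysLogs records; the window, timestamps and application values are made up.

```python
from collections import Counter
from datetime import datetime, timedelta

# Slice units as the page documents them: d (day), h (hour), m (minute).
UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}

# Constructed SysLogs records (sample data, not real logs) with a timestamp and
# the 'application' field used in the page's groupby examples.
W_START, W_END = datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 2, 0, 0)  # 24-hour window
RECORDS = [
    {"ts": datetime(2024, 1, 1, 0, 30), "application": "kernel"},
    {"ts": datetime(2024, 1, 1, 1, 15), "application": "systemd"},
    {"ts": datetime(2024, 1, 1, 3, 5), "application": "kernel"},
    {"ts": datetime(2024, 1, 1, 22, 59), "application": "sshd"},
    {"ts": datetime(2024, 1, 1, 23, 30), "application": "kernel"},
]


def parse_timeslice(spec):
    """'2h' -> timedelta(hours=2), '1d' -> timedelta(days=1), '15m' -> 15 minutes."""
    return int(spec[:-1]) * UNITS[spec[-1]]


def slice_count(start, end, spec):
    """Number of slices a window yields: 24 hours with timeslice 2h gives 12."""
    width = parse_timeslice(spec)
    return -((start - end) // width)  # ceiling division on timedeltas


def timeslice_groupby(records, start, end, spec, field=None):
    """Build the page's timeslice table: one row per (slice start, groupby value)
    with the count of log entries; field=None reproduces a plain timeslice query."""
    width = parse_timeslice(spec)
    counts = Counter()
    for r in records:
        if not start <= r["ts"] < end:
            continue  # outside the searched time range
        slice_start = start + ((r["ts"] - start) // width) * width
        counts[(slice_start, r.get(field, "") if field else "")] += 1
    return sorted(counts.items())  # [((slice_start, value), count), ...]
```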

  • Multiple groupby

The search below generates a table with multiple groupby options.

For example, when you want to group by several fields, list them after groupby separated by commas so that you can consolidate and view a multilevel groupby in a single table.

logtype="ServerLogs" groupby sourcefilename,loglevel,threadname

In this query, the results are grouped by sourcefilename, then loglevel, then threadname.


  • Include

Using include in a search query fetches results with only the specified fields displayed.

logtype="SysLogs" | include(application,message)

In this query, only the application and message fields are shown in the search output.

  • Exclude

Using Exclude in a search query fetches results with the specified fields omitted.

logtype="SysLogs" | exclude(pid)

In this query, the search output is displayed without the pid field.

  • Before

Using this operator, you can view the result the same query would have returned for the same time window an hour, a day, or a week earlier.

For example, use before when you want the result the query would have given at an earlier time.

logtype="Apache Access Logs" avg(responsesize) | before 7d

This query fetches the avg(responsesize) for the same time window one week earlier.

  • Having

Using this operator, you can apply a condition to the result of a groupby query and keep only the groups that satisfy it.

logtype="Apache Access Logs" groupby requesturi having avg(responsesize)>10240

This query returns only the requesturi values whose avg(responsesize) is greater than 10240.

  • Sort

This sorts the results by the specified field.

For example, when you want to organize or categorize your results based on some values, you can use sort.

Note: This can be used only with groupby queries.

logtype="Apache Access Logs" groupby requesturi sort avg(responsesize)

This query fetches the output for requesturi sorted by the avg(responsesize) value.

  • STARTSWITH

Gives the values that start with the given search criteria. This fetches results similar to using LIKE with a * at the end, i.e., searching STARTSWITH "Log" is the same as searching LIKE "Log*".

logtype="Windows Event Logs" and source STARTSWITH "Micro"

This fetches results for all the sources that start with Micro.


  • LIKE

This is case sensitive and allows an asterisk (*) as a wildcard in the search value.
For example, LIKE "Log*n" matches both Logon and Login.

logtype="Windows Event Logs" and source LIKE "Microsoft*Auditing"

This fetches results for any source such as Microsoft Security Auditing, Microsoft Windows Auditing, and so on.

A LIKE value cannot begin with *.
For example, source LIKE "*" or source LIKE "*Windows" will not work.


  • in

Similar to using multiple 'or' with '='. All values in the set are compared.
For example, status in("200","404","500") is the same as (status="200" or status="404" or status="500").

logtype="Apache Access Logs" and referer in("Refer 2", "Refer 1")

This fetches results similar to (referer="Refer 2" or referer="Refer 1").


  • notin

Similar to using multiple 'and' with '!='. All values in a set will be compared.
For example, status notin("200","404","500") will be the same as (status!="200" and status!="404" and status!="500").

logtype="Apache Access Logs" and referer notin("Refer 2", "Refer 1")

This fetches results similar to (referer!="Refer 2" and referer!="Refer 1").

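To make the STARTSWITH, LIKE, in and notin semantics from the sections above concrete, here is an added Python reference evaluator (example code written for this page, not Site24x7's implementation) run over constructed Windows Event Log records; the record values and the CONTAINS helper are assumptions.

```python
import re

# Constructed Windows Event Log records (sample data, not real telemetry); field
# names follow the page's queries (source, status).
RECORDS = [
    {"source": "Microsoft-Windows-Security-Auditing", "status": "200"},
    {"source": "Microsoft-Windows-Sysmon", "status": "404"},
    {"source": "Service Control Manager", "status": "500"},
    {"source": "Microsoft-Windows-Kernel-General", "status": "200"},
]


def like(value, pattern):
    """LIKE as the page documents it: case sensitive, '*' matches any run of
    characters, and the pattern may not begin with '*'."""
    if pattern.startswith("*"):
        raise ValueError("LIKE pattern cannot begin with *")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def startswith(value, prefix):
    """STARTSWITH "x" is the same as LIKE "x*"."""
    return like(value, prefix + "*")


def in_set(value, values):
    """in(a, b, c) is the same as (field=a or field=b or field=c)."""
    return any(value == v for v in values)


def notin_set(value, values):
    """notin(a, b, c) is the same as (field!=a and field!=b and field!=c)."""
    return all(value != v for v in values)


OPERATORS = {
    "CONTAINS": lambda value, arg: arg in value,  # substring test (assumed)
    "STARTSWITH": startswith,
    "LIKE": like,
    "in": in_set,
    "notin": notin_set,
}


def search(records, field, operator, argument):
    """Apply one 'field OPERATOR argument' condition; return the matching records."""
    test = OPERATORS[operator]
    return [r for r in records if field in r and test(r[field], argument)]


def count(records, field, operator, argument):
    """The page's trailing 'count': number of log messages matching the condition."""
    return len(search(records, field, operator, argument))
```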

  • histo

Gives a histogram for a numerical field. This is similar to groupby, but instead of grouping by a single common value, a range of values is returned for each bucket.

logtype="Apache Access Logs" histo responsesize 

This fetches a histogram based on the response size.


  • range

This is used to fetch a custom range from a histogram. Range should be used only after histo.


logtype="Apache Access Logs" histo responsesize range(3800 to 4000,4200 to 4400)

This fetches a histogram for the custom range values mentioned.

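As an added example (not Site24x7 code) covering the having, sort, histo and range sections above, this Python implements groupby with avg(), a having filter, a sort by the aggregate and a custom-range histogram over constructed Apache Access Logs records; the inclusive range bounds and the ascending sort order are assumptions.

```python
from collections import defaultdict

# Constructed Apache Access Logs records (sample data, not real traffic) with the
# requesturi and responsesize fields used in the page's queries.
ACCESS = [
    {"requesturi": "/index.html", "responsesize": 3900},
    {"requesturi": "/index.html", "responsesize": 4300},
    {"requesturi": "/api/login", "responsesize": 12000},
    {"requesturi": "/api/login", "responsesize": 14000},
    {"requesturi": "/robots.txt", "responsesize": 120},
]


def groupby_avg(records, field, numeric):
    """groupby <field> with avg(<numeric>) as the aggregation column: {value: avg}."""
    total, count = defaultdict(int), defaultdict(int)
    for r in records:
        total[r[field]] += r[numeric]
        count[r[field]] += 1
    return {k: total[k] / count[k] for k in total}


def having_gt(groups, threshold):
    """having avg(...)>threshold: keep only the groups whose aggregate passes."""
    return {k: v for k, v in groups.items() if v > threshold}


def sort_by_avg(groups):
    """sort avg(...): rows ordered by the aggregate, ascending (assumed order)."""
    return sorted(groups.items(), key=lambda kv: kv[1])


def parse_ranges(spec):
    """Parse the page's range argument: '3800 to 4000,4200 to 4400' -> [(3800, 4000), ...]."""
    return [tuple(int(x) for x in part.strip().split(" to ")) for part in spec.split(",")]


def histo_range(records, numeric, spec):
    """histo <numeric> range(...): count of records whose value falls in each custom
    range; bounds are treated as inclusive (an assumption, the page does not say)."""
    return {(lo, hi): sum(1 for r in records if lo <= r[numeric] <= hi)
            for lo, hi in parse_ranges(spec)}
```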

  • range interval

This is used to fetch results with a custom interval from a histogram. Range interval should be used only after histo.

For example, when a range interval is specified after a histogram field, it fetches the histogram for the custom time interval.

logtype="Apache Access Logs" histo timetaken 1s

This fetches a histogram for the custom time interval of 1s.


Recent searches:

You can reuse a recent search from the Recent Search History instead of retyping it every time. You can view recent searches by following the steps below:

  1. Click the Saved and recent search icon in the search box.
  2. You can view your recent search queries below the saved searches. You can also save your search queries for future use.
