Common Query Language (CQL)

Reference guide for the Common Query Language (CQL) used to search and filter data across logs, metrics, patterns, and events in Edge Delta.

  4 minute read  

Overview

Edge Delta’s Common Query Language (CQL) provides a unified syntax for searching and filtering data. Use CQL in the Logs Explorer, Metrics Explorer, Trace Explorer, Kubernetes Events Explorer, and Monitor Events Explorer to build precise queries.

Full Text Search

By default, searches run against the entirety of a message and are not case sensitive. All queries below return any item containing the term ERROR:

error
Error
erroR

Full text search supports partial matching. A query for fail returns messages containing:

FAILED
fails
failure

Begin with a broad search strategy before refining results using facet filters or field-based searching.

Key Value Pairs

Search for values using a colon between the key and value. Keys can only be a term, whereas values can be a term, quoted term, or grouped expression. For full text search (searching the body and not facets), terms and quoted terms match based on whether they are contained in the content. For key value pair search, terms and quoted terms match only if they exactly match. This behavior can be changed using wildcards.

ed.tag: default
host.name:(default OR admin)
namespace: "(this ) is : \n a \t= namespace"

Search for attributes using the @ character. Attributes can be converted to facets for improved search performance—see Effectively Using Facets for best practices.

@region:"us-west-2"
@instance-id:"i-0fba7946841988dfe"

Comparison Operators

Use comparison operators <, >, <=, or >= on numerical attributes. Search for an attribute using @ with integer or floating point values.

@latency < 300
@latency >= 100.5
@status_code > 399

Exact Match

If your search contains whitespace, wrap the search string in quotation marks. This returns only exact matches. Wrapping a search string in quotes enforces case sensitivity.

"user postgres"

Without quotes, this search would be treated as user AND postgres. To search for content that contains a search operator such as a bracket ) or the word OR, wrap them in quotation marks to be treated as search terms rather than operators.

Special characters include , \t, \n, \r, \u3000, !, (, ), :, ^, @, <, >, =, [, ], \, {, }, ~, \\, /.

Terms cannot start with + or - unless escaped with a backslash.

Inside quotation marks, three characters need escaping: ", *, and \.

You can wrap part of the query in quotes:

exception:"*object reference not set*"

This returns all results with an exception field that includes the phrase “object reference not set” anywhere in its value.

Boolean Operators

AND

Search for items that must contain two or more specific keywords with the Boolean operator AND (case sensitive). The default behavior when you leave a space between keywords is to search for items with both words. Items containing both words in any field and in any order are returned.

failed post

All items containing both words are returned, such as:

failed password for invalid user postgres

error AND env:prod

Returns all results where error is present in the message and env attribute contains prod (exact match as there is no whitespace between env: and prod).

OR

Search for alternative words using the Boolean OR operator (case sensitive) to return results for either keyword, but not necessarily both.

"invalid user" OR "user unknown"

This returns all items containing the phrase invalid user as well as any containing user unknown.

level:(error OR warn) database connection

Returns all results where level field contains error or warn, and the message contains the terms database and connection, regardless of ordering or distance between terms.

NOT

Add an exclusion to your search string using the minus parameter or the NOT term.

"Failed Processing HTTP request" -GET

env:prod NOT level:(debug OR info)

Returns all records where env attribute equals prod, excluding records where level attribute equals debug or info.

-@my_attribute:""

Returns items that contain a specific attribute my_attribute with any value (excluding those without the attribute or where it is empty).

Wildcards

Use an asterisk character as a wildcard within quotation marks to return a wider set of results. A wildcard is only useful when searching within quotation marks to extend an exact match. For example, statusCode:"*04" returns both 504 and 404 results. Without quotation marks, the wildcard is implied—post returns POST as well as postgres results. To search for a literal asterisk, escape it with a backslash: \*.

For key value pair search, wildcards can only be used at the beginning or end of the value to change behavior from exact match to contains search:

ed.tag:"def"

Matches only items with the “ed.tag” value of “def”.

ed.tag:"*def"

Matches any item with “ed.tag” value ending with “def”.

ed.tag:"*def*"

Matches any item with “ed.tag” value containing “def”.

@my_attribute:"*"

Matches any item with the attribute my_attribute, including those without a value.

Operator Precedence

The search engine processes operators in this order:

  1. Exact Match
  2. Exclude
  3. AND
  4. OR

For example:

one two OR three

Returns two types of results:

  1. Items containing both one and two
  2. Items containing three, including those without one

Adjust precedence using brackets:

one (two OR three)

Returns items containing one that also contain either two or three.