Log Search Page

Log search in the Edge Delta web application.

Recap

The Edge Delta agent sends important logs and triggers to your data destinations and trigger endpoints. In addition, it sends all logs to your low-cost archive destination. You can search your log archive using the search feature in Edge Delta.

Searching for Logs

To search for logs, click Logs and select Search.

You enter a search string in the Search box or you can click SQL Search and enter a SQL query. You can filter results using the Filters pane. After running a search, you can further filter your results using the second search box in the results area.

Basic Search Syntax

You can refine your search query using familiar search operators such as quotation marks and OR when using the basic search.

And

You can search for logs that must contain two or more specific keywords. When you leave a space between keywords, the search engine by default returns only logs that contain both words. The words can appear in any field and in any order. Consider the following search string:

failed post

All logs that contain both of these words are returned, such as the following:

failed password for invalid user postgres

Exact Match

To further refine your search, you can wrap your search string in quotation marks. This makes the search treat the string explicitly, and it returns only exact matches. Bear in mind that wrapping a search string in quotes enforces case sensitivity.

"user postgres"

If you need to search log contents that contain a search operator, such as a bracket ) or the word OR, you can wrap them in quotation marks so that they are treated explicitly as search terms and not as search operators. The asterisk cannot be treated explicitly using quotation marks because it is used to extend exact matches. See the Wildcards section.

Exclude

You can add an exclusion to your search string to ignore certain logs by prefixing a term with the minus sign (-). This search looks for failed HTTP processing requests except those that contain the word GET:

"Failed Processing HTTP request" -GET

OR

You can search for alternative words using the OR operator to return results for either of the search keywords, but not necessarily both of them. If you want to specify alternative phrases you must wrap the phrase in quotation marks.

"invalid user" OR "user unknown"

This example will return all logs that contain the phrase invalid user as well as any logs that contain user unknown.

Wildcards

You can use an asterisk character as a wildcard to return a wider set of results. A wildcard is only useful when you are searching within quotation marks to extend an exact match. For example, "statusCode=*04" will return both 504 and 404 logs. Without quotation marks, the wildcard is implied. For example, post will return POST as well as postgres results.

Processing Precedence with Brackets

By default, the search engine processes search strings with more than one operator in the following order:

  1. Exact Match
  2. Exclude
  3. And
  4. OR

For example, given the following search string:

one two OR three

Two types of logs will be returned:

  1. any logs containing both one and two
  2. any logs containing three, including those without any occurrence of one.

You can adjust the processing order of precedence using brackets, just as in mathematical equations. For example, given the following search string:

one (two OR three)

All of the logs returned contain one. In addition, each of them contains either two or three.
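
The following Python sketch is an added illustration, not Edge Delta code: it models the default precedence described above (exact match, exclude, and, OR) plus bracket grouping, and runs queries over constructed sample log lines. The names parse, search and LOGS, the sample lines, and the reading of * as a run of non-space characters are assumptions made for the example.

```python
import re
from collections import deque

LOGS = [  # constructed sample lines, not real data
    "failed password for invalid user postgres",
    "Failed Processing HTTP request GET /health statusCode=504",
    "Failed Processing HTTP request POST /login statusCode=404",
    "pam: user unknown, session opened for admin",
    "Completed HTTP request GET /index statusCode=200",
]

TOKEN = re.compile(r'-?"[^"]*"|[()]|[^\s()"]+')

def _atom(tok):
    if tok.startswith('"'):
        # Quoted: exact and case-sensitive; * extends the match (assumed: non-space run).
        pat = re.compile(r'\S*'.join(map(re.escape, tok[1:-1].split('*'))))
        return lambda line: pat.search(line) is not None
    # Unquoted: case-insensitive with an implied wildcard, i.e. a substring test.
    return lambda line: tok.lower() in line.lower()

def parse(query):
    toks = deque(TOKEN.findall(query))
    def or_expr():   # OR binds last
        terms = [and_expr()]
        while toks and toks[0] == 'OR':
            toks.popleft()
            terms.append(and_expr())
        return lambda line: any(t(line) for t in terms)
    def and_expr():  # space-separated terms must all match
        terms = []
        while toks and toks[0] not in ('OR', ')'):
            terms.append(unary())
        return lambda line: all(t(line) for t in terms)
    def unary():     # exclusion, bracket group, or a single term
        tok = toks.popleft()
        if tok == '(':
            inner = or_expr()
            if toks:
                toks.popleft()  # consume the closing bracket
            return inner
        if tok.startswith('-') and len(tok) > 1:
            excluded = _atom(tok[1:])
            return lambda line: not excluded(line)
        return _atom(tok)
    return or_expr()

def search(query, lines=LOGS):
    pred = parse(query)
    return [line for line in lines if pred(line)]
```

With these sample lines, search('failed invalid OR unknown') returns the failed-password line and also the unrelated "user unknown" line, while search('failed (invalid OR unknown)') returns only the failed-password line. When you hunt for failed logins, the ungrouped form silently widens the result set.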