Use our logs UI at one.newrelic.com to quickly search through your log data in seconds. Each log lists available attributes in the log_summary
column. To drill down into additional details, click any highlighted attribute.
Query structure
Using logs, you can search through your log data by entering either simple keywords, such as new
and relic
, or phrases such as "new relic agent"
, directly into the search field.
Plain terms are a 'contains' search for the message attribute and the filePath
of your logs. For instance, "new relic agent"
is equivalent to the more verbose message: "*New Relic Agent*"
.
To search other attributes, prefix the attribute to your terms, such as source: "*new relic agent*"
. See General operators below for more details.
You can also combine keywords or phrases with operators to form more complex queries.
Dica
Log queries in New Relic are based on the Lucene query language, and any Lucene function listed in this document is supported. (If a Lucene function isn't listed, we don't support it.) For some helpful examples, check out this Lucene tutorial.
General query rules:
Log query rules | Comments |
---|---|
Case sensitive | The query syntax is case sensitive for attributes values. Attribute names are always case sensitive. Exception: Wildcard searches are case insensitive for attribute values. |
Whitespace characters | When a term contains whitespace characters such as the space or tab character, the term will need to be double-quoted. Example: To query for a
Note: to query for a |
Special characters | When a term contains special characters, double-quote the term and escape the special characters using a backslash ( Example: To query for a
|
Wildcard searches | You can run wildcard searches using an asterisk ( Example: to query for a
If your term contains spaces or other metacharacters (see above), you'll need to quote the wildcarded term. For example, to query for a
|
Search with text
To return more specific query results, use text searches to join together keywords or phrases.
Text operators
The Logs query syntax accepts the following text operators:
Condition | Text operator example |
---|---|
Matching (keyword) | Search for log results containing keywords entered separately:
|
Exact matching (phrase) | Search for log results containing the specific phrase entered:
|
Either / Or | Search for log results containing either or both of the keywords entered:
|
And | Search for log results containing both of the keywords entered:
|
* Wildcard (zero or more) | Search for log results containing both of the keywords entered, with zero or more characters between them:
|
Negation (keyword) | Search for log results that do not contain the specific keyword entered:
|
Negation (phrase) | Search for log results that do not contain the specific phrase entered.
|
Search with attributes
Use attribute searches to narrow the query results to a specific attribute or field.
General operators
The following operators can be used by all types of attributes:
Condition | General operator example |
---|---|
Equal | Search for log results where the attribute equals the keyword specified. Example: The field
|
Does not equal | Search for log results where the attribute does not equal the keyword specified. Example: The field
|
Contains | Search for log results where the attribute contains the specified keyword. Example: The field
|
Does not contain | Search for log results where the attribute does not contain the specified keyword. Example: The field
|
Starts with | Search for log results where the attribute starts with the specified keyword specified. Example: The field
|
Ends with | Search for log results where the attribute ends with the specified keyword specified. Example: The field
|
Has | Search for log results that have the specified field. Example: Has the field
|
Missing | Search for log results that are missing the specified field. Example: Missing the field
|
Numeric operators
The following operators can only be used by numeric attributes:
Condition | Numeric operator example |
---|---|
Greater than | Search for log results attribute matches that are greater than the given parameter. Example: The field
|
Greater than or equal to | Search for log results with attribute matches that are greater than or equal to the given parameter. Example: The field
|
Less than | Search for log results with attribute matches that are less than the given parameter. Example: The field
|
Less than or equal to | Search for log results with attribute matches that are less than or equal to the given parameter. Example: The field
|
Logs query examples
Example: Query Apache logs
About Apache logs
If you have Apache logs, we recommend using our built in parsing rules for Apache logs to parse the logs into attributes. To use the built-in parsing, simply add the logtype: apache
attribute to your logging.yml
configuration on the hosts for your Apache logs.
Here are some examples of querying Apache logs:
Example: Query Amazon Cloudfront CDN logs
About CDN logs
If you have Amazon CloudFront logs, learn how to Forward Amazon CloudFront access logs to New Relic. We offer built-in parsing rules that can be used to automatically parse your Amazon Cloudfront standard or real-time access logs. We also have an Amazon Cloudfront access logs quickstart dashboard you can install that gives you immediate insight into your Amazon CloudFront CDN access logs!
Here are some examples of querying Amazon Cloudfront CDN access logs:
See NRQL query and add to dashboard
To see the NRQL version of a logs chart, click the ellipses menu on that chart and click View query. This opens up a view of the NRQL that generated that chart. You can modify the query there, or add it to a dashboard.
To switch from a Lucene syntax query to a NRQL query, to the right of the query builder click the NRQL button.
Let's say you want to search Apache logs for 503 response codes, covert that to a NRQL query using FACET
, view it as pie chart, and add that chart to a dashboard. Here's how:
- From the All logs UI page, search for all Apache logs with 503 response codes, using the query
logtype:apache response:503
- From the log chart ellipses menu, click View query.
- In the query, replace
SINCE <timestamp> UNTIL <timestamp> TIMESERIES MAX
withFACET verb
and click Run. You'll see a table with response codes grouped by method (verb). - Change the chart type to Pie.
- Click Add to dashboard and complete the steps.