The simplest LogsQL query is just a [word](#word), which must be found in the [log message](
The `AND` operator means that the [log entry]( must match both filters in order to be selected.
Typical LogsQL query constists of multiple [filters](#filters) joined with `AND` operator. It may be tiresome typing and then reading all these `AND` words.
So LogsQL allows omitting `AND` words. For example, the following query is equivalent to the query above:
Suppose the query above selects too many rows because some buggy app pushes invalid error logs to VictoriaLogs. Suppose the app adds `buggy_app` [word](#word) to every log line.
Then the following query removes all the logs from the buggy app, allowing us paying attention to the real errors:
This query uses `NOT` [operator](#logical-filter) for removing log lines from the buggy app. The `NOT` operator is used frequently, so it can be substituted with `!` char.
So the following query is equivalent to the previous one:
Queries above assume that the `error` [word](#word) is stored in the [log message](
This word can be stored in other [field]( such as `log.level`.
What if the application identifier - such as `buggy_app` and `foobar` - is stored in the `app` field? Correct - just add `app:` prefix in front of `buggy_app` and `foobar`:
In this case it is recommended associating the `app` field with [log stream fields](
during [data ingestion]( This usually improves both compression rate
then its' name followed by the colon must be put in front of the filter. For example, if `error` [word filter](#word-filter) must be applied
to the `log.level` field, then use `log.level:error` query.
Field names and filter args can be put into quotes if they contain special chars, which may clash with LogsQL syntax. LogsQL supports quoting via double quotes `"`,
single quotes `'` and backticks:
"some 'field':123":i('some("value")') AND `other"value'`
If doubt, it is recommended quoting field names and filter args.
- [Time filter](#time-filter) - matches logs with [`_time` field]( in the given time range
- [Stream filter](#stream-filter) - matches logs, which belong to the given [streams](
- [Empty value filter](#empty-value-filter) - matches logs without the given [log field](
- [Any value filter](#any-value-filter) - matches logs with the given non-empty [log field](
- [Range filter](#range-filter) - matches logs with numeric [field values]( in the given range
- [IPv4 range filter](#ipv4-range-filter) - matches logs with ip address [field values]( in the given range
- [String range filter](#string-range-filter) - matches logs with [field values]( in the given string range
- [Length range filter](#length-range-filter) - matches logs with [field values]( of the given length range
VictoriaLogs scans all the logs per each query if it doesn't contain the filter on [`_time` field](
-`_time:YYYY-MM-DD` - matches all the logs for the particular day by UTC. For example, `_time:2023-04-25` matches logs on April 25, 2023 by UTC.
-`_time:YYYY-MM` - matches all the logs for the particular month by UTC. For example, `_time:2023-02` matches logs on February, 2023 by UTC.
-`_time:YYYY` - matches all the logs for the particular year by UTC. For example, `_time:2023` matches logs on 2023 by UTC.
-`_time:YYYY-MM-DDTHH` - matches all the logs for the particular hour by UTC. For example, `_time:2023-04-25T22` matches logs on April 25, 2023 at 22 hour by UTC.
-`_time:YYYY-MM-DDTHH:MM` - matches all the logs for the particular minute by UTC. For example, `_time:2023-04-25T22:45` matches logs on April 25, 2023 at 22:45 by UTC.
-`_time:YYYY-MM-DDTHH:MM:SS` - matches all the logs for the particular second by UTC. For example, `_time:2023-04-25T22:45:59` matches logs on April 25, 2023 at 22:45:59 by UTC.
- It is recommended specifying the smallest possible time range during the search, since it reduces the amounts of log entries, which need to be scanned during the query.
VictoriaLogs provides an optimized way to select log entries, which belong to particular [log streams](
-`multiple errors occurred`, since the `errors` word doesn't match `error` word. Use `error*` for this case. See [these docs](#prefix-filter) for details.
if it must be searched in the given field. For example, the following query returns log entries containing the `error` [word](#word) in the `log.level` field:
Both the field name and the word in the query can contain arbitrary [utf-8]( chars. For example:
Both the field name and the word in the query can be put inside quotes if they contain special chars, which may clash with the query syntax.
For example, the following query searches for the ip `` in the field `ip:remote`:
See also:
- [Phrase filter](#phrase-filter)
- [Exact filter](#exact-filter)
- [Prefix filter](#prefix-filter)
- [Logical filter](#logical-filter)
### Phrase filter
Is you need to search for log messages with the specific phrase inside them, then just wrap the phrase in quotes.
The phrase can contain any chars, including whitespace, punctuation, parens, etc. They are taken into account during the search.
-`ssh login fail`, since the message misses `:` char just after the `ssh`.
Use `seq("ssh", "login", "fail")` query if log messages with the sequence of these words must be found. See [these docs](#sequence-filter) for details.
-`login fail: ssh error`, since the message doesn't contain the full phrase requested in the query. If you need matching a message
with all the [words](#word) listed in the query, then use `ssh AND login AND fail` query. See [these docs](#logical-filter) for details.
-`ssh: login failed`, since the message ends with `failed` [word](#word) instead of `fail` word. Use `"ssh: login fail"*` query for this case.
if it must be searched in the given field. For example, the following query returns log entries containing the `cannot open file` phrase in the `event.original` field:
event.original:"cannot open file"
Both the field name and the phrase can contain arbitrary [utf-8]( chars. For example:
сообщение:"невозможно открыть файл"
The field name can be put inside quotes if it contains special chars, which may clash with the query syntax.
For example, the following query searches for the `cannot open file` phrase in the field `some:message`:
"some:message":"cannot open file"
See also:
- [Exact filter](#exact-filter)
- [Word filter](#word-filter)
- [Prefix filter](#prefix-filter)
- [Logical filter](#logical-filter)
### Prefix filter
If you need to search for log messages with [words](#word) / phrases containing some prefix, then just add `*` char to the end of the [word](#word) / phrase in the query.
For example, the following query returns [log messages](, which contain [words](#word) with `err` prefix:
This query doesn't match the following log messages:
-`Error: foobar`, since the `Error` [word](#word) starts with capital letter. Use `i(err*)` for this case. See [these docs](#case-insensitive-filter) for details.
-`fooerror`, since the `fooerror` [word](#word) doesn't start with `err`. Use `re("err")` for this case. See [these docs](#regexp-filter) for details.
Prefix filter can be applied to [phrases](#phrase-filter). For example, the following query matches
in order to apply it to the given field. For example, the following query matches `log.level` field containing any word with the `err` prefix:
If the field name contains special chars, which may clash with the query syntax, then it may be put into quotes in the query.
For example, the following query matches `log:level` field containing any word with the `err` prefix.
Performance tips:
- Prefer using [word filters](#word-filter) and [phrase filters](#phrase-filter) combined via [logical filter](#logical-filter)
instead of prefix filter.
- Prefer moving [word filters](#word-filter) and [phrase filters](#phrase-filter) in front of prefix filter when using [logical filter](#logical-filter).
- See [other performance tips](#performance-tips).
Sometimes it is needed to find log entries containing any non-empty value for the given [log field](
The [word filter](#word-filter) and [phrase filter](#phrase-filter) return [log messages](,
which contain the given word or phrase inside them. The message may contain additional text other than the requested word or phrase. If you need searching for log messages
For example, the following query returns log messages wih the exact value `fatal error: cannot find /foo/bar`:
exact("fatal error: cannot find /foo/bar")
The query doesn't match the following log messages:
-`fatal error: cannot find /foo/bar/baz` or `some-text fatal error: cannot find /foo/bar`, since they contain an additional text
other than the specified in the `exact()` filter. Use `"fatal error: cannot find /foo/bar"` query in this case. See [these docs](#phrase-filter) for details.
-`FATAL ERROR: cannot find /foo/bar`, since the `exact()` filter is case-sensitive. Use `i("fatal error: cannot find /foo/bar")` in this case.
See [these docs](#case-insensitive-filter) for details.
By default the `exact()` filter is applied to the [`_msg` field](
Specify the [field name]( in front of the `exact()` filter and put a colon after it
By default the `exact()` filter is applied to the [`_msg` field](
Specify the [field name]( in front of the `exact()` filter and put a colon after it
if it must be searched in the given field. For example, the following query returns log entries with `log.level` field, which starts with `err` prefix:
Sometimes it is needed to locate log messages with a field containing one of the given values. This can be done with multiple [exact filters](#exact-filter)
The query doesn't match the following log messages:
-`FooError`, since the `FooError` [word](#word) has superflouos prefix `Foo`. Use `re("(?i)error")` for this case. See [these docs](#regexp-filter) for details.
-`too many Errors`, since the `Errors` [word](#word) has superflouos suffix `s`. Use `i(error*)` for this case.
with [words](#word) or phrases in a particular order. For example, if log messages with `error` word followed by `open file` phrase
must be found, then the following LogsQL query can be used:
seq("error", "open file")
This query matches `some error: cannot open file /foo/bar` message, since the `open file` phrase goes after the `error` [word](#word).
The query doesn't match the `cannot open file: error` message, since the `open file` phrase is located in front of the `error` [word](#word).
If you need matching log messages with both `error` word and `open file` phrase, then use `error AND "open file"` query. See [these docs](#logical-filter)
The query matches the following [log messages](, which contain either `err` or `warn` substrings:
- Prefer using `exact("some prefix"*)` instead of `re("^some prefix")`, since the [exact()](#exact-prefix-filter) works much faster than the `re()` filter.
instead of extracting numeric field from text field via [transformations](#transformations) at query time.
- See [other performance tips](#performance-tips).
See also:
- [IPv4 range filter](#ipv4-range-filter)
- [String range filter](#string-range-filter)
- [Length range filter](#length-range-filter)
- [Logical filter](#logical-filter)
### IPv4 range filter
If you need to filter log message by some field containing only [IPv4]( addresses such as ``,
then the `ipv4_range()` filter can be used. For example, the following query matches log entries with `user.ip` address in the range `[ -]`:
The `ipv4_range()` accepts also IPv4 subnetworks in [CIDR notation](
For example, the following query is equivalent to the query above:
If you need matching a single IPv4 address, then just put it inside `ipv4_range()`. For example, the following query matches `` IP
since the `` ip is surrounded by other text. Extract the IP from the message with `parse(_msg, "request from <ip>: done")` [transformation](#transformations)
and then apply the `ipv4_range()` [post-filter](#post-filters) to the extracted `ip` field.
- If you need searching for [log messages]( containing the given `X.Y.Z.Q` IPv4 address,
at least a single IPv4 address out of the given list, then `"ip1" OR "ip2" ... OR "ipN"` query can be used. See [these docs](#logical-filter) for details.
- If you need finding log entries with `ip` field in multiple ranges, then use `ip:(ipv4_range(range1) OR ipv4_range(range2) ... OR ipv4_range(rangeN))` query.
It is possible to use `inf` as the upper bound. For example, the following query matches [log messages](
with the length bigger or equal to 5 chars:
len_range(5, inf)
The range boundaries can be expressed in the following forms:
- Hexadecimal form. For example, `len_range(0xff, 0xABCD)`.
- Binary form. Form example, `len_range(0b100110, 0b11111101)`
- Integer form with `_` delimiters for better readability. For example, `len_range(1_000, 2_345_678)`.
the filter to the needed field. For example, the following query matches log entries with the `foo` field length in the range `[10, 20]` chars:
foo:len_range(10, 20)
See also:
- [Range filter](#range-filter)
- [Logical filter](#logical-filter)
### Logical filter
Simpler LogsQL [filters](#filters) can be combined into more complex filters with the following logical operations:
-`q1 AND q2` - matches common log entries returned by both `q1` and `q2`. Arbitrary number of [filters](#filters) can be combined with `AND` operation.
which do not contain `info` [word](#word). The `NOT` operation is frequently used in LogsQL queries, so it is allowed substituting `NOT` with `!` in queries.
For example, `!info` is equivalent to `NOT info`.
The `NOT` operation has the highest priority, `AND` has the middle priority and `OR` has the lowest priority.
The priority order can be changed with parentheses. For example, `NOT info OR debug` is interpreted as `(NOT info) OR debug`,
By default logical filters apply to the [`_msg` field](
unless the inner filters explicitly specify the needed [log field]( via `field_name:filter` syntax.
For example, `log.level:error OR log.level:warning OR log.level:info` can be substituted with the shorter query: `log.level:(error OR warning OR info)`.
Performance tips:
- VictoriaLogs executes logical operations from the left to the right, so it is recommended moving the most specific
and the fastest filters (such as [word filter](#word-filter) and [phrase filter](#phrase-filter)) to the left,
while moving less specific and the slowest filters (such as [regexp filter](#regexp-filter) and [case-insensitive filter](#case-insensitive-filter))
- Extracting the specified fields from text [log fields]( according to the provided pattern.
- Extracting the specified fields from JSON strings stored inside [log fields](
- Creating a new field according to math calculations over existing [log fields](
- Copying of the existing [log fields](
-`error | stats count() as errors_total` returns the number of [log messages]( with the `error` [word](#word).
-`error | stats by (_stream) count() as errors_by_stream` returns the number of [log messages](
with the `error` [word](#word) grouped by [`_stream`](
-`error | stats by (datacenter, namespace) count(trace_id, user_id) as errors_with_trace_and_user` returns the number
of [log messages]( containing the `error` [word](#word),
which contain non-empty `trace_id` or `user_id` [fields](, grouped by `datacenter` and `namespace` fields.
- The number of non-empty unique values for the given set of [fields]( Examples:
-`error | stats uniq(client_ip) as unique_user_ips` returns the number of unique values for `client_ip` [field](
for [field values]( across [log messages](
with the `error` [word](#word), grouped by `app` [field](
-`error | fields path, host | stats uniq(*) unique_path_hosts` - returns the number of unique `(path, host)` pairs
for [field values]( across [log messages](
- Sum for the given [log field]( values. Non-numeric values are ignored. Examples:
-`error | stats sum(duration) duration_total` - returns the sum of `duration` [field]( values
across [log messages]( with the `error` [word](#word).
-`GET | stats by (path) sum(response_size) response_size_sum` - returns the sum of `response_size` [field]( values
- The maximum value across the given numeric [log fields]( Non-numeric values are ignored. Examples:
-`error | stats max(duration) duration_max` - returns the maximum value for the `duration` [field](
across [log messages]( with the `error` [word](#word).
-`GET | stats by (path) max(response_size) max_response_size` - returns the maximum value for the `response_size` [field](
across [log messages]( with the `GET` [word](#word), grouped
by `path` [field]( value.
- The minimum value across the given numeric [log fields]( Non-numeric values are ignored. Examples:
-`error | stats min(duration) duration_min` - returns the minimum value for the `duration` [field](
across [log messages]( with the `error` [word](#word).
-`GET | stats by (path) min(response_size) min_response_size` - returns the minimum value for the `response_size` [field](
Stats calculations can be combined. For example, the following query calculates the number of log messages with the `error` [word](#word),
the number of unique values for `ip` [field]( and the sum of `duration`
[field](, grouped by `namespace` [field](
LogsQL will support calculating the following additional stats based on the [log fields](
For example, the following query returns only [`_time`](,
[`_stream`](, `host` and [`_msg`]( fields: