Query syntax for logs | New Relic Documentation

Use our Logs UI in New Relic One to quickly search through your log data in seconds. Each log lists available attributes in the log_summary column. To drill down into additional details, click any highlighted attribute.

Each log's summary in the Logs UI provides query options to add, exclude, replace, and more.

Ready to get started? If you haven't already, be sure to sign up for a New Relic account. It's free, forever.

Query structure

Using the Logs UI, you can search through your log data by entering either simple keywords, such as new and relic, or phrases such as new relic agent, directly into the search field. You can also combine keywords or phrases with operators to form more complex queries.

Tip

Log queries in New Relic are based on the Lucene query language, and any Lucene function listed in this document is supported. (If a Lucene function is not listed, we do not support it.) For some helpful examples, check out this Lucene tutorial.

General query rules:

Log query rules	Comments
Case sensitive	The query syntax is case sensitive for attributes values. Attribute names are always case sensitive. Exception: Wildcard searches are case insensitive for attribute values.
Special characters	When a term contains special characters, double-quote the term and escape the special characters using a backslash (`\`). This includes special characters such as `+`, `-`, `&`, `\|`, `!`, `(`, `)`, `{`, `}`, `[`, `]`, `^`, `"`, `~`, `*`, `?`, `:`, `/`, or `\`. Example: To query for `"POST /log/v1 HTTP/1.1" 202`, escape the quotes like this: `"\"POST /log/v1 HTTP/1.1\" 202"`
Wildcard searches	You can run wildcard searches using an asterisk (``) to replace zero or more characters. Example: `newrelic`

Log query rules

Comments

Case sensitive

The query syntax is case sensitive for attributes values. Attribute names are always case sensitive.

Exception: Wildcard searches are case insensitive for attribute values.

Special characters

When a term contains special characters, double-quote the term and escape the special characters using a backslash (\). This includes special characters such as +, -, &, |, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, /, or \.

Example: To query for "POST /log/v1 HTTP/1.1" 202, escape the quotes like this:

"\"POST /log/v1 HTTP/1.1\" 202"

Wildcard searches

You can run wildcard searches using an asterisk (*) to replace zero or more characters.

Example: new*relic

Search with text

To return more specific query results, use text searches to join together keywords or phrases.

Text operators

The Logs query syntax accepts the following text operators:

Condition	Text operator example
Matching (keyword)	Search for log results containing keywords entered separately: `"new" "relic"`
Exact matching (phrase)	Search for log results containing the specific phrase entered: `"new relic agent"`
Either / Or	Search for log results containing either or both of the keywords entered: `new OR relic`
And	Search for log results containing both of the keywords entered: `new AND relic`
* Wildcard (zero or more)	Search for log results containing both of the keywords entered, with zero or more characters between them: `new*relic`
Negation (keyword)	Search for log results that do not contain the specific keyword entered: `-new`
Negation (phrase)	Search for log results that do not contain the specific phrase entered. `-"new relic"`

Search with attributes

Use attribute searches to narrow the query results to a specific attribute or field.

General operators

The following operators can be used by all types of attributes:

Condition	General operator example
Equal `:`	Search for log results where the attribute equals the keyword specified. Example: The field `hostname` equals `chi`: `hostname:chi`
Does not equal `- :`	Search for log results where the attribute does not equal the keyword specified. Example: The field `hostname` does not equal `chi`. `-hostname:chi`
Contains `*`	Search for log results where the attribute contains the specified keyword. Example: The field `hostname` contains `chi`. `hostname:chi`
Does not contain `- *`	Search for log results where the attribute does not contain the specified keyword. Example: The field `hostname` does not contain `chi`. `-hostname:chi`
Starts with `*`	Search for log results where the attribute starts with the specified keyword specified. Example: The field `hostname` starts with `chi`. `hostname:chi*`
Ends with `*`	Search for log results where the attribute ends with the specified keyword specified. Example: The field `hostname` ends with `chi`. `hostname:*chi`
Has	Search for log results that have the specified field. Example: Has the field `user_name`. `has:user_name`
Missing	Search for log results that are missing the specified field. Example: Missing the field `user_name`. `missing:user_name`

Numeric operators

The following operators can only be used by numeric attributes:

Condition	Numeric operator example
Greater than	Search for log results attribute matches that are greater than the given parameter. Example: The field `http_response_time_ms` is greater than `500`. `http_response_time_ms:>500`
Greater than or equal to	Search for log results with attribute matches that are greater than or equal to the given parameter. Example: The field `http_response_time_ms` is greater than or equal to `500`. `http_response_time_ms:>=500`
Less than	Search for log results with attribute matches that are less than the given parameter. Example: The field `http_response_time_ms` is less than `500`. `http_response_time_ms:<500`
Less than or equal to	Search for log results with attribute matches that are less than or equal to the given parameter. Example: The field `http_response_time_ms` is less than or equal to `500`. `http_response_time_ms:<=500`