
Lucene queries

Refer to the official Lucene documentation for a full description of the syntax.

Use Lucene queries in the Log explorer page, in alert rules or in dashboards to filter your data. Lucene queries let you search OpenTelemetry attributes. The attributes you can query are the ones your OpenTelemetry Collector retrieves and forwards, as defined in its configuration. See What does a log entry in OpenTelemetry format look like? for an overview of the main attributes.

In the Log explorer page, do not include time parameters in your queries: the time period is set with the time-range list in the top right corner.

Examples of simple Lucene queries

Select all logs with a severity number strictly above 20, i.e. logs with the FATAL severity (OpenTelemetry maps FATAL to severity numbers 21 to 24; 17 to 20 are ERROR). Square brackets make a range bound inclusive, so the lower bound must be 21; the equivalent form with an exclusive lower bound is severity_number:{20 TO *].

severity_number:[21 TO *]

Select all FATAL logs concerning a specific service ("payments-api"). Use the boolean operator AND.

severity_number:[21 TO *] AND service.name:"payments-api"

Select all FATAL logs for the payments-api service coming from hosts in a given IP range. Use wildcards.

severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.*

Select all FATAL logs for the payments-api service coming from hosts in that IP range, except 192.168.1.10. Combine the AND and NOT boolean operators.

severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10"

Among these logs, find those whose message body includes the word "failed". Bear in mind that case matters: wildcard terms are matched literally, so *failed* does not match "Failed". A leading wildcard is also expensive, because every indexed term has to be scanned.

severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10" AND body.message:*failed*

Instead of looking for exactly the word "failed", find logs whose message body includes terms similar to "failed" (for example "Failed" or the typo "falied"). Use fuzzy matching: the trailing ~ allows up to two character edits by default.

severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.* AND NOT host.ip:"192.168.1.10" AND body.message:failed~
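The following Python script is an added example, not the query engine behind the Log explorer. It implements just the Lucene subset used on this page (field:term, field:"phrase", inclusive [ ] and exclusive { } ranges, * and ? wildcards, trailing ~ fuzzy terms, AND and NOT) and runs the queries above against a handful of constructed log records. The records, the flat severity_number / service.name / host.ip / body.message keys, the word tokenizer and the fixed two-edit fuzzy budget are assumptions made for the illustration. It shows why [20 TO *] also returns an ERROR record while {20 TO *] and [21 TO *] return only FATAL, that the literal wildcard clause misses "Failed", and what the fuzzy clause picks up instead.

```python
"""Toy evaluator for the Lucene query subset used on this page.

Added example, not the Log explorer's engine. Wildcard and fuzzy terms are
matched literally (case-sensitive), as the page cautions; on a real index the
behaviour depends on the field's analyzer.
"""
import re

# Constructed, flattened OpenTelemetry-style log records (sample data, not real).
# OTel severity numbers: ERROR is 17-20, FATAL is 21-24.
LOGS = [
    {"severity_number": 21, "service.name": "payments-api", "host.ip": "192.168.1.7",
     "body.message": "payment capture failed: upstream timeout"},
    {"severity_number": 24, "service.name": "payments-api", "host.ip": "192.168.1.10",
     "body.message": "ledger write failed"},
    {"severity_number": 20, "service.name": "payments-api", "host.ip": "192.168.1.8",
     "body.message": "retrying failed request"},         # ERROR4, not FATAL
    {"severity_number": 22, "service.name": "payments-api", "host.ip": "192.168.1.9",
     "body.message": "Failed to open connection pool"},  # capitalised
    {"severity_number": 21, "service.name": "payments-api", "host.ip": "192.168.1.11",
     "body.message": "card authorisation falied"},        # typo, two edits away
    {"severity_number": 23, "service.name": "checkout-web", "host.ip": "192.168.1.12",
     "body.message": "render failed"},
    {"severity_number": 21, "service.name": "payments-api", "host.ip": "10.0.0.5",
     "body.message": "db failed"},
]

TOKEN = re.compile(r"""
    (?P<range>[\w.]+:[\[{][^\]}]*[\]}])   # field:[lo TO hi]; [ ] inclusive, { } exclusive
  | (?P<phrase>[\w.]+:"[^"]*")            # field:"exact phrase"
  | (?P<term>[\w.]+:\S+)                  # field:term, with * ? wildcards or trailing ~
  | (?P<op>\b(?:AND|NOT)\b)
""", re.VERBOSE)

WORD = re.compile(r"\w+(?:[.\-]\w+)*")  # keeps 192.168.1.10 and payments-api whole


def tokens(value):
    """Rough stand-in for an analyzer: split a field value into word tokens."""
    return WORD.findall(str(value))


def edit_distance(a, b):
    """Levenshtein distance; Lucene's ~ allows at most 2 edits by default."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_clause(clause, record):
    """Evaluate one field:value clause against one record."""
    field, _, value = clause.partition(":")
    if field not in record:
        return False
    stored = record[field]
    if value[0] in "[{":                         # numeric range; * means unbounded
        lo, hi = value[1:-1].split(" TO ")
        num = float(stored)
        if lo != "*" and (num < float(lo) or (value[0] == "{" and num == float(lo))):
            return False
        if hi != "*" and (num > float(hi) or (value[-1] == "}" and num == float(hi))):
            return False
        return True
    have = tokens(stored)
    if value.startswith('"'):                    # phrase: contiguous tokens, case-insensitive
        want = [t.lower() for t in tokens(value.strip('"'))]
        lowered = [t.lower() for t in have]
        return any(lowered[i:i + len(want)] == want for i in range(len(lowered) - len(want) + 1))
    if value.endswith("~"):                      # fuzzy: within 2 edits of some token
        return any(edit_distance(value[:-1], t) <= 2 for t in have)
    if "*" in value or "?" in value:             # wildcard: literal and case-sensitive
        pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
        return any(re.fullmatch(pattern, t) for t in have)
    return any(value.lower() == t.lower() for t in have)   # plain analysed term


def matches(query, record):
    """AND every clause together; NOT negates the clause that follows it."""
    result, negate = True, False
    for tok in TOKEN.finditer(query):
        if tok.lastgroup == "op":
            negate = tok.group() == "NOT"
            continue
        result = result and (match_clause(tok.group(), record) != negate)
        negate = False
    return result


def search(query, logs=LOGS):
    """Return host.ip of every sample record the query selects, in input order."""
    return [r["host.ip"] for r in logs if matches(query, r)]


if __name__ == "__main__":
    for q in (
        "severity_number:[20 TO *]",   # also returns the severity-20 (ERROR4) record
        "severity_number:{20 TO *]",   # FATAL only, same as [21 TO *]
        'severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.* '
        'AND NOT host.ip:"192.168.1.10" AND body.message:*failed*',
        'severity_number:[21 TO *] AND service.name:"payments-api" AND host.ip:192.168.1.* '
        'AND NOT host.ip:"192.168.1.10" AND body.message:failed~',
    ):
        print(f"{q}\n  -> {search(q)}")
```

Run it as a script to see the four result lists. The wildcard query returns only 192.168.1.7, because "Failed" (capitalised) and "falied" (typo) are not literal matches for *failed*; the fuzzy query returns all three, since both variants are within two edits of "failed". The evaluator stops at AND and NOT on purpose: mixing OR with AND in the classic Lucene parser does not follow ordinary boolean precedence, so that case is better looked up in the Lucene documentation than imitated here.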