Query Language Reference

The Metricsmine query language is used to select a set of events from your log data. It is used in searches and graphs, alert triggers, report definitions, and elsewhere. Here are some sample queries.

All log messages containing the word "error":


To search for text containing spaces, digits, or punctuation, enclose it in quotes:

"production database"

Access log events showing a request for "/index.html":

"access_log" file=/index.html

Log messages containing the phrase "deadline exceeded", from servers tagged as part of a database tier:

"deadline exceeded" server="*database*"

Query Structure

A query can contain any number of terms. To select events matching all of the terms you can simply enter the terms next to one another:

msg="access_log" file="/index.html"

Text search

To search for a word, simply type that word. This forms a search term, which can be combined using explicit or implicit AND/OR. Here is a query which matches all events containing the word "hello" and at least one of "sir" or "madam":

hello (sir || madam)

To search for a more complex string, enclose it in single or double quotes:

"cache miss" 'critical error'

You can also search using wildcard expressions. Enclose the expression in double quotes:


All of these terms search in the message field of an event. This field contains the complete text of the log message. However, you can also search in other fields.
You may also use parameters to indicate specific fields such as service, instance, type, hash, id, url, or file.
To perform a string match, use field keyword:

instance="control-server-*" url="/profiles*" type="debu" group="control-server"

All text search is case-insensitive.

Field Comparison

The most powerful searches rely on event fields.
You can select events which do or do not have a particular value, using the : and !: operators. : can be used as a synonym for = or ==


For field comparison operators, strings are treated as case sensitive.


Free for 7 days. No credit card required.