
Search logs using a New Relic Lucene-like syntax

New Relic’s log query language is based on Lucene syntax, designed to enable fast, flexible search of log data. Grepr supports a log query syntax similar to a subset of the New Relic Lucene query language. This guide outlines the key differences between Grepr’s implementation and the complete New Relic Lucene syntax.

For the full New Relic query language, refer to the New Relic documentation.

Supported behavior

Grepr supports a simplified form of text and field-based search:

  • Text search (default field): Simple unqualified text searches (e.g., error) are matched only against the message field.

  • Field-based search: Grepr allows searching specific fields using field:value syntax. By default, these will search in attributes only, unless the field name starts with tags..

  • Logical operators: The Boolean operators AND and OR combine multiple conditions, and a - prefix negates a condition. For example:

    error AND warning           # Both "error" and "warning" must be present in message
    error OR warning            # Either "error" or "warning" must be present in message
    status:500 AND error        # Status code is 500 and message contains "error"
    -req.status:200 AND error   # req.status is not 200 and message contains "error"

  • Existence operators: The has: and missing: operators check for the presence or absence of field keys:

    has:field       # field exists
    missing:field   # field does not exist

  • Negation operators: The - prefix can be used to negate queries:

    -field:value   # Field does not equal value
    -error         # Message does not contain "error"

  • Numeric comparisons: Comparison operators such as >, <, >=, <= are supported on numerical fields:

    field:>30      # Field value greater than 30
    field:<10      # Field value less than 10
    field:>=30.0   # Field value greater than or equal to 30.0
    field:<=-10    # Field value less than or equal to -10

    Refer to The Grepr processing and data models for more about how attributes and tags are handled.

  • Range searches: Use syntax like field:[value1 TO value2] to search for values in ranges:

    field:[10 TO 20]    # Field value between 10 and 20 inclusive
    field:{10 TO 20}    # Field value between 10 and 20 exclusive
    field:[* TO 100]    # Field value less than or equal to 100
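
The matching rules listed above, modelled in Python as an added example (not Grepr's or New Relic's code), to show which part of an event each kind of term is checked against. The event layout, case-sensitive substring matching, the treatment of a negated term on an absent field as a match, and AND-only combination are assumptions made for this illustration.

```python
import re

# Constructed sample event; the message/attributes/tags layout is an assumption.
EVENT = {"message": "error: upstream timeout",
         "attributes": {"status": 500, "req.status": 502, "latency": 30.0},
         "tags": {"env": "prod"}}

def lookup(event, field):
    """Return (found, value): attributes by default, tags for 'tags.' names."""
    if field.startswith("tags."):
        store, key = event["tags"], field[len("tags."):]
    else:
        store, key = event["attributes"], field
    return key in store, store.get(key)

def match_term(event, term):
    """Evaluate one term of the syntax listed above against one event."""
    if term.startswith("-"):                  # "-" prefix negates the term
        return not match_term(event, term[1:])
    name, sep, rest = term.partition(":")
    if not sep:                               # unqualified text: message only
        return term in event["message"]       # case-sensitive here (assumption)
    if name in ("has", "missing"):            # existence of a field key
        return lookup(event, rest)[0] == (name == "has")
    found, value = lookup(event, name)
    if not found:
        return False
    numeric = isinstance(value, (int, float))
    m = re.fullmatch(r"([\[{])(\S+) TO (\S+)([\]}])", rest)
    if m:                                     # range: [] inclusive, {} exclusive
        lo, hi = m.group(2), m.group(3)
        if not numeric:
            return False
        ok_lo = lo == "*" or (value >= float(lo) if m.group(1) == "[" else value > float(lo))
        ok_hi = hi == "*" or (value <= float(hi) if m.group(4) == "]" else value < float(hi))
        return ok_lo and ok_hi
    m = re.fullmatch(r"(>=|<=|>|<)(-?\d+(?:\.\d+)?)", rest)
    if m:                                     # numeric comparison
        n = float(m.group(2))
        return numeric and {">": value > n, "<": value < n,
                            ">=": value >= n, "<=": value <= n}[m.group(1)]
    return str(value) == rest                 # plain field:value equality

def match_all(event, query):
    """AND-only query: every term must match (OR and grouping are left out)."""
    return all(match_term(event, t.strip()) for t in query.split(" AND "))
```

With this event, the unqualified term prod does not match even though the tag env is prod, while tags.env:prod does; a search for a value that lives in an attribute or tag has to name the field.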

Limitations

Grepr does not support the following features of the New Relic Lucene language:

  • Proximity and fuzzy searches: Queries like "error crash"~3 or hello~2 are not supported.