Log Search Query Syntax

When searching for logs, you can create queries using a subset of Lucene query syntax to refine your search.

The query string is parsed into a series of terms and operators:

  • A term can be a single word such as jane or smith.

  • A term can be a phrase surrounded by double quotes ("customer log"), which will match all words in the phrase in the same order.

  • A term without a field name will only match these selected fields fields.

  • Multiple terms can be grouped together with parentheses to form sub-queries.

  • All search fields are case sensitive.

  • Operators (AND, OR, NOT) work on all searchable fields.

Searchable fields

The following fields are searchable and case sensitive:

Field Description
client_id Client ID related to the event.
client_name Client name related to the event.
connection Connection name related to the event.
connection_id Connection ID related to the event.
description Description of the event.
date Date the event occurred in YYYY-MM-DD format.
hostname Hostname used for the authentication flow.
ip IP address from where the request that caused the log entry originated.
log_id Log ID of the event.
organization_id Organization ID related to the event.
user_id User ID related to the event.
user_name User name related to the event.
user_agent User agent related to the event.
strategy Connection strategy related to the event.
strategy_type Connection strategy type related to the event.
type Type of the event.

Fields searchable against bare terms

If a search term is entered without a field name, it will only be searched against the following fields:

  • client_name

  • connection

  • description

  • ip

  • log_id

  • type

  • user_name

Exact matching

To find exact matches, use double quotes: description:"Username invalid".

For example, to find logs with the description Username invalid, use q=description:"Username invalid".

Wildcards

Wildcard searches can be run on terms using the asterisk character (*) to replace zero or more characters: user_name:john*. They can be used for prefix matching, for example user_name:j*. For other uses of wildcards (for example, suffix matching), literals must have 3 characters or more. For example, name:*usa is allowed, but name:*sa is not.

The question mark character (?), is not supported.

For example, to find all logs for users whose usernames start with john, use q=user_name:john*.

Ranges

You can use ranges in your log search queries. For inclusive ranges use square brackets: [min TO max], and for exclusive ranges use curly brackets: {min TO max}.

Curly and square brackets can be combined in the same range expression. You can also use wildcards within ranges.

As an example, to find all logs from December 18, 2018 until the present, use q=date:[2018-12-18 TO *].

If you'd like to search logs from the beginning of your retention period until, but not including, December 19, 2018, use q=date:[* TO 2018-12-19}.

Example queries

Below are some examples to show the kinds of queries you can make with the Management API.

Use Case Query
Search all logs with connections that contains "Pass" connection:*pass*
Search all logs for users with a user name that contains "fred" user_name:*fred*
Search all logs with user id's matching exactly "123" user_id:"123"
Search for all logs with a type starting with "s" type:s*
Search for user names that start with "jane" and end with "smith" user_name:jane*smith
Search for all logs in December 2018 date:[2018-12 TO 2018-01-01}
Search for all logs from December 10, 2018 forward date:[2018-12-10 TO *]
Search for all logs from January 1, 2019 at 1AM, until, but not including January 1, 2019 at 12:23:45 date:[2019-01-01T01:00:00 TO 2019-01-01T12:23:45}

Limitations

  • If you get the error 414 Request-URI Too Large this means that your query string is larger than the supported length. In this case, refine your search.

  • Log fields are not tokenized , so description:rule will not match a description with value Create a rule nor Update a rule. Instead, use description:*rule. See wildcards and exact matching.

  • The .raw field extension is not supported. Fields match the whole value that is provided and are not tokenized.

Pagination

When calling the GET /api/v2/logs or GET /api/v2/users/{user_id}/logs endpoints using the include_totals parameter, the result is a JSON object containing a summary of the results and the requested logs. The JSON object looks something like:

{
  "length": 5,
  "limit": 5,
  "logs": [...],
  "start": 0,
  "total": 5
}

Was this helpful?

/

When searching for logs, the totals field tells you how many logs are returned in the page (similar to what the length field returns).

Learn more