The Log Explorer ships in two flavours, and each accepts a different filter syntax. Use the Modern UI / Legacy UI toggle in the top-right of the Log Explorer to switch between them.
| Capability | Legacy UI | Modern UI |
|---|---|---|
| Facet sidebar (Severity, Source, Host, Service) | Yes | Yes |
Single field:value filter |
Yes | Yes |
Negation (NOT / -) |
Yes | Yes |
Boolean operators (AND, OR) |
No | Yes |
| Grouping with parentheses | No | Yes |
Wildcards (*, ?) |
No | Yes |
Comparison operators (>, <, >=, <=) |
No | Yes |
Range queries ([a TO b]) |
No | Yes |
IN (...) / NOT IN (...) lists |
No | Yes |
| Free-text search across the message | Yes | Yes |
@attribute access (parsed JSON / ECS / Kube fields) |
Yes | Yes |
The list of filterable fields is the same in both UIs — only the expression power differs.
Legacy UI
The legacy explorer is a facet-driven interface. You build a query by:
- Clicking facet values in the left sidebar (Severity, Source, Host, Service) — each click adds an equality filter pill at the top.
- Typing
field:valueinto the search bar — adds the same kind of pill. - Prefixing with
-to negate (-hostname:web-canary). - Typing bare text with no
field:— runs acontainssearch against the log message.
Each pill is AND-ed together. The legacy bar does not parse AND, OR, parentheses, wildcards, ranges, or IN (...); those tokens are treated as plain text.
Examples that work in the legacy UI:
severity:error
service:order-api
-hostname:web-canary
@kube_namespace:payments
@message.requestId:abc-123
connection refused
To express anything more complex (multiple values for the same field, wildcards, ranges, OR), switch to the Modern UI.
Modern UI
The modern explorer parses the search bar as a full query expression. It supports every feature listed in the table above.
Quick reference
| Pattern | Meaning |
|---|---|
severity:error |
severity equals error |
severity!:error |
severity is anything but error |
NOT severity:error |
Same as above |
statusCode:>=500 |
statusCode is greater than or equal to 500 |
statusCode:[400 TO 499] |
statusCode is between 400 and 499 (inclusive) |
service IN (api, web, worker) |
service is one of the listed values |
service NOT IN (api, web) |
service is not in the list |
hostname:web-* |
Wildcard — any hostname starting with web- |
service:api-?-prod |
Single-character wildcard |
message:"connection refused" |
Phrase match (quote multi-word values) |
severity:error AND service:api |
Boolean AND |
severity:error OR severity:warning |
Boolean OR |
(service:api OR service:web) AND severity:error |
Grouping with parentheses |
connection refused |
Free-text search across message |
Field names and string values are case sensitive. The keywords AND, OR, NOT, and IN are case insensitive.
Operators
Equality and inequality
severity:error
severity!:error
NOT severity:error
hostname:web-1
field:value matches exact equality. !: and the NOT prefix both negate.
Comparison
Numeric and lexical comparison operators are written next to the colon:
statusCode:>500
statusCode:>=500
statusCode:<500
statusCode:<=500
Ranges
Use square brackets and the TO keyword for inclusive ranges:
statusCode:[400 TO 599]
urlPort:[8000 TO 8999]
IN / NOT IN
Match any value from a list:
service IN (api, web, worker)
severity NOT IN (debug, info)
Wildcards
* matches zero or more characters; ? matches exactly one character:
hostname:web-*
service:api-?-prod
urlPath:/api/v*/users
Free-text search
Bare terms (no field:) are matched against the log message body. Quote multi-word phrases:
"connection refused"
timeout database
You can combine free text with field filters in the same query:
"connection refused" AND service:api
Boolean operators and grouping
Combine clauses with AND, OR, and NOT (or !). Use parentheses to control precedence — without them, AND binds tighter than OR.
severity:error AND service:api
severity:error OR severity:critical
(service:api OR service:web) AND severity:error
NOT (service:internal-cron)
Filterable fields
These attributes are first-class fields on every log event. They are extracted by the agent or the ingest API and indexed for fast filtering. The same fields work in both the Legacy and Modern UIs.
| Field | Type | Example |
|---|---|---|
hostname |
string | hostname:web-1.prod |
source |
string | source:nginx |
service |
string | service:order-api |
severity |
string | severity:error (info, warning, error, critical, debug, notice, alert, emergency) |
message |
string | message:"connection refused" |
tags |
string array | tags:production |
dockerId |
string | dockerId:abc123def456 |
traceId |
string | traceId:dt_8f3e0a1b... (linked APM distributed trace) |
clientIp |
string | clientIp:10.0.0.5 |
urlHost |
string | urlHost:api.example.com |
urlMethod |
string | urlMethod:POST |
urlPath |
string | urlPath:/api/orders |
urlPort |
number | urlPort:8443 |
urlScheme |
string | urlScheme:https |
statusCode |
number | statusCode:>=500 (Modern UI only for >=) |
browser |
string | browser:Chrome |
os |
string | os:Linux |
device |
string | device:Desktop |
pattern |
string | pattern:"User * logged in" |
patternId |
string | patternId:p_abc123 |
sensitiveData |
string array | sensitiveData:email |
sensitiveDataCatagory |
string array | sensitiveDataCatagory:PII |
tags, sensitiveData, and sensitiveDataCatagory are arrays — field:value matches if any element equals value.
Numeric vs string fields
The available comparison operators depend on the field's type:
- String fields support equality, negation,
starts with,ends with,contains, and case-insensitive contains. In the Modern UI these surface as:,!:, and the wildcard syntax (prefix*,*suffix,*substr*). - Numeric fields (
statusCode,urlPort) additionally support:>,:<,:>=,:<=, and:[a TO b]in the Modern UI.
Attribute access (@ prefix)
Logs carry arbitrary structured attributes — parsed JSON keys, ECS-standardised fields, Kubernetes metadata. Use the @ prefix to match against them. This works in both UIs.
@request_id:abc-123
@user.id:42
@kube_pod_name:order-api-7b9c8d-x4lk2
@host.name:web-1.prod
Special prefixes:
@<ecs_or_kube_field>— ECS-standardised fields (@host.name,@trace.id, etc.) and Kubernetes context fields (@kube_namespace,@kube_pod_name, etc.) are routed to the appropriate context column automatically.@message.<key>— match against a key inside a parsed JSON message body (e.g.@message.requestId:abc-123).@sensitive_data:<value>— match a sensitive-data marker on the event.@sensitive_data_catagory:<category>— match by sensitive-data category.
Any other @<key> is matched against the event's parsed attribute map.
Examples
Find every 5xx response from the order-api service in the last hour (Modern UI):
service:order-api AND statusCode:>=500
Find errors that aren't from internal cron jobs (Modern UI):
severity:error AND NOT service:internal-cron
Find Kubernetes pod logs for a specific namespace with timeouts (Modern UI):
@kube_namespace:payments AND "timeout"
Trace correlation — show all logs tied to a distributed trace (both UIs):
traceId:dt_8f3e0a1b9c4d5e6f7a8b9c0d1e2f3a4b
Pattern drill-down — show every event matching a detected pattern (both UIs):
patternId:p_abc123
The same expression you use in the search bar (Modern UI) is what gets sent to POST /v1/accounts/:accountId/logs/search as the filterConditions parameter; the Legacy UI sends its facet/pill selections as a filters array of field:value strings. Both formats accept the same set of fields.
Related views
These Log Explorer views accept the same filter expression in the search bar:
| View | Purpose |
|---|---|
| Live Tail | Stream new events as they arrive. |
| Patterns | Group similar log lines by detected pattern. |
| Analytics | Aggregate counts/bytes over time, grouped by any filterable field. |
| Surrounding events | Fetch the events immediately before or after a selected event. |
+1-415-800-4104