InsightOps gives users several ways to search their data: LEQL, Regex, String, KeyValue or Keyword search queries.
The powerful search language Log Entry Query Language (LEQL) allows you to quickly construct queries that can extract the hidden data within your logs. LEQL comprises the other query languages for your searching convenience.
With LEQL, you can look for the occurrence of a single term, or try to graph your website's response time over the last 24 hours, among many other uses.
LEQL follows a SQL-style syntax, and constructing a query is simple and intuitive because it combines several different languages and allows you to use the helpful LEQL Query Bar. LEQL allows you to search in the simplest way possible or to write more advanced queries to find granular information.
The Query Bar has three modes that you can use when building your queries. The first mode is simple mode, which allows you to build queries by selecting the desired functions and keys with your mouse. Each search begins with a where() statement, and you insert your query inside that statement.
The second is the advanced mode, which allows you to enter the full query using the keyboard. Experienced users will likely find this mode faster, but the syntax is strict and you must remember the different analytic functions available.
You can press the down key to see and load sample queries when the text box is empty.
You can switch between the simple and the advanced mode by clicking the mode switcher to the left of the query bar. If you find yourself in the advanced mode with an invalid query, the system will prevent you from returning to the simple mode. To return to the simple mode, delete the query or fix the syntax errors.
The third mode is Visual Search, which overlays your raw log data with interactive charts that allow you to quickly filter your log data.
InsightOps supports both logical and comparison operators, which allow you to create more complex searches. The guide below introduces both sets of operators available to use while constructing a query.
InsightOps supports the following logical operators to create comprehensive search criteria.
Please note that when constructing a Search Query, all operators should be typed in UPPERCASE.
expr1 AND expr2: Returns log events that match both criteria
expr1 OR expr2: Returns log events that match one or both criteria
expr1 NOT expr2: Returns log events that match expr1 but not expr2
Returns log events that match the search value – matches numeric and text values
Returns log events that do not match the search value – matches numeric and text values
Returns log events with field values higher than the search value
Returns log events with field values higher than or equal to the search value
Returns log events with field values lower than the search value
Returns log events with field values lower than or equal to the search value
NOTE: Numerical values must be formatted as an integer, floating-point value, or in scientific notation to be properly recognized by InsightOps. Units are not calculated as part of the comparison. For example, searching for value<100bytes would not return a result with value=200bits.
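Because units are not calculated, one way to keep size fields comparable is to strip units before the log line is shipped. The following is an added example, not InsightOps code: the unit table, the field name `value`, the choice of bytes as the common unit, and the number regex (this example's reading of "integer, floating-point, or scientific notation") are all assumptions.

```python
import re

# Integer, floating-point or scientific notation, per the note above.
# The exact grammar is an assumption of this example.
NUM = r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?"
PLAIN_NUMBER = re.compile(NUM)
WITH_UNIT = re.compile(rf"({NUM})\s*([A-Za-z]+)")

# Hypothetical unit table: multipliers that convert each unit to bytes.
TO_BYTES = {"bit": 0.125, "bits": 0.125, "byte": 1, "bytes": 1,
            "kib": 1024, "mib": 1024 ** 2}

def is_plain_number(value):
    """True if the value has no unit suffix and is a bare number."""
    return PLAIN_NUMBER.fullmatch(value) is not None

def to_bytes(value):
    """Return value as a number of bytes, or None if the unit is unknown."""
    if is_plain_number(value):
        return float(value)          # assumed to already be in bytes
    m = WITH_UNIT.fullmatch(value.strip())
    if not m or m.group(2).lower() not in TO_BYTES:
        return None
    return float(m.group(1)) * TO_BYTES[m.group(2).lower()]

def fmt(n):
    """Render as an integer when possible, otherwise as a float."""
    return str(int(n)) if n == int(n) else repr(n)

def normalize_line(line, size_keys=("value",)):
    """Rewrite key=value pairs named in size_keys to unit-free byte counts."""
    out = []
    for token in line.split():
        key, sep, val = token.partition("=")
        if sep and key in size_keys:
            n = to_bytes(val)
            if n is not None:        # unknown units are left untouched
                val = fmt(n)
        out.append(f"{key}{sep}{val}")
    return " ".join(out)

if __name__ == "__main__":
    # Constructed sample log lines.
    for line in ["user=alice value=200bits", "user=bob value=100bytes",
                 "user=eve value=3.5e2", "user=dan value=7furlongs"]:
        print(normalize_line(line))
```

After normalization the first line carries value=25, so a search such as value<100 matches it, while the line with an unrecognized unit is passed through unchanged for review.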