SigNoz supports querying logs using the visual Query Builder in both the Logs Explorer and Dashboards, with ClickHouse SQL available as an additional option in Dashboards.
Query Builder
The Query Builder is the primary way to query logs. It is available in both Logs Explorer and Dashboards.
Filtering
Use the Filter field to narrow down logs using attributes, body content, and severity. Supported operators include:
| Intent | Operator | Example |
|---|---|---|
| Exact match | = | service.name = 'frontend' |
| Exclude | != | service.name != 'redis' |
| One of several | IN | severity_text IN ('ERROR', 'WARN') |
| Substring | LIKE | body LIKE '%timeout%' |
| Case-insensitive substring | ILIKE | body ILIKE '%connection refused%' |
| Text containment | CONTAINS | body CONTAINS 'panic' |
| Field exists | EXISTS | trace_id EXISTS |
Combine filters with AND / OR for complex queries. See the Search Syntax guide and Operators Reference for the full list of operators and syntax details.
You can also use Quick Filters in the Logs Explorer sidebar to narrow results by common attributes without writing filter expressions. See the Default Quick Filters Reference for the full list of available filter attributes.
Aggregation (Time Series & Table views)
Log queries support a full set of aggregation functions in the Time Series and Table views:
- Statistical — Count, Count Distinct, Sum, Avg, Min, Max
- Percentiles — P05, P10, P25, P50, P75, P90, P95, P99
- Rate — Rate, Rate Sum, Rate Avg, Rate Max, Rate Min
Group By (Time Series & Table views)
Segment results by one or more attributes in the Time Series and Table views. For example, grouping by service.name produces a separate series for each service. This is useful in aggregate views for comparing error counts across services, namespaces, or any other attribute.
Having
Filter results after aggregation. For example, count() > 1000 shows only groups exceeding 1000 log entries. See Result Manipulation for sorting, limiting, and conditional filtering options.
Functions (Time Series & Table views)
Log queries support the Time Shift function, which lets you compare the current result against a previous time period (e.g., compare error counts now vs. one hour ago). See Comparing Service Performance with Time Shift for an example.
Formulas
Combine up to ten queries using formulas. For example, calculate an error ratio as (A / B) * 100, where A counts error logs and B counts all logs. See Multi-Query Analysis for formula functions and examples.
For full details on the Query Builder, see the Query Builder documentation.
ClickHouse SQL (Dashboards Only)
When building Dashboard panels, you can write raw ClickHouse SQL queries against the logs tables for advanced analytics beyond what the Query Builder supports.
For details and example queries, see the ClickHouse Logs Query guide.
Next Steps
- Full-Text Search — search log bodies without specifying field names
- Aggregation & Grouping — detailed reference for aggregation functions and group by
- Result Manipulation — sorting, limiting, and Having clause patterns
- Multi-Query Analysis — formulas, error rate calculations, and multi-query comparisons
- Time Aggregation Windows — how step intervals work for time series queries
- Advanced Query Examples — complex query patterns and real-world use cases
- Fields in Logs — understand log attributes, parsing, and sensitive data masking
- Log-based Alerts — get notified when log patterns match your conditions
- Logs Pipelines — transform and enrich logs before storage using processors
- Correlate Traces and Logs — navigate between related logs and traces
- Logs API — query and aggregate logs programmatically