Operators Reference

This guide provides a comprehensive reference for all operators available in SigNoz search syntax.

Comparison Operators

OperatorDescriptionExample
=Equalsstatus = 'success'
!= or <>Not equalsstatus != 'failed'
<Less thanresponse_time_ms < 1000
<=Less than or equalresponse_time_ms <= 1000
>Greater thanresponse_time_ms > 500
>=Greater than or equalresponse_time_ms >= 500

String Matching Operators

OperatorDescriptionExample
LIKECase-sensitive pattern matchingmessage LIKE '%error%'
NOT LIKENegated LIKEmessage NOT LIKE '%debug%'
ILIKECase-insensitive pattern matchingmessage ILIKE '%ERROR%'
NOT ILIKENegated ILIKEmessage NOT ILIKE '%DEBUG%'

Pattern matching wildcards:

  • % matches any sequence of characters
  • _ matches a single character

Range and Set Operators

OperatorDescriptionExample
BETWEENValue within rangelatency BETWEEN 100 AND 500
NOT BETWEENValue outside rangelatency NOT BETWEEN 100 AND 500
INValue in setregion IN ('us-east', 'us-west')
NOT INValue not in setregion NOT IN ('eu-west', 'eu-east')

Advanced Operators

OperatorDescriptionExample
EXISTSField existscustom.field EXISTS
NOT EXISTSField doesn't existerror.details NOT EXISTS
CONTAINSContains substringmessage CONTAINS 'timeout'
NOT CONTAINSDoesn't containmessage NOT CONTAINS 'success'
REGEXPRegular expression match (RE2 syntax)email REGEXP '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
NOT REGEXPDoesn't match regex (RE2 syntax)path NOT REGEXP '^/api/v1'

Operators and Field Existence

This section describes how operators handle missing fields. Not all records contain every field. Understanding how operators behave with missing fields is crucial for accurate queries.

Positive Operators (Automatically Check Field Exists)

These operators only match logs where the field exists:

OperatorBehaviorExample
=Field must exist AND equal valueservice.name = 'api'
>, >=, <, <=Field must exist AND meet conditionresponse_time_ms > 500
LIKE, ILIKEField must exist AND match patternmessage LIKE '%error%'
BETWEENField must exist AND be in rangelatency BETWEEN 100 AND 500
INField must exist AND be in setregion IN ('us-east', 'us-west')
CONTAINSField must exist AND contain textbody CONTAINS 'timeout'
REGEXPField must exist AND match regexemail REGEXP '.*@company.com'

Example:

response_time_ms > 500

Matches: Logs with response_time_ms field AND value > 500
Skips: Logs without response_time_ms field

Negative Operators (DO NOT Check Field Exists)

These operators match all logs except those with the specified value (including logs missing the field):

OperatorBehaviorExample
!=, <>Match if field doesn't exist OR value differsstatus != 'error'
NOT LIKE, NOT ILIKEMatch if field doesn't exist OR pattern doesn't matchmessage NOT LIKE '%debug%'
NOT BETWEENMatch if field doesn't exist OR value outside rangelatency NOT BETWEEN 100 AND 500
NOT INMatch if field doesn't exist OR value not in setregion NOT IN ('eu-west')
NOT CONTAINSMatch if field doesn't exist OR doesn't contain textbody NOT CONTAINS 'success'
NOT REGEXPMatch if field doesn't exist OR doesn't match regexpath NOT REGEXP '^/api'

Example:

service.name != 'redis'

Matches:

  • Logs where service.name = 'api', 'auth', etc.
  • Logs that don't have a service.name field at all

Skips: Only logs where service.name = 'redis'

Common Scenarios

Scenario 1: Find All Non-Redis Services

Ambiguous:

service.name != 'redis'

This includes logs without any service name!

Explicit intent:

service.name EXISTS AND service.name != 'redis'

This only includes logs that have a service name (and it's not 'redis')

Scenario 2: Find Logs Without Errors

Ambiguous:

severity_text != 'ERROR'

This includes logs that don't even have an severity_text field!

Clear intent - exclude ERROR level only:

severity_text EXISTS AND severity_text != 'ERROR'

Clear intent - find logs explicitly marked as non-error:

severity_text IN ('INFO', 'WARN', 'DEBUG')

Scenario 3: Find Failed Requests

Good:

status_code >= 400

Only matches logs that have a status_code field with error values

Be careful with:

status_code NOT BETWEEN 200 AND 399

This would include logs without any status_code field!

Boolean Operators

  • AND: Both conditions must be true
  • OR: At least one condition must be true
  • NOT: Negates the condition

Operator Precedence (highest to lowest):

  1. Parentheses ()
  2. NOT
  3. AND
  4. OR

Regular Expression (REGEXP)

The REGEXP operator uses RE2 syntax for pattern matching. RE2 is a fast, safe regular expression library that guarantees linear time execution. Common patterns:

  • . - Any single character
  • * - Zero or more of the preceding element
  • + - One or more of the preceding element
  • ? - Zero or one of the preceding element
  • [abc] - Any character in the set
  • [^abc] - Any character not in the set
  • \d - Any digit
  • \w - Any word character (letter, digit, underscore)
  • \s - Any whitespace character

Examples:

# Match email addresses
email REGEXP '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'

# Match IP addresses
ip_address REGEXP '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'

# Match URLs starting with https
url REGEXP '^https://'

# Match phone numbers (various formats)
phone REGEXP '^\+?1?\d{3}[-.]?\d{3}[-.]?\d{4}$'

Note: RE2 does not support lookahead/lookbehind assertions or backreferences.

Last updated: July 31, 2025

Was this page helpful?