Advanced Examples
This guide provides advanced examples of search queries for complex use cases.
Complex Boolean Logic
Use parentheses to control evaluation order:
(service.name = 'auth' OR service.name = 'user') AND status_code >= 400
This finds errors from either the auth or user service.
Nested Conditions
Group related conditions for complex logic:
region = 'us-east' AND (
  (status = 'error' AND retry_count > 3) OR
  (status = 'timeout' AND response_time_ms > 5000)
)
This finds issues in us-east that are either:
- Errors with more than 3 retries, OR
- Timeouts taking longer than 5 seconds
Multi-Service Error Analysis
Find errors across multiple services with specific conditions:
severity_text = 'ERROR' AND
service.name IN ('payment', 'checkout') AND
http.request.duration > 1000
API Endpoint Analysis
Analyze specific API endpoints:
(http.method = 'POST' OR http.method = 'PUT') AND
http.status_code BETWEEN 200 AND 299 AND
http.url LIKE '%/api/v2/%'
Production Incident Investigation
Complex query for investigating production issues:
deployment.environment = 'production' AND
severity_text IN ('ERROR', 'FATAL') AND
(
  (error.type = 'DatabaseError' AND body CONTAINS 'connection') OR
  (error.type = 'TimeoutError' AND response_time_ms > 30000) OR
  (http.status_code >= 500 AND http.url LIKE '%/critical/%')
)
User Experience Monitoring
Track slow requests affecting specific users:
user.tier = 'premium' AND
service.name = 'api-gateway' AND
(
  (http.method = 'GET' AND response_time_ms > 2000) OR
  (http.method = 'POST' AND response_time_ms > 5000)
) AND
k8s.namespace.name = 'production'
Security Event Detection
Identify potential security issues (the NOT LIKE '10.%' clause excludes only one internal address range; match it to your own address plan):
(
  (body CONTAINS 'authentication failed' AND client.ip NOT LIKE '10.%') OR
  (http.status_code = 403 AND request_count > 10) OR
  (body REGEXP '(sql injection|xss|csrf)' AND severity_text = 'WARNING')
)
Performance Degradation Pattern
Find performance degradation patterns:
service.name = 'database-service' AND
(
  (
    query.type = 'SELECT' AND
    execution_time_ms > 1000 AND
    table_name IN ('users', 'orders', 'payments')
  ) OR
  (
    query.type IN ('INSERT', 'UPDATE') AND
    execution_time_ms > 500 AND
    affected_rows > 1000
  )
) AND
deployment.environment = 'production'
Kubernetes Pod Issues
Investigate pod-specific issues:
k8s.pod.name LIKE 'payment-service-%' AND
k8s.namespace.name = 'production' AND
(
  (severity_text = 'ERROR' AND body CONTAINS 'OOMKilled') OR
  (restart_count > 5) OR
  (body CONTAINS 'CrashLoopBackOff')
)
Cross-Service Transaction Tracing
Find related logs across services for a transaction:
(
  trace_id = '123e4567-e89b-12d3-a456-426614174000' OR
  correlation_id = 'ORDER-2024-001'
) AND
service.name IN ('order-service', 'payment-service', 'inventory-service')
Feature Flag Analysis
Analyze logs related to feature flags:
has(body.feature_flags, 'new-checkout-flow') AND
(
  (
    conversion.success = true AND
    response_time_ms < 3000
  ) OR
  (
    severity_text = 'ERROR' AND
    body CONTAINS 'feature flag evaluation failed'
  )
) AND
deployment.environment = 'production'
Best Practices for Complex Queries
- Use parentheses liberally: make operator precedence explicit.
- Start broad, then narrow: begin with service/environment filters.
- Test incrementally: build complex queries step by step.
- Filter on indexed fields first: use fields like service.name for better performance.
- Use time ranges in the UI: set appropriate time windows using the time picker.
Last updated: July 31, 2025