Log Query Syntax - AppSignal Documentation

This page describes our newest query syntax. For the syntax using attributes, see our legacy query syntax

AppSignal’s log filtering system allows you to search and filter through your application logs using an intuitive query syntax. Whether you need to find specific error messages, filter by severity levels, or search through custom attributes, our query language makes it easy to pinpoint exactly what you’re looking for.

Quick Start

Get started with these simple queries:

timeout

Searches for “timeout” in the message field.

severity=error

Finds all error-level logs.

severity=error hostname=production-web-1

Finds errors from a specific server.

Available Fields

You can query the following fields in your logs:

Field	Description	Example
`severity`	Log level (error, warning, info, debug, trace)	`severity=error`
`hostname`	Application host	`hostname=production-1`
`group`	Namespace defined for your application	`group="background jobs"`
`message`	Log message content	`message:timeout`
Custom attributes	Any custom attribute defined in your logs	`duration>10.1`

If no field is provided, the query will search the message field.

Query Operators

Search Operators

Operator	Syntax	Description	Example
`:`	`field:value`	Contains value	`message:error`
`!:`	`field!:value`	Does not contain value	`hostname!:test`
`=`	`field=value`	Exact match	`severity=error`
`!=`	`field!=value`	Not equal to	`source!=mongodb`

Use quotes for values with spaces: group:"background jobs"

Comparison Operators

For numeric values:

Operator	Syntax	Description	Example
`>`	`attribute>value`	Greater than	`duration>100`
`<`	`attribute<value`	Less than	`user_id<1000`
`>=`	`attribute>=value`	Greater than or equal to	`duration>=100`
`<=`	`attribute<=value`	Less than or equal to	`user_id<=1000`

Nested Attributes

We’ll use the following example JSON structure:

{
  "message": "User logged in",
  "group": "admin",
  "hostname": "production-1",
  "user": {
    "id": 123,
    "name": "John Doe",
    "emails": ["john@example.com", "john@work.com"],
    "location.country": "US"
  }
}

Query nested JSON attributes using dot notation:

user.id=123

Access nested object properties.

user.emails.0=john@example.com

Query array elements by index (zero-based).

user.location\.country=US

Escape dots that are part of the field name itself using a backslash.

Combining Queries

AND Logic (Default)

Space-separated queries are combined with AND:

severity=error hostname=production-1

Finds errors from production-1.

OR Logic

Use OR to match any condition:

severity=error OR severity=warning

Finds errors or warnings.

Grouping with Parentheses

Use parentheses for complex queries:

severity=error AND (hostname=web-1 OR hostname=web-2)

Finds errors from either web-1 or web-2.

​Quick Start

​Available Fields

​Query Operators

​Search Operators

​Comparison Operators

​Nested Attributes

​Combining Queries

​AND Logic (Default)

​OR Logic

​Grouping with Parentheses

Quick Start

Available Fields

Query Operators

Search Operators

Comparison Operators

Nested Attributes

Combining Queries

AND Logic (Default)

OR Logic

Grouping with Parentheses