
8 common mistakes to avoid in Loggly search

By Anthony Nguyen 14 Nov 2017

Every month I host a webinar in the Advanced Technical Webinar Series that tackles in-depth topics for advanced Loggly users. After the successful rollout of this series, I was asked to share my insights on the Loggly blog. I wanted to focus on something that I feel is core to being successful with Loggly: Loggly search.

For my first post, I’d like to share eight common mistakes I see our customers make using Loggly search. Whether you’re hitting enter too quickly or just forgetting some commands, avoiding these mistakes will significantly improve the analyses you can do in Loggly.

Mistake 1: Missing closing quote

I often see an opening quote around a search term or value with no closing quote, which produces a syntax error and the search never runs. Remember to put the closing quote at the end of the search term.

Example: json.message:"error –> json.message:"error"

Mistake 2: Forgetting to use a quote around the entire text to search

When the text you want to match contains a colon, wrap the entire text in quotes so it is searched as a single term. Left unquoted, the colon is read as a field separator, the text is split into separate pieces, and the search returns more events than you want.

Example: context::help –> “context::help”

Mistake 3: Using an operator without a second term

When you join a term to an operator such as AND but leave off the second term, the query is incomplete and cannot run. Either add a second term or remove the operator and search the value on its own.

Example: “context” AND –> “context” AND “term” or just “context”

Mistake 4: Not completing a number range in brackets

If you are searching a range of values, complete the range inside the square brackets with an uppercase "TO" followed by the upper bound. If you are looking for a single value, drop the square brackets altogether.

Example: apache.status:[400] –> apache.status:[400 TO 499] or just apache.status:400

Mistake 5: Using = as a field value separator instead of :

To match a field against a value, separate the field name and the value with a colon, not an equals sign; Loggly search does not treat "=" as a separator. In a range, the keyword "TO" must also be uppercase.

Example: json.statusCode=[400 to 499] –> json.statusCode:[400 TO 499]

Mistake 6: Placing a space between field name and value

This is the most common mistake that we see. When typing a key-value pair (the field name and its value), a space sometimes slips in between the colon and the value. The search then treats the two halves as two separate terms and matches far more events than intended. Remove the space so the field and value are read as a single term.

Example: json.message: error –> json.message:error

Mistake 7: Ignoring tokenization

Sometimes you want to search for a symbol, or for a term such as /index that begins with one. Loggly tokenizes log text when it indexes it, and punctuation such as "/" is stripped in that process, so the index holds the token index rather than /index. A query that includes the "/" therefore won't find what you're looking for; search for the term as it is stored, without the symbol.

Mistake 8: Regular expression missing encapsulating pair of slashes

Loggly supports regular expressions, but the pattern must be wrapped in a pair of forward slashes; the slashes are what tell the search that everything between them is a regular expression rather than a literal term.

Example: .*context.* –> /.*context.*/
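All eight mistakes can be caught before a query is saved, which matters most for alert and detection queries: a malformed query either errors out and the alert never fires, or silently matches a different set of events than intended. The following pre-flight linter is an added example written for this post, not Loggly's own tooling. The before/after pairs it runs over are constructed from the examples above, and its tokenize function is a simplified model of index-time tokenization (assumed here to split on whitespace and punctuation, which is the behaviour Mistake 7 describes).

```python
"""Pre-flight linter for Loggly search strings (added example, not Loggly's own code).

Each check maps to one of the eight mistakes on this page. Run it before a query
is saved as an alert: a bad query either errors out (the alert never fires) or
silently matches a different set of events than intended (noise, or missed hits).
"""
import re

_OPERATORS = {"AND", "OR", "NOT"}


def tokenize(text: str) -> list[str]:
    """Toy model of index-time tokenization.

    Assumption: terms are split on whitespace and punctuation, so a leading
    "/" is dropped and "/index" is stored as the token "index".
    """
    return re.findall(r"\w+", text)


def _blank_literals(query: str) -> str:
    """Replace quoted phrases and /regex/ literals with placeholders so the
    bare-token checks below do not fire on their contents."""
    query = re.sub(r'"[^"]*"', "PHRASE", query)
    return re.sub(r"/[^/\s]+/", "REGEX", query)


def lint_loggly_query(query: str) -> list[str]:
    """Return the problems found in `query`; an empty list means it looks OK."""
    problems = []

    # Mistake 1: an odd number of double quotes means one was never closed.
    if query.count('"') % 2:
        problems.append("missing closing quote")

    # Mistake 3: a boolean operator with nothing after it.
    if re.search(r"\b(AND|OR|NOT)\s*$", query):
        problems.append("operator without a second term")

    # Mistakes 4 and 5: a bracket range must read [low TO high], uppercase TO.
    for inner in re.findall(r"\[([^\]]*)\]", query):
        if re.fullmatch(r"\s*\S+\s+TO\s+\S+\s*", inner):
            continue
        if re.search(r"\s[Tt][Oo]\s", inner):
            problems.append("range must use uppercase TO")
        else:
            problems.append("incomplete range in brackets (need [low TO high])")

    # Mistake 6: whitespace after the colon turns one term into two.
    if re.search(r"[\w.]+:\s+\S", query):
        problems.append("space between field name and value")

    for token in _blank_literals(query).split():
        if token in _OPERATORS or token in ("PHRASE", "REGEX"):
            continue
        # Mistake 5: key=value instead of key:value.
        if re.fullmatch(r"[\w.]+=.*", token):
            problems.append(f'"=" in {token!r}; use ":" as the field/value separator')
        # Mistake 2: several colons in one bare term get parsed as field and
        # value pieces; quote the whole text to match it as a single term.
        elif token.count(":") > 1:
            problems.append(f"quote the whole text {token!r} to search it as one term")
        # Mistake 8: a regex is only treated as one when wrapped in /.../.
        elif re.search(r"\.\*|\.\+", token):
            problems.append(f"regular expression {token!r} needs enclosing slashes")
        # Mistake 7: punctuation such as "/" never reaches the index.
        elif "/" in token:
            kept = " ".join(tokenize(token))
            problems.append(f'{token!r} is indexed as {kept!r}; "/" is removed by tokenization')

    return problems


# Constructed before/after pairs, taken from the examples on this page.
SAMPLE_QUERIES = [
    ('json.message:"error', 'json.message:"error"'),
    ("context::help", '"context::help"'),
    ('"context" AND', '"context" AND "term"'),
    ("apache.status:[400]", "apache.status:[400 TO 499]"),
    ("json.statusCode=[400 to 499]", "json.statusCode:[400 TO 499]"),
    ("json.message: error", "json.message:error"),
    ("/index", "index"),
    (".*context.*", "/.*context.*/"),
]

if __name__ == "__main__":
    for bad, good in SAMPLE_QUERIES:
        print(f"{bad!r:32} -> {lint_loggly_query(bad)}")
        assert lint_loggly_query(good) == [], good
```

Each "before" query produces at least one finding and each "after" query produces none, so the linter can sit in front of whatever process stores saved searches or alert definitions. The checks are deliberately conservative string tests rather than a full grammar; a query they pass may still be wrong, but one they flag is one the eight mistakes above would have broken.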

If you want a handy reference on Loggly search to use for yourself or to bring other team members up to speed, download our cheat sheet. And there are more instructions in our documentation on using Loggly search.

For a complete deep dive into Loggly search and how you can use it to home in on specific logs and filter out the noise, watch the full webinar recording.
