Search Guide - Query Logs and Traces

Overview

Qorrelate uses a Lucene-style query language for searching logs and traces. This syntax is intuitive and powerful, letting you quickly find the data you need.

Powered by ClickHouse

Under the hood, queries are translated to optimized ClickHouse SQL. This means blazing-fast searches even across billions of log lines.

Simple Text Search

Just type what you're looking for:

error

Find all logs containing "error"

"connection refused"

Find exact phrase (use quotes)

timeout connection

Find logs containing both "timeout" AND "connection"

Field-Specific Search

Search specific fields using field:value syntax:

service.name:api-gateway

Logs from api-gateway service

severity:ERROR

Only ERROR level logs

trace_id:abc123def456

Find all logs for a specific trace

attr.user_id:user-12345

Search custom attributes with attr. prefix

Boolean Operators

Combine conditions with AND, OR:

service.name:checkout AND severity:ERROR

Errors in checkout service

error OR warning

Logs containing either "error" or "warning"

severity:ERROR AND (service.name:api OR service.name:web)

Errors from api or web services (use parentheses for grouping)

Note: AND is implicit between terms. error timeout is the same as error AND timeout

Regex Patterns

Enable regex mode for pattern matching:

error|warning|critical

Match any of these words (with regex enabled)

user-[0-9]+

Match user IDs like user-123, user-4567

^Failed to

Logs starting with "Failed to"

To enable regex in the UI, check the Regex checkbox. In API calls, add use_regex=true.

Numeric Filters

Filter by numeric values:

status_code:500

Exact match

status_code:>=400

All 4xx and 5xx errors

duration_ms:>1000

Slow requests (over 1 second)

Time Ranges

Use the time picker in the UI, or specify time ranges in API calls:

# Last hour
start_time=now-1h&end_time=now

# Specific range
start_time=2024-01-15T10:00:00Z&end_time=2024-01-15T12:00:00Z

# Last 7 days
start_time=now-7d&end_time=now

Available Fields

Log Fields

Field	Aliases	Description
`service.name`	service_name	Service name from resource attributes
`severity`	level, severity_text	Log level (DEBUG, INFO, WARN, ERROR)
`body`	message, msg	Log message body
`trace_id`	trace.id	OpenTelemetry trace ID
`span_id`	span.id	OpenTelemetry span ID
`attr.{key}`	attribute.{key}	Custom log attributes
`resource.{key}`	res.{key}	Resource attributes

Trace Fields

Field	Description
`service`	Service name
`operation`	Span/operation name
`duration`	Span duration
`status`	Span status (OK, ERROR)

Example Queries

Find all errors in production

severity:ERROR AND resource.deployment.environment:production

Database connection issues

"connection" AND (timeout OR refused OR reset)

Logs for a specific user

attr.user_id:"user-abc123"

Slow API requests

service.name:api-gateway AND attr.duration_ms:>500

Payment failures

service.name:payment-service AND (failed OR declined OR error)

All logs from a trace

trace_id:"5b8aa5a2d2c872e8321cf37308d69df2"

API Usage

Search Logs

curl -G "https://qorrelate.io/v1/logs/search" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "query=service.name:api-gateway AND severity:ERROR" \
  --data-urlencode "start_time=2024-01-15T00:00:00Z" \
  --data-urlencode "end_time=2024-01-15T23:59:59Z" \
  --data-urlencode "limit=100"

Search with Regex

curl -G "https://qorrelate.io/v1/logs/search" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "query=user-[0-9]+" \
  --data-urlencode "use_regex=true"

Search Traces

curl -G "https://qorrelate.io/v1/traces/search" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "service=checkout" \
  --data-urlencode "min_duration=100ms" \
  --data-urlencode "limit=50"