Search Log Fields

Mezmo provides several capabilities for searching fields in your logs. In this topic you'll find information on nested field searches, searching by field comparison, searching for the existence of fields, and general and exact term field searches.

  1. Log in to app.mezmo.com.
  2. In the Search box at the bottom of the log viewer, enter your search terms.
  3. Select the Timeframe that you want to search.
  4. Select if you want to search Live log data, or historical.
  5. In the Viewer Tools menu, enter any text you want highlighted in the search results.
Search bar in the Mezmo Web App

Search bar in the Mezmo Web App

To search for a field with a particular value, use a colon to separate the field and value.

This example will return all parsed log lines with the field response with a value of 404.

Bash
Copy

To search for a nested field, use periods to separate each nested field.

This example will return all log lines containing the key:value structure { "user": { "id": 12345 }}.

Bash
Copy

Filters

Using the same field search syntax, you can also set filters directly in the search bar.

This example will return all log lines that originate from the source myawesomehost and not from the app mycoolapp.

Bash
Copy

Metadata

With the REST API or Node.js library, you can upload a metadata object as part of a log line's context. To search for field values contained in the metadata object, use the meta prefix.

This example will return all log lines containing the context object with the key:value structure { "status_code": 404}.

Bash
Copy

Field Comparison Operators

For parsed fields with a numeric value, we support the following operators:

Bash
Copy

To search for parsed fields matching comparison operators, use a colon followed by the comparison operator.

Bash
Copy

To form a compound field search query using comparison operators, use a colon followed by parentheses.

This example will return all log lines with the field response with values greater than or equal to 400, less than 500, and not 404.

Bash
Copy

To search for a case-sensitive parsed field, use a colon followed by an equal sign =.

This example will return all log lines with the field name with the case-sensitive string value camelCasedName.

Bash
Copy

To search for the existence of a parsed field, use a colon followed by the asterisk *.

This example will return all log lines that have a value for the user field.

Bash
Copy

To search for a term match for a field value, use ==.

This example will return all lines with the exact name field value of bob, and will not match bobby.

Bash
Copy

Prefix search is set by default for all string fields. To search for an exact match for a field value, use ===.

This example will return all lines with the exact name field value of Bob, and will not match bob or Bobby.

Bash
Copy

You can search for log lines by size by using the mezmo_line_size field annotation. This example will return lines with a line-size greater than 4000 bytes.

Bash
Copy

You can create a search based on the size of specific log line by clicking the Line size value in the Log Viewer.

You can also create graphs based on mezmo_line_size as described in Create a Graph.

Colons

Since the colon is a reserved character for field search, quotes are required when searching for strings with colons in them.

This example will return all log lines with the string response: in them.

Bash
Copy

Combining Operators

You can combine operators to make your search more specific. This searches first for logs scanned from/var/log/syslog or that contain the word ERROR, then limits the results to node1.

Bash
Copy

This searches logs where the value stored in the status field is greater than 100 and less than 503.

Bash
Copy

Lists

Any whitespace between search terms is automatically interpreted as AND. For example, searching warning error returns logs containing both warning and error. The only exception is when using lists, which treat whitespace as a part of the search term. For example, searching message:[file, exists] will only search for instances of exists that are preceded by a space. Some other examples:

  • level:[warning,error] will return as normal.
  • level:[warning, error]with a space between warning and error, will search for entries of the field level which have "warning" or " error" with space included.
  • level:[warning,(error)] will search for entries of the field level which have "warning" or "(error)" with parenthesis included.
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard