Live Tail Query Language
Information about our query language you can use in Live Tail. Unsure how to construct your queries? Send us a message at [email protected]!
The Logtail Query Language is what powers searching on Live Tail. The query language is designed to be straightforward to use and powerful at the same time.
​
There are two main modes to use the query language in:

Simple queries

Simple queries are what you're used to from search engines - queries like these are all supported.
  • "hello world"
  • Started
  • 404
  • "https://example.com/abcd"
When you use a simple query, we search all columns that match the query type with a fulltext query, case insensitive. This means that if you search for Hello, we can find logs like
{
message_string: "Hello world!",
}
and
{
article_published_at: "2021-05-26T13:32:01Z",
article_title: "The band Hello announced a new tour!"
}
​
​

Compound queries

Compound queries follow a more rigid structure, and allow for chaining query clauses in a single search. Compound queries are composed of clauses optionally chained with a conjunction operator. You can also use parentheses to give preference to the queries.
An example of a compound query is:
  • vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
In the example query, there are two query clauses joined by an AND cojunction operator.
A compound query clause consists of a column, an operator, and a value. In the case of the previous query, the first clause has
  • vercel.proxy.status_code_integer as the column,
  • >= as the operator, and
  • 400 as the value

Query clause format

You can use any columns you sent us in a compound query clause.
This is the operator list currently supported:
  • Operators applicable to all column types
    • = equals
    • != not equals
  • String-specific operators
    • : contains
    • !: not contains
  • Integer and Float-specific operators
    • >= greater than or equal
    • <= less than or equal
    • > greater than
    • < less than
The value of a query clause can be either a simple text, or a more complex text surrounded by quotes. Here are some examples:
  • hello
  • "Hello World"
  • 500
​
Note that query clause values don't support asterisks (*) or question marks (?) for regex matching. These queries are therefore not valid:
  • vercel.proxy.status_code_integer>=4??
  • vercel.proxy.status_code_integer>=4*
In most cases, you can achieve the expected result with query chaining, like
  • vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
​
We support two conjunction operators: AND and OR. You can also query for compound queries without using either of those, in which case we assume the AND operator. This means that this query
vercel.proxy.status_code_integer>=400 AND vercel.proxy.status_code_integer<500
behaves the same as this one
vercel.proxy.status_code_integer>=400 vercel.proxy.status_code_integer<500
​
Note that it's currently not possible to chain Simple and Compound queries - if you tried something like vercel.proxy.status_code_integer>=400 AND "Hello World", we fallback to parsing this as a simple query, matching the entire query contents against your columns.
​

fulltext column

Because chaining simple and compound queries is not supported, we have a special column to specify the fulltext search behavior present in simple queries: fulltext. The usage is the same as with other columns - the difference is that when we encounter this column, we search all columns in the same way as the simple queries do.
These queries are therefore equivalent:
  • Hello world
  • fulltext:"Hello world"
You can use =, !=, : and !: operators with the fulltext column.
You can use the special fullext column to make wider searches while maintaining filters imposed by other clauses, for example
vercel.proxy.status_code_intetger>=400 AND \
vercel.proxy.status_code_intetger>=400 AND \
fulltext:"Record Not Found"
​