Build a Query
New Log Search is available for Open Preview
We are rolling out a new Log Search experience to customers with an open preview starting January 31st, 2023. You can still use the original Log Search during this open preview. Both the original and the new Log Search will exist in parallel until development is complete. For now, review the topic on the new Log Search and navigate to the Log Search Open Preview page in InsightIDR to become familiar with the new layout. Check back soon for fully updated documentation.
InsightIDR gives you several ways to search your data, including Regex, String, KeyValue, and Keyword search. This document explains the basics of search operations in InsightIDR.
Log Entry Query Language (LEQL)
Our powerful search language Log Entry Query Language (LEQL) allows you to construct queries that can extract the hidden data within your logs.
LEQL follows a SQL-style syntax, and constructing a query is simple and intuitive. Each search must begin with a where() statement, and you insert your query inside the where() statement. If you want to search logs without using LEQL, use the simple mode on the LEQL Query Bar.
The LEQL Query Bar has three modes. Simple mode allows you to build queries by selecting the desired functions and keys with your mouse.
Advanced mode allows you to enter the full query using a Search Language. Experienced users may find this mode faster, but the syntax is strict and you must remember the different analytic functions available.
You can press the Down Key to see and load sample queries when the text box is empty.
You can switch between the simple and the advanced mode by clicking the mode switcher to the left of the query bar. If you find yourself in the advanced mode with an invalid query, the system will prevent you from returning to the simple mode. To return to the simple mode, delete the query or fix the syntax errors.
If you need help writing queries, you can recreate queries based on the provided Example Queries.
Learn how to use Visual Search to visualize your data.
Saved Searches and Queries
If you want to return to a query, use the Save button to the right of the query bar.
To see saved searches and queries, select the Queries dropdown to the left of the query bar.
You can edit these searches as needed by selecting the Pencil icon, or you can delete them with the Trash icon.
You can use both logical and comparison operators to create more complex searches. The guide below introduces both sets of operators available while constructing a query.
You can use the following logical operators to create comprehensive search criteria. Logical operators are treated as case-insensitive by LEQL.
expr1 AND expr2: Returns log events that match both criteria.
expr1 OR expr2: Returns log events that match one or both criteria.
expr1 NOT expr2: Returns log events that match expr1 but not expr2.
Comparison operators can be used for KVP search and Regular Expression search.
Returns log events where the key values are the same. Use this operator to compare keys. You can compare strings or numeric values.
Returns log events where the key values are not the same. You can input strings or numeric values.
Returns log events where the key equals a specific value. You can input a numeric or string value.
Returns log events that are less than the specified value. You can input a numeric value or key.
Returns log events that are less than or equal to the specified value. You can input a numeric value or a key.
Returns log events that are greater than the specified value. You can input a numeric value or a key.
Format numerical values
Numerical values must be formatted as an integer, a floating-point value, or in scientific notation to be properly recognized. Units are not interpreted as part of the comparison. For example, searching for value<100bytes would not return a result with value=200bits.
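As an added illustration (not Rapid7's code, and not how InsightIDR itself evaluates queries), the following Python model applies the where() wrapper, the case-insensitive AND/OR/NOT operators and the numeric-formatting rule described above to a few constructed key=value events. It assumes the operators apply left to right with no precedence, and that equality falls back to string comparison when either side is not a plain number.

```python
import re
# Constructed sample key=value events for this demo (not real InsightIDR data).
SAMPLE_EVENTS = [
    "user=alice action=login bytes=150 status=200",
    "user=bob action=download bytes=2.5e3 status=200",
    "user=carol action=upload bytes=80bytes status=403",
    "user=dave action=login status=500",
]

# A value is numeric only as an integer, float or scientific notation, so
# "80bytes" is a string and can never satisfy a numeric comparison.
NUMBER_RE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
KVP_RE = re.compile(r"(\w+)=(\S+)")
COND_RE = re.compile(r"^(\w+)(<=|>=|!=|=|<|>)(\S+)$")

def to_number(text):
    return float(text) if NUMBER_RE.match(text) else None

def compare(actual, op, expected):
    # Equality is numeric when both sides are numbers, else string; ordering needs numbers.
    a, b = to_number(actual), to_number(expected)
    numeric = a is not None and b is not None
    if op in ("=", "!="):
        same = (a == b) if numeric else (actual == expected)
        return same if op == "=" else not same
    if not numeric:
        return False
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def matches(event, query):
    # Evaluate one where(...) query against one event. AND/OR/NOT are
    # case-insensitive; assumption: they apply left to right, no precedence.
    body = re.fullmatch(r"\s*where\((.*)\)\s*", query)
    if not body:
        raise ValueError("query must be wrapped in where()")
    fields = dict(KVP_RE.findall(event))
    result, pending = False, None
    for tok in body.group(1).split():
        if tok.upper() in ("AND", "OR", "NOT"):
            pending = tok.upper()
            continue
        cond = COND_RE.match(tok)
        if not cond:
            raise ValueError(f"unrecognised condition: {tok}")
        key, op, value = cond.groups()
        hit = key in fields and compare(fields[key], op, value)
        result = {None: hit, "AND": result and hit, "OR": result or hit,
                  "NOT": result and not hit}[pending]  # NOT: left but not right
        pending = None
    return bool(result)
```

Running where(bytes<100) over the sample events returns nothing, because the only event with a small value carries a unit (bytes=80bytes) and is therefore not compared numerically, mirroring the caveat above.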