Build a Query

InsightIDR offers several ways to search your data: regular expression, string, key-value pair (KVP), and keyword search. This document explains the basics of search operations in InsightIDR.

Log Entry Query Language (LEQL)

Our powerful search language Log Entry Query Language (LEQL) allows you to construct queries that can extract the hidden data within your logs.

LEQL follows a SQL-style syntax and constructing a query is simple and intuitive. Each search must begin with a where() statement. You can then insert your query inside of the where() statement. If you want to search logs without using LEQL, use the simple mode on the LEQL Query Bar.

Simple Mode

The LEQL Query Bar has three modes. Simple mode allows you to build queries by selecting the desired functions and keys with your mouse.

Advanced Mode

Advanced mode allows you to enter the full query using a Search Language. Experienced users may find this mode faster, but the syntax is strict and you must remember the different analytic functions available.

When the text box is empty, you can press the Down arrow key to see and load sample queries.

You can switch between the simple and the advanced mode by clicking the mode switcher to the left of the query bar. If you find yourself in the advanced mode with an invalid query, the system will prevent you from returning to the simple mode. To return to the simple mode, delete the query or fix the syntax errors.

If you need help writing queries, you can build your own based on the provided Example Queries.

Visual Mode

Learn how to use Visual Search to visualize your data.

Saved Searches and Queries

If you want to return to a query, use the Save button to the right of the query bar.

To see saved searches and queries, select the Queries dropdown to the left of the query bar.

You can edit these searches as needed by selecting the Pencil icon, or you can delete them with the Trash icon.

Operators

Logical and comparison operators let you build more complex searches. The guide below introduces both sets of operators available when constructing a query.

Logical Operators

You can use the following logical operators to create comprehensive search criteria. Please note that when constructing a Search Query all operators should be typed in UPPERCASE.

| Logical Operator | Example | Description |
|---|---|---|
| AND | expr1 AND expr2 | Returns log events that match both criteria |
| OR | expr1 OR expr2 | Returns log events that match one or both criteria |
| NOT | expr1 NOT expr2 | Returns log events that match expr1 but not expr2 |

Comparison Operators

Comparison operators can be used for KVP search and Regular Expression search.

| Comparison Operator | Example | Description |
|---|---|---|
| == | KeyA==KeyB | Returns log events where the values of the two keys are the same. Use this operator to compare keys. You can compare strings or numeric values. |
| !== | KeyA!==KeyB | Returns log events where the values of the two keys are not the same. You can compare strings or numeric values. |
| = | KeyA=3 | Returns log events where the key equals a specific value. You can input a numeric or string value. |
| < | KeyA<3 | Returns log events where the key is less than the specified value. You can input a numeric value or a key. |
| <= | KeyA<=KeyB or KeyA<=3 | Returns log events where the key is less than or equal to the specified value. You can input a numeric value or a key. |
| > | KeyA>KeyB or KeyA>3 | Returns log events where the key is greater than the specified value. You can input a numeric value or a key. |
| >= | KeyA>=KeyB or KeyA>=3 | Returns log events where the key is greater than or equal to the specified value. You can input a numeric value or a key. |

Format numerical values

Numerical values must be formatted as an integer, floating-point value, or in scientific notation to be properly recognized. Units are not calculated as part of the comparison. For example, searching for a value<100bytes would not return a result with value=200bits.
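The following Python script is an added illustration, not Rapid7's code or InsightIDR's actual query engine. It implements a small evaluator with the semantics this page describes: the mandatory where() wrapper, the uppercase logical operators, key-to-key comparison with == and !==, key-to-literal comparison with =, and the rule that only values formatted as an integer, floating-point number or scientific notation take part in ordering comparisons (so value<100bytes matches nothing, including value=200bits). The sample log events, the key names (user, value, limit, unit), the left-to-right evaluation order and the handling of missing keys are assumptions; the real LEQL parser and its operator precedence may differ.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Strict numeric literal: integer, floating-point, or scientific notation.
# "100bytes" or "200bits" do not match, so they never take part in a numeric comparison.
NUMBER_RE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
# One comparison term: key, operator, right-hand side (longest operators listed first).
TERM_RE = re.compile(r"^(\w+)\s*(==|!==|>=|<=|>|<|=)\s*(\S+)$")
# Logical operators must be UPPERCASE; a lowercase "and" is not split and fails to parse.
LOGICAL_RE = re.compile(r"\s+(AND|OR|NOT)\s+")

Event = Dict[str, str]
Term = Tuple[str, str, str]


def to_number(text: str) -> Optional[float]:
    """Return the value of a strictly formatted numeric literal, else None."""
    return float(text) if NUMBER_RE.match(text) else None


def compare(event: Event, key: str, op: str, rhs: str) -> bool:
    """Evaluate one comparison term against a single log event (assumed semantics)."""
    left = event.get(key)
    if left is None:
        return False  # the key is absent, so the event cannot match this term
    if op in ("==", "!=="):
        right = event.get(rhs)  # == and !== compare the values of two keys
        if right is None:
            return False
        ln, rn = to_number(left), to_number(right)
        same = (ln == rn) if (ln is not None and rn is not None) else (left == right)
        return same if op == "==" else not same
    if op == "=":
        literal = rhs.strip('"')  # = compares a key with a literal value
        ln, rn = to_number(left), to_number(literal)
        return (ln == rn) if (ln is not None and rn is not None) else (left == literal)
    # Ordering operators: the right-hand side is a key if the event has one with
    # that name, otherwise it is taken as a literal.
    right = event.get(rhs, rhs)
    ln, rn = to_number(left), to_number(right)
    if ln is None or rn is None:
        return False  # units or other text: no numeric comparison is possible
    return {"<": ln < rn, "<=": ln <= rn, ">": ln > rn, ">=": ln >= rn}[op]


def parse(query: str) -> List[Union[Term, str]]:
    """Split a where(...) query into [term, op, term, op, term, ...]."""
    query = query.strip()
    if not (query.startswith("where(") and query.endswith(")")):
        raise ValueError("a search must be wrapped in where(...)")
    parts: List[Union[Term, str]] = []
    for i, piece in enumerate(LOGICAL_RE.split(query[len("where("):-1].strip())):
        if i % 2 == 1:
            parts.append(piece)  # AND / OR / NOT
            continue
        m = TERM_RE.match(piece)
        if m is None:
            raise ValueError(f"cannot parse term: {piece!r}")
        parts.append(m.groups())
    return parts


def matches(event: Event, query: str) -> bool:
    """Evaluate the query left to right (an assumption; the page states no precedence)."""
    parts = parse(query)
    result = compare(event, *parts[0])
    for op, term in zip(parts[1::2], parts[2::2]):
        rhs = compare(event, *term)
        if op == "AND":
            result = result and rhs
        elif op == "OR":
            result = result or rhs
        else:  # NOT: keep events that match expr1 but not expr2
            result = result and not rhs
    return result


def search(events: List[Event], query: str) -> List[str]:
    """Return the user field of every event the query matches, in input order."""
    return [e["user"] for e in events if matches(e, query)]


# Constructed sample events, not real InsightIDR data.
SAMPLE_EVENTS: List[Event] = [
    {"user": "alice", "value": "200", "limit": "200", "unit": "bits"},
    {"user": "bob", "value": "50", "limit": "100bytes"},
    {"user": "carol", "value": "1.5e2", "limit": "150"},
    {"user": "dave", "value": "200bits", "limit": "100"},
]

if __name__ == "__main__":
    for q in ("where(value<100)", "where(value<100bytes)", "where(value==limit)",
              "where(value>=limit)", "where(value>=100 NOT user=alice)"):
        print(f"{q:36} -> {search(SAMPLE_EVENTS, q)}")
```

Note that carol's value 1.5e2 compares equal to her limit of 150 because scientific notation is recognised, while dave's value 200bits is never compared numerically, and a query written with a lowercase and fails to parse rather than silently matching nothing.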