Inspecting the Logs: Tips & Tricks

On this page, we have compiled some tips & tricks that may help you when working with the Scheer PAS Log Analyzer.

Tips for Search Queries

Searching for Terms

To search for a phrase (an ordered sequence of words), surround your text with quotation marks:

CODE
"dev stack timeout reached"

To find only log entries in which all search terms match, place an AND between the terms:

CODE
Ticketcreation AND calling AND onUnhandledError

Searching in Fields

You can search for text in a particular field. Specify the field name before the colon to do so:

CODE
log.domain: RESTLM

Also possible:

CODE
log.domain:RESTLM

DQL ignores white space characters. Use wildcards (DQL only supports *) to refer to field names containing spaces.

The field prefix refers only to the term that follows the colon:

CODE
message:Ticketcreation OR OrderApproval

This query returns results where the content in field message contains the term Ticketcreation and results where the content in any field contains the term OrderApproval.

If you want to get results in which one field contains either one search term or the other, group the terms in parentheses:

CODE
message:(Ticketcreation OR OrderApproval)

This query returns results where the content in field message contains the term Ticketcreation or the term OrderApproval. You can also write:

CODE
message:Ticketcreation OR message:OrderApproval

Boolean Operators

The Boolean operators and, or and not are supported by DQL:

CODE
error OR onUnhandledError

DQL is not case sensitive, e.g. OR and or are the same.

Multiple grouping levels are possible:

CODE
message:((error OR onUnhandledError) AND NOT arrow_Relation)

You can search for "not equal" by using not and the field name:

CODE
not service:ticketsystem

This query returns results where the content in field service is not ticketsystem, but also results where field service is empty or not present.

CODE
service:* and not service:ticketsystem

This query returns results where the content in field service does not contain the term ticketsystem.

Wildcards

DQL supports wildcards (only * is supported) in search terms and field names:

CODE
message:create*
m*ss*:cre*

Search Languages: DQL vs. Lucene

By default, the Dashboard Query Language (DQL), a text-based query language, is used to search for log documents. See below for how to switch to Lucene.

How to use Lucene instead of DQL

By default, the Dashboard Query Language (DQL) is used.

Reserved Characters in DQL

The following characters are reserved in DQL:

\ ( ) : < > " *

To escape reserved characters, use a backslash: \

DQL searches the field(s) set as the default field(s) on the index. If no default field is set, DQL searches all fields.
Refer to Working With the Log Analyzer for details on how to change the default fields.

There is a second language available. To switch to Lucene, click DQL and disable the option OpenSearch Dashboards Query Language.

Reserved Characters in Lucene

In Lucene, hyphens are reserved characters.
If your search term contains hyphens, DQL prompts you to switch to Lucene syntax. To avoid this, surround your search term with quotation marks in a phrase search or omit the hyphen in a regular search.
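
As an added example (not part of the Scheer PAS documentation or the Log Analyzer itself), the following Python helper builds DQL strings from untrusted values, such as a service name copied from an alert, using the rules on this page: reserved characters are backslash-escaped, hyphenated terms are quoted, and a field prefix is applied to several terms through parentheses. All function names are hypothetical; the field-name allow-list and the treatment of only \ and " as special inside a quoted phrase are assumptions.

```python
import re

RESERVED = '\\():<>"*'            # DQL reserved characters listed on this page
OPERATORS = {"and", "or", "not"}  # DQL operators are not case sensitive
FIELD_NAME = re.compile(r"[A-Za-z0-9_.]+")  # assumed allow-list for field names


def dql_literal(value: str) -> str:
    """Render an untrusted value as exactly one literal DQL search term."""
    if not value:
        raise ValueError("empty search term")
    # Whitespace, hyphens and bare operator words go into a quoted phrase.
    if re.search(r"[\s-]", value) or value.lower() in OPERATORS:
        # Assumption: inside quotes only \ and " need a backslash.
        return '"' + re.sub(r'([\\"])', r"\\\1", value) + '"'
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def _field(name: str) -> str:
    """Reject field names that could smuggle query syntax."""
    if not FIELD_NAME.fullmatch(name):
        raise ValueError(f"unexpected field name: {name!r}")
    return name


def field_any(field: str, values: list[str]) -> str:
    """field:(a OR b): the parentheses keep the field prefix on every term."""
    if not values:
        raise ValueError("at least one value is required")
    return f"{_field(field)}:({' OR '.join(dql_literal(v) for v in values)})"


def field_not(field: str, value: str) -> str:
    """'Not equal' that skips documents where the field is empty or missing."""
    name = _field(field)
    return f"{name}:* and not {name}:{dql_literal(value)}"


if __name__ == "__main__":
    # Constructed sample values, including one that tries to widen the query.
    print(field_any("message", ["Ticketcreation", "OrderApproval"]))
    print(field_not("service", "ticketsystem"))
    print(field_any("service", ["x) OR service:*", "dev-stack"]))
```

The third sample stays a single quoted phrase, so the embedded `) OR service:*` is searched as text and does not change the structure of the query.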

The following overview illustrates the differences between DQL and Lucene:

DQL and Lucene:

  • Wildcard expressions (DQL: only * is supported)

  • Ranges

  • Boolean operations

DQL:

  • Querying nested fields

Lucene:

  • Regular expressions

  • Fuzziness

  • Proximity queries

  • Boosting
