Search Syntax
Logchef provides a simple yet powerful search syntax called LogchefQL that makes it easy to find exactly what you’re looking for in your logs.
Basic Syntax
Section titled “Basic Syntax”The basic syntax follows a simple key-value pattern:
key="value"For example:
level="error"service="payment-api"Operators
Section titled “Operators”LogchefQL supports a comprehensive set of operators for different use cases:
Equality Operators
Section titled “Equality Operators”| Operator | Description | Example |
|---|---|---|
= | Equals | status=200 |
!= | Not equals | level!="debug" |
Pattern Matching Operators
Section titled “Pattern Matching Operators”| Operator | Description | Example |
|---|---|---|
~ | Contains (case-insensitive) | message~"timeout" |
!~ | Does not contain | path!~"health" |
Comparison Operators
Section titled “Comparison Operators”| Operator | Description | Example |
|---|---|---|
> | Greater than | status>400 |
< | Less than | response_time<1000 |
>= | Greater than or equal to | severity_number>=3 |
<= | Less than or equal to | duration<=5000 |
Combining Conditions
Section titled “Combining Conditions”You can combine multiple conditions using and and or operators (case-insensitive):
# Find errors in payment servicelevel="error" and service="payment-api"
# Find successful or redirected responsesstatus=200 or status=301
# Complex combinations with parentheses(service="auth" or service="users") and level="error"
# Find slow requests with errorsresponse_time>1000 and status>=500Nested Field Access
Section titled “Nested Field Access”LogchefQL supports accessing nested fields using dot notation. This works seamlessly with:
- Map columns (e.g.,
Map(String, String)) - JSON columns
- String columns containing JSON
Dot Notation
Section titled “Dot Notation”Access nested keys using dots:
# Access nested field in a Map columnlog_attributes.user_id="12345"
# Multi-level nestinglog_attributes.request.method="POST"
# Pattern matching on nested fieldslog_attributes.error.message~"connection refused"Quoted Field Names
Section titled “Quoted Field Names”For field names containing special characters (like dots), use quotes:
# Field name contains a literal dotlog_attributes."user.name"="alice"
# Mixed notationlog_attributes."nested.key".subfield="value"Pipe Operator (Custom SELECT)
Section titled “Pipe Operator (Custom SELECT)”The pipe operator (|) allows you to select specific columns instead of the default SELECT *. This is useful for:
- Reducing data transfer
- Focusing on relevant fields
- Extracting specific nested values
Syntax
Section titled “Syntax”<filter conditions> | <field1> <field2> ...Examples
Section titled “Examples”# Select only service_name from syslog namespacenamespace="syslog" | service_name
# Select multiple fieldsnamespace="prod" | namespace service_name body
# Select nested fieldslevel="error" | timestamp log_attributes.request_id body
# Extract specific nested valuesservice="api" | timestamp log_attributes.user_id log_attributes.endpointThe selected fields appear as columns in the result set, making it easy to focus on the data you need.
Examples
Section titled “Examples”Finding Errors
Section titled “Finding Errors”level="error"HTTP Status Codes
Section titled “HTTP Status Codes”# Server errorsstatus>=500
# Client errorsstatus>=400 and status<500
# Successful requestsstatus=200Service-specific Logs
Section titled “Service-specific Logs”service="payment-api" and level="error"Partial Text Search
Section titled “Partial Text Search”# Find logs containing "timeout"message~"timeout"
# Find paths not containing "internal"path!~"internal"Performance Analysis
Section titled “Performance Analysis”# Slow requests (over 1 second)response_time>1000
# Very fast requests (under 10ms)response_time<10Nested Field Queries
Section titled “Nested Field Queries”# Filter by nested attributelog_attributes.user_id="user-123"
# Pattern match in nested JSONbody~"error" and log_attributes.request.method="POST"Under the Hood
Section titled “Under the Hood”When you use LogchefQL, Logchef converts it to optimized ClickHouse SQL queries:
- The
~and!~operators use ClickHouse’spositionCaseInsensitivefunction for efficient partial matches - Nested field access on Map columns uses subscript notation:
column['key'] - Nested field access on JSON/String columns uses
JSONExtractString - A default time range and limit is automatically applied
- Results are ordered by timestamp in descending order
For example, this search:
level="error" and log_attributes.user_id="12345"Gets converted to (for a table with log_attributes as a Map column):
SELECT *FROM logs.appWHERE (`level` = 'error') AND (`log_attributes`['user_id'] = '12345') AND timestamp BETWEEN toDateTime('2025-04-07 14:20:42', 'UTC') AND toDateTime('2025-04-07 14:25:42', 'UTC')ORDER BY timestamp DESCLIMIT 100And with the pipe operator:
level="error" | timestamp level bodyGenerates:
SELECT `timestamp`, `level`, `body`FROM logs.appWHERE `level` = 'error' AND timestamp BETWEEN toDateTime('2025-04-07 14:20:42', 'UTC') AND toDateTime('2025-04-07 14:25:42', 'UTC')ORDER BY timestamp DESCLIMIT 100SQL Mode
Section titled “SQL Mode”For advanced queries that go beyond LogchefQL’s capabilities, you can switch to SQL Mode in the query editor. This gives you full access to ClickHouse SQL, including:
- Aggregations (
COUNT,SUM,AVG, etc.) - Subqueries
- Joins
- Custom functions
- Complex expressions
In SQL mode, your query is executed exactly as written—time range and limit controls are disabled since you have full control over the SQL.
Tips for Effective Queries
Section titled “Tips for Effective Queries”- Start specific, then broaden: Begin with specific conditions and remove filters to expand results
- Use parentheses for complex logic:
(a or b) and cis clearer than relying on operator precedence - Leverage nested field access: Don’t flatten your logs—query them directly
- Use the pipe operator: Select only the fields you need for faster queries
- Switch to SQL mode: For aggregations and advanced analysis