Unified search syntax

📘
Note
Unified Search Syntax is available for tenants created after December 5, 2024. If your Observe tenant was created before this date and you want to enable the new Unified Search Syntax, please reach out to Observe for assistance. Use the in-product Contact Support button to contact Observe for more information. On the left side navigation menu, click Docs & Support and Contact Support.

The unified search syntax simplifies keyword searches while providing users with precise control through highly specific search patterns.

Tokenization

Each input string is tokenized into keywords (tokens) by the following list of separators. Each token is considered a single keyword.

'[', ']', '<', '>', '(', ')', '{', '}',
'|', '!', ';', ',', '&', '?', '+', '\'', '"', '\n',
'\r', '\t', ' ', '=',
'/', ':', '@',  '.', '-','$', '#', '%', '\\', '_',
'~', '`', '^', '*',
0x1D, // Group Separator ASCII
0x1E, // Record Separator ASCII
0x1F, // Unit Separator ASCII
// Multi byte
'␝', // U+241D - Group Separator UTF-8
'␞', // U+241E - Record Separator UTF-8
'␟', // U+241F - Unit Separator UTF-8

This string, I20240912 18:04:10.088056 23943 core/src/handler.cpp:216] msg="ingest error" customer_id=1234567890 path=/v2/otel/v1/metrics request_id=c2cd80b32a04d384cbdae5e8c4cc80c5 ingest_error="decode_error: opentelemetry sum metric has no data points", is tokenized into the following keywords (tokens).

['I20240912', '18', '04', '10', '088056', '23943', 'core', 'src', 'handler', 'cpp', '216', 'msg', 'ingest', 'error', 'customer', 'id', '1234567890', 'path', 'v2', 'otel', 'v1', 'metrics', 'request', 'id', 'c2cd80b32a04d384cbdae5e8c4cc80c5', 'ingest', 'error', 'decode', 'error', 'opentelemetry', 'sum', 'metric', 'has', 'no', 'data', 'points']

Search for a single keyword

Search Syntax	Description
`filter log ~ error`	Searches the `log` column for the term `error`.

Search for multiple keywords

Search Syntax	Description
`filter log ~ <error message>`	Searches the `log` column for the terms `error` and `message`. Order of the terms doesn’t matter and it is the same as `filter log ~ error AND log ~ message`.
`filter log ~ "error message"`	Searches the `log` column for the exact phase `error message`. Order of the terms matters.

Queries with non-space separators symbols

Search Syntax	Description
`filter log ~ "error-level"`	Searches for token `error` immediately followed by `-` and then token `level`. Matches: `error-level`, `error-level: severe` Non-matches: `error level`, `error--level`, `level-error`

Substring search

Search Syntax	Description
`filter log ~ error`	Searches the `log` column for words containing `error`. This is a substring search. For example, any tokens or keywords containing `error`, `errors`, `fatalErrorCode`, `fatalError`, `errorCode` will be matched.
`filter log ~ error*`	Searches the `log` column for words starting with `error`. This is a prefix search. For example, any tokens or keywords starting with `error`, `errors`, `errorCode` will be matched.
`filter log ~ *error`	Searches the `log` column for words ending with `error`. This is a suffix search. For example, any tokens or keywords ending with `error`, `fatalError` will be matched.

Search on all fields

📘
Note
Specify a specific column to search in order to get results faster.

Search Syntax	Description
`filter * ~ error`	Searches all columns for the term `error`. It is the same as `filter * ~ <error>`.

Updated about 2 months ago