Unified Search Syntax¶

Note

Unified Search Syntax is available for tenants created after December 5, 2024. If your Observe tenant was created before this date and you want to enable the new Unified Search Syntax, please reach out to Observe for assistance. Use the in-product Contact Support button to contact Observe for more information. On the left side navigation menu, click Docs & Support, Contact Support, and Send Us a Message to contact an Observe Data Engineer.

The unified search syntax simplifies keyword searches while providing users with precise control through highly specific search patterns.

Tokenization¶

Each input string is tokenized into keywords (tokens) by the following list of separators. Each token is considered a single keyword.

'[', ']', '<', '>', '(', ')', '{', '}',
'|', '!', ';', ',', '&', '?', '+', '\'', '"', '\n',
'\r', '\t', ' ', '=',
'/', ':', '@',  '.', '-','$', '#', '%', '\\', '_',
'~', '`', '^', '*',
0x1D, // Group Separator ASCII
0x1E, // Record Separator ASCII
0x1F, // Unit Separator ASCII
// Multi byte
'␝', // U+241D - Group Separator UTF-8
'␞', // U+241E - Record Separator UTF-8
'␟', // U+241F - Unit Separator UTF-8

This string, I20240912 18:04:10.088056 23943 core/src/handler.cpp:216] msg="ingest error" customer_id=1234567890 path=/v2/otel/v1/metrics request_id=c2cd80b32a04d384cbdae5e8c4cc80c5 ingest_error="decode_error: opentelemetry sum metric has no data points", is tokenized into the following keywords (tokens).

['I20240912', '18', '04', '10', '088056', '23943', 'core', 'src', 'handler', 'cpp', '216', 'msg', 'ingest', 'error', 'customer', 'id', '1234567890', 'path', 'v2', 'otel', 'v1', 'metrics', 'request', 'id', 'c2cd80b32a04d384cbdae5e8c4cc80c5', 'ingest', 'error', 'decode', 'error', 'opentelemetry', 'sum', 'metric', 'has', 'no', 'data', 'points']

Searching for a single keyword¶

Search Syntax	Description
`filter log ~ error`	Searches the `log` column for the term `error`.

Searching for multiple keywords¶

Search Syntax	Description
`filter log ~ <error message>`	Searches the `log` column for the terms `error` and `message`. Order of the terms doesn’t matter and it is the same as `filter log ~ error AND log ~ message`.
`filter log ~ "error message"`	Searches the `log` column for the exact phase `error message`. Order of the terms matters.

Queries with non-space separators symbols¶

Search Syntax	Description
`filter log ~ "error-level"`	Searches for token `error` immediately followed by `-` and then token `level`. Matches: `error-level`, `error-level: severe` Non-matches: `error level`, `error--level`, `level-error`

Substring search¶

Search Syntax	Description
`filter log ~ error`	Searches the `log` column for words containing `error`. This is a substring search. For example, any tokens or keywords containing `error`, `errors`, `fatalErrorCode`, `fatalError`, `errorCode` will be matched.
`filter log ~ error*`	Searches the `log` column for words starting with `error`. This is a prefix search. For example, any tokens or keywords starting with `error`, `errors`, `errorCode` will be matched.
`filter log ~ *error`	Searches the `log` column for words ending with `error`. This is a suffix search. For example, any tokens or keywords ending with `error`, `fatalError` will be matched.

Boolean search¶

Search Syntax	Description
`filter log ~ <error or fatal>`	Searches the `log` column for the term `error` or `fatal`. It is the same as `filter log ~ error or log ~ fatal` or `filter log ~ <error> or log ~ <fatal>`.
`filter log ~ <not fatal>`	Searches the `log` column not containing the term `fatal`. It is the same as `filter log !~ fatal` or `filter log !~ <fatal>`.

Search on all fields¶

Warning

Users are strongly advised to specify a specific column to search in order to get results faster

Search Syntax	Description
`filter * ~ error`	Searches all columns for the term `error`. It is the same as `filter * ~ <error>`.

Migrate to Unified Search Syntax