Search¶

Text Search¶

Search generally consists of terms and operators. Wildcard queries are supported:

• * matches 0 or more arbitrary characters;
• ? matches 1 arbitrary character.

Multiple terms can be combined into complex queries using Boolean operators (AND/OR/NOT).

Terms can be single words or phrases. For example:

• Single word: platform;
• Multiple words: platform test; (equivalent to platform AND test)
• Phrase: "platform test"; (using double quotes converts a group of words into a phrase)

JSON Search¶

By default, an exact search is performed on the content of message, and message must be in JSON format. Log content in other formats does not support this search method. The search format is: @key:value. For multi-level JSON, use . to connect key names, such as @key1.key2:value, as shown in the figure:

Example Scenario:

message information as follows:
{
    __namespace:tracing,
    cluster_name_k8s:k8s-demo,
    meta:{    
        service:ruoyi-mysql-k8s,
        name:mysql.query,
        resource:select dict_code, dict_sort, dict_label, dict_value, dict_type, css_class, list_class, is_default, status, create_by, create_time, remark 
                from sys_dict_data
 }
}

# Query cluster_name_k8s = k8s-demo
@cluster_name_k8s:k8s-demo     // Exact match
@cluster_name_k8s:k?s*        // Fuzzy match

# Query meta.service = ruoyi-mysql-k8s
@meta.service:ruoyi-mysql-k8s   // Exact match
@meta.service:ruoyi?mysql*   // Fuzzy match

Special Scenario .¶

Field name with dot . processing specification: The parser recognizes . as a hierarchical operator during lexical analysis, and \ is the only valid escape character. Double quotes are disabled due to syntax conflicts.

Core Rules¶

1. In JSON queries under Doris and ScopeDB modes, . represents nested field levels (e.g., @error.detail.code:500 represents a three-level nested structure).

2. When the field name itself contains . (e.g., trace.id), use a backslash \ to escape:

   • Correct format: @field_name\.with\.dots:value, such as @trace\.id:12345, @app\.version:2.1

3. Prohibited Actions

   • Directly using unescaped dots: @trace.id:12345 (will be parsed as nested fields)

   • Wrapping field names in double quotes: @"trace.id":12345 (not supported across the board)

Usage Examples Comparison¶

MD5 Function Query¶

If the data is MD5 encrypted and needs to be searched and located in the Explorer after scanning, you can use the MD5 function for queries.

Query Example

color:md5|red

queryString(md5

You can also use DQL statements combined with the MD5 function for queries:

your_md5_field = md5('secret')

DQL Query¶

Click the DQL button on the right side of the search bar to enter DQL Query mode:

In different Explorers, the data source is displayed based on the category and cannot be changed. For example, in the Log Explorer, the default query format is L(‘index_name’)::.

CIDR Function Query¶

Using the CIDR function, you can precisely match IP addresses in logs and query time content within fields.

Query Example

CIDR(@network.client.ip, 13.0.0.0/8)

Search History¶

The system records the conditions for each triggered query, and you can directly reuse the query by clicking on it.

Further Reading¶