The where command filters the search results. It only returns results that match the specified conditions.
The where command has the following syntax:
where <boolean-expression>The where command supports the following parameters.
| Parameter | Required/Optional | Description |
|---|---|---|
<boolean-expression> |
Required | The condition used to filter the results. Only rows in which this condition evaluates to true are returned. |
The following query finds all log entries with a severity level above INFO (severityNumber > 9), filtering out routine logs to focus on warnings and errors:
source=otellogs
| where severityNumber > 9
| sort severityNumber, `resource.attributes.service.name`
| fields severityText, severityNumber, `resource.attributes.service.name`
The query returns the following results:
fetched rows / total rows = 11/11
+--------------+----------------+----------------------------------+
| severityText | severityNumber | resource.attributes.service.name |
|--------------+----------------+----------------------------------|
| WARN | 13 | frontend-proxy |
| WARN | 13 | frontend-proxy |
| WARN | 13 | product-catalog |
| WARN | 13 | product-catalog |
| ERROR | 17 | checkout |
| ERROR | 17 | checkout |
| ERROR | 17 | frontend-proxy |
| ERROR | 17 | payment |
| ERROR | 17 | payment |
| ERROR | 17 | product-catalog |
| ERROR | 17 | recommendation |
+--------------+----------------+----------------------------------+
The following query narrows down errors to a specific service during an incident investigation, combining severity and service name conditions with AND:
source=otellogs
| where severityNumber >= 17 AND `resource.attributes.service.name` = 'payment'
| fields severityText, severityNumber, `resource.attributes.service.name`
The query returns the following results:
fetched rows / total rows = 2/2
+--------------+----------------+----------------------------------+
| severityText | severityNumber | resource.attributes.service.name |
|--------------+----------------+----------------------------------|
| ERROR | 17 | payment |
| ERROR | 17 | payment |
+--------------+----------------+----------------------------------+
The following query retrieves all warnings and errors using OR to match either condition:
source=otellogs
| where severityText = 'WARN' or severityText = 'ERROR'
| fields severityText, `resource.attributes.service.name`, body
| head 5
The query returns the following results:
fetched rows / total rows = 5/5
+--------------+----------------------------------+----------------------------------------------------------------------------------------+
| severityText | resource.attributes.service.name | body |
|--------------+----------------------------------+----------------------------------------------------------------------------------------|
| WARN | product-catalog | Slow query detected: SELECT * FROM products WHERE category = 'electronics' took 3200ms |
| ERROR | payment | Payment failed: connection timeout to payment gateway after 30000ms |
| ERROR | checkout | NullPointerException in CheckoutService.placeOrder at line 142 |
| ERROR | payment | Out of memory: Java heap space - shutting down pod payment-6f8d4b-ht7q3 |
| WARN | product-catalog | Connection pool 80% utilized on database replica db-replica-02 |
+--------------+----------------------------------+----------------------------------------------------------------------------------------+
The LIKE operator enables pattern matching on string fields using wildcards.
The following query uses a percent sign (%) to find all services starting with frontend:
source=otellogs
| where LIKE(`resource.attributes.service.name`, 'frontend%')
| fields severityText, `resource.attributes.service.name`, body
| head 3
The following query finds all logs from services containing product in their name:
source=otellogs
| where LIKE(`resource.attributes.service.name`, '%product%')
| fields severityText, `resource.attributes.service.name`, body
| head 3
The query returns the following results:
fetched rows / total rows = 3/3
+--------------+----------------------------------+----------------------------------------------------------------------------------------+
| severityText | resource.attributes.service.name | body |
|--------------+----------------------------------+----------------------------------------------------------------------------------------|
| WARN | product-catalog | Slow query detected: SELECT * FROM products WHERE category = 'electronics' took 3200ms |
| WARN | product-catalog | Connection pool 80% utilized on database replica db-replica-02 |
| DEBUG | product-catalog | gRPC call /ProductCatalogService/GetProduct completed in 12ms |
+--------------+----------------------------------+----------------------------------------------------------------------------------------+
The following query uses a NOT operator to exclude routine informational and debug logs, focusing on warnings and errors that need attention:
source=otellogs
| where NOT severityText IN ('INFO', 'DEBUG')
| sort severityNumber, `resource.attributes.service.name`
| fields severityText, `resource.attributes.service.name`, body
| head 4
The query returns the following results:
fetched rows / total rows = 4/4
+--------------+----------------------------------+-------------------------------------------------------------------------------------------+
| severityText | resource.attributes.service.name | body |
|--------------+----------------------------------+-------------------------------------------------------------------------------------------|
| WARN | frontend-proxy | SSL certificate for api.example.com expires in 14 days |
| WARN | frontend-proxy | Rate limit threshold reached: 450/500 requests per minute for API key ending in ...abc789 |
| WARN | product-catalog | Slow query detected: SELECT * FROM products WHERE category = 'electronics' took 3200ms |
| WARN | product-catalog | Connection pool 80% utilized on database replica db-replica-02 |
+--------------+----------------------------------+-------------------------------------------------------------------------------------------+
The following query uses an IN operator to match multiple severity levels at once, retrieving all errors and warnings for incident response:
source=otellogs
| where severityText IN ('ERROR', 'WARN')
| sort severityNumber, `resource.attributes.service.name`
| fields severityText, `resource.attributes.service.name`, body
The query returns the following results:
fetched rows / total rows = 11/11
+--------------+----------------------------------+----------------------------------------------------------------------------------------------+
| severityText | resource.attributes.service.name | body |
|--------------+----------------------------------+----------------------------------------------------------------------------------------------|
| WARN | frontend-proxy | SSL certificate for api.example.com expires in 14 days |
| WARN | frontend-proxy | Rate limit threshold reached: 450/500 requests per minute for API key ending in ...abc789 |
| WARN | product-catalog | Slow query detected: SELECT * FROM products WHERE category = 'electronics' took 3200ms |
| WARN | product-catalog | Connection pool 80% utilized on database replica db-replica-02 |
| ERROR | checkout | NullPointerException in CheckoutService.placeOrder at line 142 |
| ERROR | checkout | Kafka producer delivery failed: message too large for topic order-events (max 1048576 bytes) |
| ERROR | frontend-proxy | [2024-02-01T09:20:00.456Z] "POST /api/checkout HTTP/1.1" 503 - 0 30000 checkout-8d4f7b-mk2p9 |
| ERROR | payment | Payment failed: connection timeout to payment gateway after 30000ms |
| ERROR | payment | Out of memory: Java heap space - shutting down pod payment-6f8d4b-ht7q3 |
| ERROR | product-catalog | Database primary node unreachable: connection refused to db-primary-01:5432 |
| ERROR | recommendation | Failed to process recommendation request: invalid product ID from 203.0.113.50 |
+--------------+----------------------------------+----------------------------------------------------------------------------------------------+
The following query finds logs that have instrumentation scope metadata:
source=otellogs
| where NOT ISNULL(instrumentationScope.name)
| fields severityText, instrumentationScope.name
The query returns the following results:
fetched rows / total rows = 4/4
+--------------+-----------------------------------------------------------------------------+
| severityText | instrumentationScope.name |
|--------------+-----------------------------------------------------------------------------|
| INFO | @opentelemetry/instrumentation-http |
| INFO | Microsoft.Extensions.Hosting |
| WARN | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc |
| ERROR | @opentelemetry/instrumentation-http |
+--------------+-----------------------------------------------------------------------------+
The following query investigates a specific service's errors by combining severity conditions with a service filter, using parentheses to control evaluation order:
source=otellogs
| where (severityText = 'ERROR' OR severityText = 'WARN') AND `resource.attributes.service.name` = 'payment'
| sort severityNumber
| fields severityText, `resource.attributes.service.name`, body
The query returns the following results:
fetched rows / total rows = 2/2
+--------------+----------------------------------+-------------------------------------------------------------------------+
| severityText | resource.attributes.service.name | body |
|--------------+----------------------------------+-------------------------------------------------------------------------|
| ERROR | payment | Payment failed: connection timeout to payment gateway after 30000ms |
| ERROR | payment | Out of memory: Java heap space - shutting down pod payment-6f8d4b-ht7q3 |
+--------------+----------------------------------+-------------------------------------------------------------------------+