Query Language
A loglark query is composed of a series of filters separated by the |
operator. In its simplest form, a query consists of a single
filter and has no | operator at all.
filter1 | filter2 | ... | filterN
Matching
All log records are treated as JSON documents. A filter matches a record if it matches either a field name or a field value.
For example, following ...
{"bar":"foo"}
| regexp | matches | why |
|---|---|---|
| bar | yes | Field name bar matches. |
| ba. | yes | Field name bar matches. |
| "bar" | no | Matching is done on the bare field name, without surrounding quotes. Regexp "bar" doesn't match the bare field name bar or the bare value foo. |
| foo | yes | Field value foo matches. |
| "foo" | no | Matching is done on the bare field value, without surrounding quotes. |
| bar.*foo | no | Only field names or field values are matched. It is not possible to match a substring that spans a name or value boundary. |
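A small Python model of the matching rule in the table above, added here as an illustration and not loglark's own code. Python's re module stands in for loglark's regex engine, and descending into nested objects and stringifying non-string values are assumptions; the raw-line function shows why a grep-style pattern written against the serialized record gives different answers.

```python
import json
import re

def tokens(value, out=None):
    """Collect every bare field name and bare scalar value of a JSON document.

    Assumption: nested objects/arrays are walked and non-string scalars are
    stringified; the page only shows a flat, string-valued record.
    """
    out = [] if out is None else out
    if isinstance(value, dict):
        for name, child in value.items():
            out.append(name)          # field name, without quotes
            tokens(child, out)
    elif isinstance(value, list):
        for child in value:
            tokens(child, out)
    else:
        out.append(value if isinstance(value, str) else json.dumps(value))
    return out

def regexp_matches(pattern, record_json):
    """True if the regexp matches inside one field name or one field value."""
    rx = re.compile(pattern)
    # Each token is searched on its own, so a match can never span a
    # name/value boundary and never sees the JSON quoting.
    return any(rx.search(t) for t in tokens(json.loads(record_json)))

def raw_line_matches(pattern, record_json):
    """Contrast: grep-style search over the serialized record text."""
    return re.search(pattern, record_json) is not None

RECORD = '{"bar":"foo"}'  # the record from the table above
EXPECTED = {'bar': True, 'ba.': True, '"bar"': False,
            'foo': True, '"foo"': False, 'bar.*foo': False}

def check_table():
    """Evaluate every regexp from the table against RECORD."""
    return {p: regexp_matches(p, RECORD) for p in EXPECTED}

if __name__ == "__main__":
    for pattern, hit in check_table().items():
        print(f"{pattern!r:12} field-wise={hit!s:5} "
              f"raw-line={raw_line_matches(pattern, RECORD)}")
```

Patterns ported from grep-based detections that include JSON quotes or span a key and its value match the raw line but not the record under this rule, so they need to be rewritten per field.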
Reserved Keywords and Operators
The following keywords and operators are reserved:
- and
- or
- (
- )
- -
- |
They have special meaning and cannot be used as a search literal. If
you need to find records containing a reserved word, quote it with
double quotes: "and", "(", etc.
Filter Types
Literal
The simplest filter is a literal filter. It is a simple substring search, which selects all matching records. There are two types of literals: bare and quoted.
Bare Literal
If the search term starts with [a-zA-Z0-9] and contains only
[a-zA-Z0-9._-], then you can use it directly as a filter. However, to
avoid confusion it is usually better to add quotes explicitly.
Examples:
hello
world_42
Quoted Literal
For all other substring searches, use a quoted literal. Both single and double quotes are supported, and there is no difference between the two. The usual escapes are available as well:
| Escape | Meaning |
|---|---|
| "\x68" | h |
| "\u0068" | h |
| "\u68" | h |
| "\\" | \ |
| "\"" | " |
| '\'' | ' |
Examples:
"hello, world!"
"こんにちは"
Regexp
Of course, you can use regexp to filter log records. Loglark supports
The following regex constructs are supported by loglark:
- Literal characters and strings, with all PCRE quoting and character escapes.
- Character classes such as ., [abc], and [^abc], as well as the predefined character classes \s, \d, \w, \v, and \h and their negated counterparts (\S, \D, \W, \V, and \H).
- The POSIX named character classes [[:xxx:]] and negated named character classes [[:^xxx:]].
- Unicode character properties, such as \p{L}, \P{Sc}, \p{Greek}.
- Quantifiers:
  a) Quantifiers such as ?, * and + are supported when applied to arbitrary supported sub-expressions.
  b) Bounded repeat qualifiers such as {n}, {m,n}, {n,} are supported with limitations.
- Parenthesization, including the named and unnamed capturing and non-capturing forms. However, capturing is ignored.
- Alternation with the | symbol, as in foo|bar.
- The anchors ^, $, \A, \Z and \z.