Log Query Language (LogQL)
To create custom queries, use LogQL in the log query input box of the Global Search. LogQL can be considered a distributed grep that aggregates log sources. LogQL uses labels and operators for filtering.
A basic log query consists of two parts:
- Log stream selector
- Log pipeline
Log Stream Selector
The log stream selector determines which log streams should be included in your query results. The stream selector consists of one or more key-value pairs, where each key is a log label and each value is that label's value. The log stream selector is written by wrapping the key-value pairs in a pair of curly braces:
{logType="fgt/traffic", adomid="3"}
In the example above, all log streams that have a label logType whose value is fgt/traffic and a label adomid whose value is 3 will be included in the query results. This matches any log stream whose labels include adomid with the value 3. If multiple streams carry that label, logs from all of the matching streams will appear in the results.
The = operator after the label name is a label matching operator. The following label matching operators are supported:
- =: Equals exactly
- !=: Not equal
Log Pipeline
Optionally, the log stream selector can be followed by a log pipeline. A log pipeline is a set of stage expressions chained together and applied to the selected log streams.
A log pipeline can be appended to a log stream selector to further process and filter log streams. It usually consists of one or more expressions; each expression is executed in sequence for each log line. If an expression filters out a log line, the pipeline stops at that point and starts processing the next line. An expression is a SQL WHERE-clause-like condition.
{logType="fgt/traffic", appcat="Collaboration"} | osname ILIKE 'windows%' AND dstinetsvc IREGEXP '^.*gmail.*' AND sentbyte > 10000000
In the example above, the condition filters the FortiGate traffic log messages in the Collaboration app category down to those whose OS name begins with "windows" (case insensitive), whose destination internet service matches Gmail, and whose sent bytes are greater than 10000000 (10 MB).
The following operators are supported in the Log Pipeline expression:
Operator | Description |
---|---|
=, !=, <, <=, >, >= | Comparison operators. |
AND, OR, NOT | Logical operators. |
BETWEEN ... AND ... | Compares to both a lower (>=) and upper (<=) bound. |
IN | Compares an argument value to a set of values and returns TRUE if the argument matches any value in the set. NOT IN reverses the comparison. |
LIKE | Comparison operator for STRING, with basic wildcard capability using _ to match a single character and % to match multiple characters. |
ILIKE | Case insensitive LIKE. |
REGEXP | Tests whether an argument value matches a regular expression. Uses the POSIX regular expression syntax, where ^ and $ match the beginning and end of the string. |
IREGEXP | Case insensitive REGEXP. |
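To make the selector and pipeline semantics concrete, here is an added Python model (not the product's own code) that applies the page's example query to constructed sample streams and log lines; the label sets, log field names and the LIKE-to-regex translation are assumptions for illustration.

```python
import re

# Constructed sample data (not from the page): the label set of two log streams
# and the log lines each stream carries, as an analyst might see them.
STREAMS = {
    "A": {"logType": "fgt/traffic", "appcat": "Collaboration", "adomid": "3"},
    "B": {"logType": "fgt/event", "appcat": "Collaboration", "adomid": "3"},
}
LINES = {
    "A": [
        {"osname": "Windows 10", "dstinetsvc": "Google-Gmail", "sentbyte": 25000000},
        {"osname": "Windows 11", "dstinetsvc": "Google-Gmail", "sentbyte": 4096},
        {"osname": "macOS", "dstinetsvc": "Google-Gmail", "sentbyte": 90000000},
    ],
    "B": [{"osname": "Windows 10", "dstinetsvc": "Google-Gmail", "sentbyte": 90000000}],
}

def like_to_regex(pattern):
    """LIKE pattern -> anchored regex: '_' is one character, '%' is any run."""
    wild = {"%": ".*", "_": "."}
    return "^" + "".join(wild.get(c, re.escape(c)) for c in pattern) + "$"

def like(value, pattern, ci=False):
    """LIKE / ILIKE (ci=True) on a string field."""
    return re.search(like_to_regex(pattern), value, re.IGNORECASE if ci else 0) is not None

def regexp(value, pattern, ci=False):
    """REGEXP / IREGEXP (ci=True): search where ^ and $ anchor the whole string."""
    return re.search(pattern, value, re.IGNORECASE if ci else 0) is not None

def select_streams(streams, selector):
    """Stream selector: every (label, op, value) matcher must hold for a stream.
    Assumption: a stream lacking a label is treated as having the empty value."""
    ops = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}
    return [name for name, labels in streams.items()
            if all(ops[op](labels.get(label, ""), value) for label, op, value in selector)]

def run_pipeline(lines, stages):
    """Stages run in order; all() short-circuits, so a line dropped by one
    stage is never handed to the later stages, as the page describes."""
    return [line for line in lines if all(stage(line) for stage in stages)]

def page_example():
    """{logType="fgt/traffic", appcat="Collaboration"} | osname ILIKE 'windows%'
    AND dstinetsvc IREGEXP '^.*gmail.*' AND sentbyte > 10000000"""
    selector = [("logType", "=", "fgt/traffic"), ("appcat", "=", "Collaboration")]
    stages = [lambda l: like(l["osname"], "windows%", ci=True),
              lambda l: regexp(l["dstinetsvc"], "^.*gmail.*", ci=True),
              lambda l: l["sentbyte"] > 10000000]
    hits = []
    for name in select_streams(STREAMS, selector):
        hits.extend(run_pipeline(LINES[name], stages))
    return hits
```

Only the first line of stream A survives: stream B fails the selector, and the other two lines of A are dropped by the sentbyte and osname stages respectively.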