# Search and filter log data

Logs Explorer lets you filter log data to focus your search. When you first open Logs
Explorer, results display for all log data received in the last hour.

To normalize data for consistent filtering, Chronosphere maps your data to the
`service`, `severity`, and `message` fields. Expand any of the displayed logs to show
these fields, along with any custom fields your data contains.

By default, the **Summary** column displays the contents of the `message` field. If
the `message` field isn't normalized, then the entire payload for each log displays
in the **Summary** column. To parse the payload and direct certain contents into the
`message` field,
[create a field parser](/control/shaping/shape-logs/parse-logs#create-field-parsers).

To filter your data, start with [basic queries](#filter-data-with-basic-queries). You
can then use the [query syntax](/investigate/querying/query-logs/query-syntax) to
filter on attributes in your data, such as a particular environment or cluster name.
If you know details about the data you're searching for, try using
[advanced queries](#filter-data-with-advanced-queries).

<Note>
  For optimal performance, Chronosphere recommends always including a primary
  [key](/investigate/querying/query-logs/query-syntax#keys) in your filter, such as
  `service` or `severity`.
</Note>

## Filter data with basic queries

Use this method to select individual keys or values and narrow your query from a broad
scope to a specific focus. The following steps are a recommended approach; you can
start with a different key or value based on what you're searching for.

To use basic querying:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.

2. On the **Logs Explorer** page, use the
   [time range selector](/navigate/time-ranges) to select a time
   window to display logs for. The default time window is the last hour.

3. Define your query. You can use the sidebar, query box, or a combination of both to
   specify your query criteria. You can also click individual keys or values within
   a selected log.

   * **Sidebar**: Expand the key you want to query on. Hold the pointer over the
     value you want to include or exclude from your filter. Click the equals operator
     (`=`) to include the value, or the does not equal operator (`!=`) to exclude the
     value.

     For example, expand the `severity` key and click the equals operator next to
     **ERROR**, which adds that expression to your filter.

     ```text theme={null}
     severity = "ERROR"
     ```

     For additional options, click the <Icon icon="ellipsis-vertical" /> three
     vertical dots icon next to a field name. For example, click
     **Pin this field to top of field list** to pin the selected field to the top of
     the list of fields, which makes the field always visible.

     You can also pin entire logs to the top of the query results. See
     [group and visualize queries](#group-and-visualize-queries) for information about
     how to pin logs.

   * **Query box**: Use the [query syntax](/investigate/querying/query-logs/query-syntax)
     to enter the key you want to query on. The autocomplete syntax suggests
     operators and matching values for keys you enter as you type to help you
     construct your query.

     ```text theme={null}
     severity = "ERROR" AND service = "nginx"
     ```

     <Note>
       If you're unsure what syntax to use, click in the query box and press
       `Control+Space` to display values for a key or available operators.
     </Note>

   * **Attributes**: After expanding an individual log, click any key or value to
     display a menu with the following options:

     * **Add field to summary**: Include the selected key or value in the **Summary**
       column of the individual log results.
     * **Add field as column**: Adds the selected field as a column in the query
       results.
     * **Add to group and visualize**: Adds the selected key or value to the query
       box as a [`summarize`](/investigate/querying/query-logs/query-syntax#summarize)
       query, and selects a visualization that best matches the data type.
     * **Show matching logs**: Return only logs that contain the selected key or value.
     * **Hide matching logs**: Return logs that don't contain the selected key
       or value.
     * **Copy field name**: Copy the selected key or value.

4. To submit your query, either click **<Icon icon="refresh-cw" />Run** or press
   `Control+Enter` (`Command+Return` on macOS).

5. Expand your query by either adding additional key/value pairs or entering a
   full-text string such as `"failed query token"` to find logs that contain the
   expression anywhere in the log. For example:

   ```text theme={null}
   severity = "ERROR" and service = "gateway" AND "failed query token"
   ```

   <Note>
     The operators `AND` and `OR` are case-insensitive, so you can use `AND`,
     `and`, `OR`, and `or` interchangeably.
   </Note>

6. To display an AI summary of a log, click **Summarize log**.

7. As you refine your filter, click and select a portion of the time chart to zoom in
   to view a smaller time window.

The results update to include only logs that contain the key/value pairs you enter.

## Filter data with advanced queries

If you know details about the log you're searching for, or are carrying context to
Logs Explorer from a [services page](/observe/services/service-pages), use the
[query syntax](/investigate/querying/query-logs/query-syntax) to construct your query.

For example, if you know there's an issue with the `gateway` service in your
production environment, create a query to help you locate which Kubernetes cluster is
experiencing issues.

To use advanced filtering:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.

2. In the query box, construct a query to include any logs with `ERROR` as the
   `severity` for the `gateway` service:

   ```text theme={null}
   service = "gateway" AND severity = "ERROR"
   ```

   The results include 8,700 logs.

3. To submit your query, click **<Icon icon="refresh-cw" />Run** or press
   `Control+Enter` (`Command+Return` on macOS).

   You notice that several logs in the results contain `"Failed to query user by token"`
   in the **Summary** column.

4. Add a full-text string to your search to narrow the scope of your query, and then
   click **<Icon icon="refresh-cw" />Run**:

   ```text theme={null}
   service = "gateway" AND severity = "ERROR" AND "failed to query user by token"
   ```

   The results include 5,400 logs, which is fewer, but still too many.

   In the sidebar, you notice that 75% of the results are for the
   `production-east` Kubernetes cluster.

5. In the sidebar, click `production-east` and then click **Show matching logs**.
   Observability Platform adds the selected key/value to your query:

   ```text theme={null}
   service = "gateway" AND severity = "ERROR" AND "failed to query user by token"
   AND kubernetes.cluster = "production-east"
   ```

   The results include 4,000 logs. To reduce scope, begin drilling into individual logs.

6. Expand individual logs to find commonalities across the data. You realize that the
   same Kubernetes pod is included in many of the logs, so you add that key/value
   pair to your filter:

   ```text theme={null}
   service = "gateway" AND severity = "ERROR" AND "failed to query user by token"
   AND kubernetes.cluster = "production-east"
   AND kubernetes.pod_name = "gateway-6agg9df321-o89ef"
   ```

   The results include fewer than 700 logs, which is 8,000 fewer than your initial
   query.

You identified the individual Kubernetes pod containing the majority of errors for
the `gateway` service so you can inform your team and begin fixing the issue.

## Generate queries from natural language prompts

Chronosphere Observability Platform provides
[generative artificial intelligence](/overview/generative-ai) (AI) tools to generate
queries from natural language prompts. Using natural language, you write what you
want Observability Platform to query, and Observability Platform generates the query
that returns relevant data.

You can generate and refine queries from natural language prompts in Logs Explorer.
Text entry fields that support natural language prompts include an **Edit with AI**
button. To manually edit the generated query, see
[Filter data with basic queries](#filter-data-with-basic-queries).

For more information on how to generate and refine queries with AI, see
[Generate queries using natural language](/investigate/querying/natural-language).

<Warning>
  Generative AI features can produce incorrect results, hallucinate data, and deliver
  inaccurate analysis. Use generative AI features with care, and independently verify
  all information produced by generative AI tools before applying it.

  Certain prompts, data, or other inputs might produce irrelevant content. Don't rely on
  generative AI features or responses for any uses that exceed their designed scope.
</Warning>

## Group and visualize queries

When exploring log data, you might want to group logs by one or more fields. This
capability helps to answer questions such as
*What are the error rates across environments for my service?*

Observability Platform lets you group logs and visualize the results within Logs
Explorer. You can explicitly use the
[`summarize`](/investigate/querying/query-logs/query-syntax) operator in a query,
select a key or value in the sidebar, or choose attributes in an individual log to
group your query results by.

To group and visualize query results:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.

2. Select a field or value to group by, or create a query with the `summarize`
   operator:

   * **Sidebar**: In the sidebar list of fields, expand the key you want to group by,
     hover the pointer over a value, click the <Icon icon="ellipsis-vertical" /> three
     vertical dots icon, and then click **Add to group and visualize**.

   * **Attributes**: Expand an individual log, click any key or value, and then click
     **Add to group and visualize**.

   * **Query box**: Use the [query syntax](/investigate/querying/query-logs/query-syntax)
     to create a query that includes the `summarize` operator. For example, the
     following query searches for logs in a Kubernetes cluster in
     `production-us-west` that contain errors, and then groups the results by
     `service` and `environment`:

     ```text theme={null}
     severity = "ERROR"
     AND kubernetes.cluster_name = "production-us-west"
     | summarize by service, environment
     ```

   When you select a key or value from the sidebar or from an individual log, Logs
   Explorer inserts it into a `summarize` query and visualizes the results.

3. To display results with a different visualization, select one of the
   [available options](#visualization-options). When you select an option, the query
   text is rewritten to match the operator that the visualization requires:

   * Selecting **Bar chart**, **Pie chart**, **Table** or **Stat** appends the
     [`summarize`](/investigate/querying/query-logs/query-syntax#summarize) operator to
     your query.
   * Selecting **List** or **Patterns** strips all aggregation
     [operators](/investigate/querying/query-logs/query-syntax#operators) from your
     query to produce the intended visualization.

   When using a chart, see [common panel elements](/observe/dashboards/panels#common-panel-elements)
   for an explanation of the available tools in the <Icon icon="ellipsis-vertical" />
   three vertical dots menu.

If the results include interesting logs that you want to keep, you can pin those logs
to the top of the query results. Hover the pointer over the log you're interested in
and click the **<Icon icon="pin" /> pin icon**. The log is pinned to the top of
the query results and persists across queries. You can change the time range and
modify your query without losing pinned query results.
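The drill-down from the advanced-query walkthrough and the `summarize` grouping above, replayed as an added Python example (not Chronosphere code) over a small set of constructed logs. The evaluator covers only the query subset this page uses; the field names it assumes (`service`, `severity`, `kubernetes.cluster`, `kubernetes.pod_name`) are taken from the queries shown above.

```python
"""Evaluate the Logs Explorer query subset shown on this page over sample logs.
Constructed example, not Chronosphere code. Supports key = "value", key != "value",
bare "full text" terms, case-insensitive AND/OR (AND binds tighter; adjacent terms
imply AND) and a trailing `| summarize by k1, k2` that counts logs per group."""
import re
from collections import Counter

# Constructed sample logs standing in for the gateway walkthrough on this page.
FIELDS = ("service", "severity", "kubernetes.cluster", "kubernetes.pod_name", "message")
LOGS = [dict(zip(FIELDS, row)) for row in [
    ("gateway", "ERROR", "production-east", "gateway-a", "Failed to query user by token"),
    ("gateway", "ERROR", "production-east", "gateway-a", "Failed to query user by token"),
    ("gateway", "ERROR", "production-east", "gateway-c", "Failed to query user by token"),
    ("gateway", "ERROR", "production-west", "gateway-b", "Failed to query user by token"),
    ("gateway", "ERROR", "production-east", "gateway-c", "upstream timeout"),
    ("gateway", "INFO", "production-east", "gateway-a", "request ok"),
    ("nginx", "ERROR", "production-east", "nginx-z", "Failed to query user by token"),
]]

# quoted string | comparison operator | pipe or comma | key or keyword | anything else
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(!=|=)|(\||,)|([A-Za-z_][\w.]*)|(\S)')


def tokenize(query):
    """Split a query into (kind, text) tokens: 'str', 'op', 'punct' or 'word'."""
    tokens = []
    for text, op, punct, word, bad in TOKEN.findall(query):
        if bad:
            raise ValueError(f"unexpected character {bad!r} in query")
        kind = "op" if op else "punct" if punct else "word" if word else "str"
        tokens.append((kind, op or punct or word or text))
    return tokens


def parse(tokens):
    """Return (or_groups, group_keys); each OR group is a list of AND-ed terms."""
    split = next((i for i, t in enumerate(tokens) if t == ("punct", "|")), len(tokens))
    filt, rest = tokens[:split], tokens[split + 1:]
    or_groups, ands, i = [], [], 0
    while i < len(filt):
        kind, text = filt[i]
        if kind == "word" and text.lower() in ("and", "or"):
            if text.lower() == "or":  # OR closes the current AND group
                or_groups.append(ands)
                ands = []
            i += 1
        elif kind == "str":  # a bare quoted string is a full-text term
            ands.append(("text", None, text))
            i += 1
        elif kind == "word" and [t[0] for t in filt[i + 1:i + 3]] == ["op", "str"]:
            ands.append((filt[i + 1][1], text, filt[i + 2][1]))  # (op, key, value)
            i += 3
        else:
            raise ValueError(f"unexpected token {text!r}")
    or_groups.append(ands)
    if rest and [t[1].lower() for t in rest[:2]] != ["summarize", "by"]:
        raise ValueError("only `| summarize by key, ...` is supported here")
    return or_groups, [t[1] for t in rest[2:] if t != ("punct", ",")]


def matches(log, term):
    op, key, value = term
    if op == "text":  # full text: case-insensitive substring anywhere in the log
        return value.lower() in " ".join(str(v) for v in log.values()).lower()
    return (log.get(key) == value) == (op == "=")


def run_query(query, logs=LOGS):
    """Return matching logs, or per-group counts when the query summarizes."""
    or_groups, keys = parse(tokenize(query))
    hits = [l for l in logs if any(all(matches(l, t) for t in g) for g in or_groups)]
    if not keys:
        return hits
    counts = Counter(tuple(l.get(k) for k in keys) for l in hits)
    return [dict(zip(keys, grp), count=n) for grp, n in counts.most_common()]
```

Each step of the walkthrough is one more `AND` term, and each should return a strict subset of the previous step; an empty query returns every log, matching the default view.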

### Visualization options

The following visualization options are available in Logs Explorer to change how your
query results display.

| Option | Displayed visualization |
| --- | --- |
| **List** | Shows individual log lines in a scrollable, paginated table ordered by timestamp. Each row is a single log event with expandable details. |
| **Time chart** | Displays a line chart with time on the x-axis, showing how a metric (such as `count()`) changes over the selected time range, optionally grouped by a `by` field into multiple series. |
| **Bar chart** | Displays horizontal or vertical bars, where each bar represents a group (from the `by` clause) and bar length represents the aggregated value (such as count per service). Limited to 100 bars. |
| **Pie chart** | Produces a pie chart showing the proportional breakdown of an aggregated value across groups, with percentage and absolute value labels. |
| **Table** | Displays a columnar table of aggregated results displaying one row per unique combination of `by` fields, with columns for each computed metric. Supports sorting and CSV export. Returns the top 100 results by default. To return more results, include the [`limit`](/investigate/querying/query-logs/query-syntax#limit) operator and specify the number of results to return. |
| **Stat** | Shows large single-number tiles, displaying one per group. Ideal for Key Performance Indicators (KPIs) like total error count or request volume per service. |
| **Patterns** | Groups log messages by structural similarity, showing a [log usage pattern](/investigate/analyze/logs-usage), the count of matching logs, and a filter expression to drill into. The displayed patterns are based on available results from the current query in Logs Explorer. To use the pattern in a query, click a pattern and then choose one of these options: <br /><br /> - **Show matching logs** returns all logs that match the pattern. <br /> - **Hide matching logs** returns all logs that don't match the pattern. |

## Save and share queries

You can save queries that you run frequently, capture query results in a dashboard
or notebook, and share links to queries or individual logs to help focus results when
investigating issues.

### Access recent and saved queries

When investigating issues, you might use the same query frequently. Rather than
redefining the query, use recent and saved queries to access previously defined
queries in Observability Platform. You can apply a fully defined query from a
previous time period by clicking a query from the **Examples** tab.

Recent queries are available globally to all users in Observability Platform and
persist for 14 days.

To access recent and saved queries:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.
2. Click **<Icon icon="text-align-start" /> View queries** to display all available queries.
3. Click either the **My recent queries** tab or the **Saved queries** tab to display
   the queries you want to view.
4. Locate the query you want to apply and click it.

The parameters in the query override any parameters in the query box.

### Save a query

You can save queries that you access frequently so they're always available in
Observability Platform. Saved queries are like bookmarks you can reference when you
need them.

To save a query:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.

2. In the query box, [construct your query](#filter-data-with-basic-queries). The
   **Save query** button is unavailable until you run your query.

3. Click **<Icon icon="refresh-cw" />Run** to run your query.

4. Optional: To include summary fields and columns in your saved query, click the
   <Icon icon="ellipsis-vertical" /> three vertical dots icon and select from the
   following options:

   * **Add field to summary**: Include the selected key or value in the **Summary**
     column of the individual log results.
   * **Add field as column**: Adds the selected field as a column in the query
     results.

5. Click **Save query** to save your query.

6. In the **Queries** window, enter a name for your query.

7. If you added fields to the **Summary** column or added a field as a column in the
   query results, enable the **Include summary fields and columns** toggle to include
   those selections in the saved query.

8. Click **Save** to save your query.

Your query displays in the **Saved queries** tab of the **Queries** window. You can
[access your saved queries](#access-recent-and-saved-queries) and apply them at any
time.

### Add query results to a dashboard or notebook

To capture the current query state, including the visualization and time range, use
the page actions above the query results. **Add to dashboard** and **Add to notebook**
are disabled until the query field contains text.

* Click **Add to dashboard** to add the current visualization as a panel on a
  dashboard. For the target dashboard and panel group selection flow, see
  [Copy a panel to a dashboard](/observe/dashboards/panels#copy-a-panel-to-a-dashboard).
* Click **Add to notebook** to add a log volume histogram and a panel that matches
  the selected visualization. See [From Logs Explorer](/navigate/notebooks#from-logs-explorer),
  and [Share a notebook](/navigate/notebooks#share-a-notebook) to give teammates
  access to the same captured state.

### Share a URL to a query

When investigating issues, you might want to share a defined query with other users,
or include a URL to a defined query in monitor annotations, runbooks, or other
on-call tools. Logs Explorer lets you copy a short URL to a defined query using
either a relative or absolute time range.

A relative time range shows the results of a query for a period ending at the current
time, such as the past 30 minutes. An absolute time range is better suited for
comparing results at a fixed point in time, such as the results of a query from last
Monday at 8:00 AM versus that same query run today.

To copy a URL to a defined query:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.
2. [Construct a query](#filter-data-with-basic-queries) that returns the log data you
   want to view.
3. In the main header next to **Logs Explorer**, click
   <Icon icon="link-2" /> **Copy URL** and choose the type of time range to use for the URL:

   * **Copy with absolute time range**: Create a link that runs a query against the
     date and time interval from when you copied the link. For example, if your query
     uses `1h` as the time interval, the time range is exactly one hour ago, based on
     the date and time you ran the query.

   * **Copy with relative time range**: Create a link that runs a query against the
     current time. For example, if your query uses `1h` as the time interval, the
     time range is exactly one hour ago from the current time.

The URL is copied to your clipboard based on your selection.

### Share a URL to a specific log

When troubleshooting issues, you might want to share a link to a specific log with
other users, rather than to a [defined query](#share-a-url-to-a-query).

To copy a URL to a specific log:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.
2. [Construct a query](#filter-data-with-basic-queries) that returns the log data you want to view.
3. Expand an individual log you want to share, and then click <Icon icon="link-2" />
   **Copy URL** to copy a URL to the selected log.

The URL is compressed to a short URL and copied to your clipboard. When another user
opens this URL, the results in Logs Explorer focus on the selected log only.

### Download logs

You can download logs from Logs Explorer with or without defining a
[search query](#filter-data-with-basic-queries). Each download includes up to 10,000
logs, and each log includes the `timestamp` and `_payload` fields.

To customize columns and rows in the downloaded data, use the
[`project`](/investigate/querying/query-logs/query-syntax#project) operator in a
query to display results in tabular format. To customize the tabular data and
complete aggregations in your query, use the
[`summarize`](/investigate/querying/query-logs/query-syntax#summarize) operator. Make
changes as needed, and then download the data.

To download logs:

1. In the navigation menu select
   **<Icon icon="compass" /> Explorers <span aria-label="and then">></span> Logs Explorer**.
2. Optional: [Construct a query](#filter-data-with-basic-queries) that returns the log
   data you want to view.
3. In the logs **Summary**, click the <Icon icon="ellipsis-vertical" /> three
   vertical dots icon, and then click **Download logs**.
4. Select the format for the data you want to download, then click **Download logs**.
