Sumo Logic

1.1 You want to see only error messages

Problem

A log, such as an Apache access log, contains thousands of messages. You want to see only messages that indicate errors.

Solution

The simplest query, a keyword expression search, finds log messages that contain a word such as "error" and thereby skips messages that are not related to errors. Use this search to find all messages containing the word error:

error

To find messages that contain error, fail, fails, or failure, use this search:

fail* OR error

Discussion

Searching for more than one word finds only log messages that contain all of those words. For example, this query reports only messages that contain both "fail" AND "error":

fail error

Because of this, adding more words to a simple search will select fewer and fewer log messages. A multi-term query using OR, such as "fail OR error OR deny," will match more log messages.

A keyword expression search finds messages containing any string of characters. Use the "*" wildcard character to match word fragments, as fail* does above, so that fail, fails, and failure are all found.

The keyword expression must come first in a query; operators follow it after a pipe (|). For example, this sorts the results by the time each log message was received:

fail* OR error | sort by _messageTime
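The matching rules above (several words mean all must be present, OR widens the match, "*" matches word fragments, and a pipe introduces operators such as sort by _messageTime), as an added example that models them in Python over a constructed five-line log; this is not Sumo Logic's own matching code, and the whole-token, case-insensitive matching and the assumption that an implicit AND binds tighter than OR are this model's simplifications:

```python
import re

# Constructed sample log (not real data): (_messageTime as ISO text, message).
# Receipt times are deliberately out of order so the sort step is visible.
SAMPLE_LOG = [
    ("2024-05-01T10:00:03", 'GET /index.html 200 "ok"'),
    ("2024-05-01T10:00:01", "POST /login 401 authentication failure for user bob"),
    ("2024-05-01T10:00:02", "GET /api/items 500 internal error"),
    ("2024-05-01T10:00:04", "GET /health 200 check passed"),
    ("2024-05-01T10:00:00", "PUT /upload 503 error: backend write fail"),
]

def term_pattern(term):
    """Model one keyword: case-insensitive whole-token match, where '*' stands
    for any run of word characters (assumed model, not Sumo Logic's tokenizer)."""
    pieces = [re.escape(p) for p in term.split("*")]
    return re.compile(r"\b" + r"\w*".join(pieces) + r"\b", re.IGNORECASE)

def keyword_match(expr, message):
    """'a b' requires both words; 'a OR b' requires either.
    The implicit AND is assumed to bind tighter than OR."""
    for branch in re.split(r"\s+OR\s+", expr.strip()):
        terms = branch.split()
        if terms and all(term_pattern(t).search(message) for t in terms):
            return True
    return False

def run_query(query, log=SAMPLE_LOG):
    """Keyword expression first, then an optional '| sort by _messageTime'."""
    keyword, _, operators = query.partition("|")
    hits = [entry for entry in log if keyword_match(keyword, entry[1])]
    if operators.strip().lower() == "sort by _messagetime":
        hits.sort(key=lambda entry: entry[0])
    return hits

if __name__ == "__main__":
    # Adding a word narrows the result set; OR widens it.
    for q in ("error", "fail error", "fail* OR error",
              "fail* OR error | sort by _messageTime"):
        print(f"{q!r}: {len(run_query(q))} hit(s)")
```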