Query Syntax

The Loguro filter bar is a mini human friendly query language and command executor. It handles simple text searches, structured field filters, time ranges, command-style analytics, platform commands like --download --download:list or --task:jira --send:slack#team ant many more — all in a single input.

Text search

Type anything to search across log messages:

message:"auth failed"

Global search

Search across message and all context values at once — useful when you don’t know which field contains the term:

search:"stripe"
search:timeout
search:"payment failed"|"checkout error"

Multiple terms are OR-ed together. Unlike message:, this also scans every key inside the context object.

Level filters

Filter by one or more log levels:

level:error
level:error|warning
!level:debug

The | operator means OR. The ! prefix negates (exclude that level).

Message filters

Match against the message field. Multiple terms are OR-ed together:

message:"timeout"
message:"db error"|"cache miss"
!message:"healthcheck"

Trace ID

Find all logs belonging to a distributed trace:

trace:"abc123def456"
trace:"id1"|"id2"
!trace:"abc123"

Context filters

Any key inside the context object is filterable using dot notation:

context.userId:42
context.env:"production"
context.gateway:"stripe"
!context.env:"staging"

For context keys that contain dots, use bracket notation:

context.svc["k.with.dot"]:value

Comparison operators

Context filters accept comparison operators for numeric or relative matches:

context.duration:>500
context.status:>=400
context.retryCount:<3
context.code:!=200

Operators: = (default), !=, >, <, >=, <=. Numeric values are auto-cast — 9 > 100 won’t lexically misbehave.

Array elements

Index into an array by position with [N], or match any element with [*]:

context.items[0].name:"foo"
context.attributes[*].key:"service.name"
context.spans[*].duration:>500

[*] matches if any element in that array satisfies the comparison. Works with =, !=, and numeric operators (>, <, >=, <=).

Stringified JSON values

Some logs contain JSON inside a string field (e.g. an OTel payload sent as context.json). Use :: to mark the boundary where the engine should re-parse:

context.json::resourceLogs[*].resource.attributes[*].key:"service.name"

Each :: adds one extra JSON unwrap. The segment before :: cannot itself use [*] (you can’t reparse multiple strings at once).

Tip: clicking the + icon next to a value in the right-side context panel auto-builds the correct filter — including [*] for arrays and :: for stringified JSON boundaries.

Time ranges

Use shorthand labels for common windows:

@today
@last-24h
@last-7d
@last-1h

Or specify explicit boundaries:

from:2026-01-01 with time: from:2026-01-01:10:05 to:2026-01-01:15:30
to:2026-03-31
from:2026-01-01 to:2026-03-31
from:"3 days ago" to:"yesterday at 10:00"

Excluding time ranges

Negate any time form with ! to exclude that window from results:

!@yesterday
!@last-1h
!from:"2 days ago"
!to:2026-01-15

Pagination

Page through large result sets:

show:100
page:3
show:50 page:2

show is per-page (default 50); page is 1-indexed.

Command flags

Commands start with -- and trigger analytics or actions.

Count

--count

Shows the total number of logs matching your current filters.

Presets

Quick level presets expand to the full filter:

--errors
--warn
--debug
--info
--critical

Time presets:

--today
--last-1h
--last-7d

Top values

Find the most common values for any field:

--top:level
--top:context.status
--top:context.gateway

Unique values

Count distinct values for a field:

--unique:context.userId
--unique:context.region

Slow requests

Find logs where context.duration exceeds a threshold (default 1000ms):

--slow
--slow:500

Rate

Display log rate over time (logs per minute):

--rate

Sample

Randomly pick N logs from the matching result set:

--sample
--sample:25

Memory

Switch the log source to forever memory — logs saved when creating issues, which survive your plan’s retention window:

--memory
message:"payment failed" --memory
--memory --count

See Memory & Forever Logs for details.

Download

Export matching logs as a file:

--download
--download:csv
--download:list

Downloads default to Parquet format. --download:csv enforces CSV output. Add :Nh to set expiry hours (default 24):

--download:48h
--download:csv:72h

Severity

Show the level distribution widget for the current filter set:

--severity

Diff

Compare patterns between two time ranges. Accepts one or two baselines:

--diff:yesterday
--diff:2-days-ago:yesterday
--diff:yesterday:sensitivity=high
--diff:last-7d:spike=200:drop=50

Returns new patterns, spikes, drops, and steady patterns relative to the baseline. Sensitivity tunes the threshold; spike=N/drop=N set explicit percentage cutoffs.

Grouping

Pattern grouping is on by default — similar logs collapse into a single row with a count. Override per query, or save the override as the project’s default:

--no-group
--no-group:save
--group:save

Investigated logs

Filter to only logs that have an AI investigation attached:

--investigate:list
level:error --investigate:list

Separate message JSON

Some apps log a JSON payload as the message string. Extract it into the context tree for filtering:

--separate::message
--separate::message:save
--no-separate::message

Replay

Replay the matching logs as a live stream for the selected time range:

--replay
--replay:2x
--replay:0.5x

Live stream

Toggle the WebSocket live tail for the current view:

--live
--live:on
--live:off

Timeline & chart

Visualize log volume over time:

--timeline
--chart

Combining filters

All filters compose with AND semantics by default. The following finds error logs from Stripe in the last 24 hours:

level:error context.gateway:stripe @last-24h --count

Add --top:context.errorCode to see which error codes are most common:

level:error context.gateway:stripe @last-24h --top:context.errorCode

Saved views

Save any filter query as a named view from the bookmark icon in the filter bar. Use #slug to expand a saved view inline:

#stripe-errors

Or reference it explicitly:

--view:stripe-errors

To save a view you can write your filters and include the save command.

level:error context.gateway:stripe @last-24h --save:<name>

Pipe chains

Use > to chain two commands in sequence. The left side executes first, then the right side runs with its result.

--project::create > --keys::create:prod

This creates a new project, then immediately creates an API key named prod scoped to it.

--task:linear > --send:discord

Creates a Linear issue from the current log context, then sends a Discord notification.

Chains are evaluated left-to-right. The > operator passes context between commands — the right side receives the output of the left.

// related

See also

features

Saved Views

Save and reuse filter queries as named views across your project.

features/saved-views
tui

Search & filtering

The TUI filter bar uses the same query language as the web console.

tui/search
cli

Commands overview

Every loguro subcommand grouped by purpose, with a one-line summary.

cli/commands
cli

Querying logs

Filter, tail, count, and search your logs from the terminal.

cli/querying