Build basic queries in the Legacy Logs Viewer

This guide shows you how to query log entries by label or text search in the Legacy Logs Viewer basic query interface. For more advanced logs querying options using the Logs Explorer, see Build queries in the Logs Explorer.

Getting started with basic queries

To get started using basic queries in the Legacy Logs Viewer:

  1. Go to the Logging > Logs Explorer page in the Cloud Console.

  2. Select Go back to the Legacy Logs Viewer from the Options drop-down menu.

  3. Select an existing Google Cloud project at the top of the page.

  4. Using the drop-down menu, select the resource whose logs you want to view.

The following screenshot shows the basic query interface. Four log entries from an App Engine application are shown. The second entry has been expanded by clicking its expander arrow.

The user interface showing the basic logs queries options.

The basic query interface has the following major components—indicated by red numbers in the screenshot—some of which are shared with the advanced query interface:

  1. The window tabs let you choose Logs (Legacy Logs Viewer), Metrics (see Logs-based metrics), Exports (see Exporting logs), and Logs ingestion (see Logs exclusions).
  2. The search-query box in the basic logs query interface lets you query log entries by label or text search. The basic query interface is shown, and the drop-down menu lets you switch to the advanced query interface or get a link to your query. Log queries are labelled as "filters" in the user interface, since they let you select a particular set of log entries.
  3. The basic selector menus let you choose resources, logs, and severity levels to display:

    • Resources: The resources available in your current project.
    • Logs: The log types available for the current resources in your project.
    • Log severity: The log severity levels.
  4. The time-range selector drop-down menus let you query for specific dates and times in the logs.

  5. The streaming selector, at the top of the page, controls whether new log entries are displayed as they arrive.

  6. The log-entry table contains the log entries available according to your current queries and custom fields.

  7. The expander arrow in front of each log entry lets you look at the full contents of the entry. For more information, go to expand log entries on this page.

  8. The View Options menu has additional display options.

  9. The Download logs menu lets you download a set of log entries.

  10. The More options displayed with each log entry let you place a pin on the log entry, show the log entry in its resource context, and copy a URL for the log entry to the clipboard.

Lastly, the Legacy Logs Viewer uses the cursor position to highlight the associated log entry and to place a push pin (📌) symbol next to the More options.

Basic searches

In the basic query interface, enter your text in the search-query box and select ENTER. The search returns all log entries that include your search term(s) anywhere, in any field (except timestamp), and in any letter case. The word text: that the Legacy Logs Viewer adds before your search term(s) indicates that this is an "all fields" search.

Following are some common searches, and some that don't do what you expect.

Common basic search examples

Unicorn (text:Unicorn)

Finds all log entries containing unicorn, in any field and in any letter case.

unicorn phoenix (text:unicorn text:phoenix)

Finds all log entries containing unicorn or phoenix, in the same or different field(s). If you want log entries that contain both terms, use the advanced query interface.

"unicorn phoenix" (text:"unicorn phoenix")

Finds all log entries containing unicorn and phoenix in the same field, in any letter case, separated by exactly one space. The basic logs query interface doesn't support searching for "unicorn and phoenix" anywhere in the same field, but the advanced query interface does.

-unicorn (-text:unicorn)

Finds all log entries containing unicorn in any field and in any letter case, and excludes them from your displayed entries. The basic logs query interface doesn't support searching for "-unicorn and -phoenix" in the same or different field(s), but the advanced logs query interface does.

2345 (text:2345)

Finds all log entries containing the string 2345. Numbers within log entries are generally represented as strings, so this matches, for example, 123456.

Searches that don't do what you expect

uni* (text:uni*)

This isn't a regular expression wildcard search. This search finds all log entries containing the 4-character string "uni*". Note that the basic query interface doesn't support regular expression searches and you cannot apply special wildcard characters such as * or ?. To use regular expressions in the advanced query interface, see Querying entries using regular expressions.

2017-02-05 (text:2017-02-05)

This doesn't match log entry timestamps. This search finds all log entries containing the string 2017-02-05 in any field except timestamp. If your log entries contain date strings in their payload or in other fields, then you can search for them. You can also use the Jump to date menu. The advanced logs queries interface lets you use searches that specify a range of timestamps.

200..299 (text:200..299)

This doesn't match 250. The basic query interface search finds log entries containing the 8-character string "200..299". This range notation is only allowed in searches restricted to integer fields. Go to Searching specific fields on this page.

unicorn NOT phoenix (text:unicorn text:NOT text:phoenix)

unicorn OR phoenix (text:unicorn text:OR text:phoenix)

These aren't Boolean text searches, as including Boolean operators (AND, OR, NOT or AND NOT) isn't supported for text searches in the basic logs query. If you include multiple text search terms, the terms are implicitly connected by or. In lieu of the Boolean NOT operator, you can use the - (minus) operator. For details, see Common basic search examples on this page.

Searching specific fields

You can restrict your search to a specific field by adding the field name and a colon in front of your search terms. The field name replaces text: in all-field searches. As you type in the search-query box, you see a list of matching fields:

The search-query box showing matching fields.

In the following examples, status: is the integer HTTP status code and path: is the HTTP path in the request:

Finds log entries whose HTTP path contains query in any letter case; for example, /query or /App/Query/17.

Finds log entries that have a path field. This is a special use of the asterisk (*) character; it isn't generally treated as a special character.

View log entries with a status of (exactly) 200. The search doesn't match, for example, a status of 2000. Since status is known to be an integer field, the comparison is numeric.

Illegal, because status is known to contain an integer.

Finds log entries with an HTTP status of 400 through 499. Ranges are only available for fields known to contain integers. If you use a range for other fields, the range is interpreted as a single string containing . characters.

path:query unicorn

Finds log entries whose path fields contain query and that contain unicorn in any field. Because unicorn isn't preceded by a field name, it is as if you wrote text:unicorn. When you include search terms for different fields, or for fields and text:, the terms are implicitly connected with and.

path:query path:status

Finds log entries whose path field contains query or status. When you include multiple search terms for the same field, the terms are implicitly connected with or.

path:query status:200 path:status status:500..502

Finds log entries that have paths containing query or status, and that have status values of 200, 500, 501, or 502. In other words, or binds more tightly than and, and the order of search terms doesn't matter.
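
The matching rules from the basic-search and specific-field sections above can be modelled in a short Python program, which makes it easy to check why a search selects more or fewer entries than expected. This is an added example, not Google's implementation; the sample entries, their field names, and the INT_FIELDS set are constructed assumptions, and the model follows only the rules stated on this page.

```python
import shlex

INT_FIELDS = {"status"}  # assumption: fields the viewer treats as integers

# Constructed sample entries, not real log data.
ENTRIES = [
    {"timestamp": "2017-02-05T10:00:00Z", "path": "/App/Query/17", "status": 200, "message": "Unicorn sighted"},
    {"timestamp": "2017-02-05T10:00:01Z", "path": "/status", "status": 501, "message": "phoenix NOT ready"},
    {"timestamp": "2017-02-05T10:00:02Z", "path": "/login", "status": 250, "message": "order 123456 uni* ok"},
]

def parse(query):
    """Split a basic query into (negated, field, value) terms."""
    terms = []
    for tok in shlex.split(query):            # keeps "quoted phrases" as one term
        neg = tok.startswith("-")
        tok = tok[1:] if neg else tok
        field, sep, value = tok.partition(":")
        terms.append((neg, field, value) if sep else (neg, "text", tok))
    return terms

def term_matches(entry, field, value):
    if field == "text":                       # every field except timestamp
        return any(value.lower() in str(v).lower()
                   for k, v in entry.items() if k != "timestamp")
    if field in INT_FIELDS and value != "*":
        lo, sep, hi = value.partition("..")
        if not (lo.isdigit() and (hi.isdigit() or not sep)):
            raise ValueError(f"{field}:{value} is illegal for an integer field")
        return field in entry and int(lo) <= entry[field] <= int(hi if sep else lo)
    if field not in entry or value == "*":    # field:* means "has this field"
        return field in entry
    return value.lower() in str(entry[field]).lower()

def matches(entry, query):
    groups, excluded = {}, []
    for neg, field, value in parse(query):
        hit = term_matches(entry, field, value)
        if neg:
            excluded.append(hit)
        else:
            groups.setdefault(field, []).append(hit)
    # Same-field terms are OR'ed, different fields are AND'ed, -terms exclude.
    return all(any(hits) for hits in groups.values()) and not any(excluded)

def search(query):
    """Return the indexes of ENTRIES that the query selects."""
    return [i for i, e in enumerate(ENTRIES) if matches(e, query)]
```

Running search("unicorn NOT phoenix") against these entries returns the phoenix entry as well, which is the behavior described under "Searches that don't do what you expect"; search("unicorn -phoenix") is the form that excludes it.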


If you aren't sure why your search isn't working in the basic logs queries interface, briefly switch to the advanced query interface:

  1. Select Convert to advanced filter using the drop-down menu in the search-query box.

  2. Look at the search-query box to see if it is what you intended.

  3. Return to the basic query interface by using the browser's Back button. Selecting this option returns you to your previous selections in the basic query interface.

  4. If you identified unintended queries in step 2, you can change or clear them in the search-query box, the basic selector menu, or time-range selector menu.

Here are some other reasons you might not see all the log entries you expect:

  • You cannot see log entries that are older than the Logging retention period. See Logs retention periods for the logs retention period in effect.

  • During periods of heavy load there could be delays in sending logs to Logging or in receiving and displaying the logs.

  • The Legacy Logs Viewer doesn't show log entries that have timestamps in the future until the current time has "caught up" with them. This is an unusual situation, probably caused by a time skew in the application sending the logs.