Sample queries using Logs Viewer (Preview)

This page provides you with suggested queries to make it easier to find important logs using the Logs Viewer (Preview) in the Google Cloud Console.

All listed queries can be applied in the Logs Viewer (both Classic and Preview versions), the Logging API, or the command-line interface, but this page focuses on using the queries in the Logs Viewer (Preview).

The Logs Viewer uses Boolean expressions to specify a subset of all the log entries in your project. You can use these queries to choose log entries from specific logs or log services, or that satisfy conditions on metadata or user-defined fields. For more information about querying, go to Building queries.

Getting started

To navigate to the Logs Viewer (Preview), do the following:

Go to the Google Cloud navigation menu and select Logging > Logs Viewer:
Go to the Logs Viewer
Select a Google Cloud project.
From the version-picker menu, switch the Logs Viewer version from Classic to Preview the new Logs Viewer.

You're now in Logs Viewer (Preview).

Using the sample queries

To apply a query from the following tables, copy an expression by clicking the clipboard icon at the end of any expression's row and then paste the copied expression into the Query builder text box:

The query builder text box is showing where to enter a query

After you enter your expression, click Run query. Logs that match your query are listed under Query results.

Some of the queries listed later on this page include variables (indicated by brackets []) that you should replace with valid values. For example, when a query includes logName, then the [PROJECT_ID] you supply must refer to the currently selected Google Cloud project; otherwise, the query won't work. For more information, go to Troubleshooting.

Tip: You can use the log_id function for queries with a log_name expression. For example, the expression log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access is the same as log_id("cloudaudit.googleapis.com/data_access"). For more information on the log_id function, go to the Functions section on the Logging query language page.

The following sections group queries by Google Cloud services.

App Engine queries

Filter name	Expression
App Engine logs from New Year's Eve (in UTC time)	resource.type="gae_app" AND severity>=ERROR AND timestamp>="2018-12-31T00:00:00Z" AND timestamp<="2019-01-01T00:00:00Z"
App Engine request logs with server errors	resource.type="gae_app" AND log_name="projects/`[PROJECT_ID]`/logs/appengine.googleapis.com%2Frequest_log" AND http_request.status>=500
Sampled HTTP error logs	resource.type="gae_app" AND proto_payload.status >= 400 AND sample(insertId, 0.1)
Search for App Engine trace ID	resource.type="gae_app" AND trace="projects/`[PROJECT_ID]`/traces/`[TRACE_ID]`"

BigQuery queries

Filter name	Expression
BigQuery audit logs	resource.type="bigquery_resource" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com"
BigQuery data transfer service jobs	resource.type="bigquery_resource" AND proto_payload.request_metadata.caller_supplied_user_agent="BigQuery Data Transfer Service" AND proto_payload.method_name="jobservice.insert"
BigQuery dataset updates	resource.type="bigquery_resource" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="datasetservice.update"
BigQuery jobs completed	resource.type="bigquery_resource" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Fdata_access" AND proto_payload.method_name="jobservice.jobcompleted"
BigQuery large queries	resource.type="bigquery_resource" AND proto_payload.method_name="jobservice.jobcompleted" AND proto_payload.service_data.job_completed_event.job.job_statistics.total_billed_bytes>1073741824
BigQuery quota exceeded	resource.type="bigquery_resource" AND proto_payload.status.code=8 AND severity>=WARNING
BigQuery query started	resource.type="bigquery_resource" AND proto_payload.method_name="jobservice.insert"

Dataflow queries

Filter name	Expression
Errors and warnings in Dataflow workers	resource.type="dataflow_step" AND log_name="projects/`[PROJECT_ID]`/logs/dataflow.googleapis.com%2Fworker" AND severity>=WARNING

Dataproc queries

Filter name	Expression
Dataproc Apache Hadoop logs	resource.type="cloud_dataproc_cluster" AND json_payload.class:"org.apache.hadoop.mapreduce"

Cloud Deployment Manager

Filter name	Expression
Deployment Manager errors	resource.type="deployment" AND severity>=ERROR

Cloud Functions queries

Filter name	Expression
Cloud function errors	resource.type="cloud_function" AND log_name="projects/`[PROJECT_ID]`/logs/cloudfunctions.googleapis.com%2Fcloud-functions" AND severity>=ERROR

Cloud Identity and Access Management queries

Filter name	Expression
Service account creation logs	resource.type="service_account" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="google.iam.admin.v1.CreateServiceAccount"
Service account creation key logs	resource.type="service_account" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="google.iam.admin.v1.CreateServiceAccountKey"
Set access control policy logs	resource.type="project" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="SetIamPolicy"
External member granted access to organization	resource.type="project" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND proto_payload.request.@type:"IamPolicy" AND proto_payload.service_data.policy_delta.binding_deltas.member:* AND NOT proto_payload.service_data.policy_delta.binding_deltas.member:"@`[DOMAIN_NAME]`.com"

Cloud Source Repositories queries

Filter name	Expression
Cloud Source Repository logs	resource.type="csr_repository" AND resource.labels.name="`[REPOSITORY_NAME]`"

Cloud Spanner queries

Filter name	Expression
Cloud Spanner logs for a specific spanner instance	resource.type="spanner_instance" AND resource.labels.instance_id="`[SPANNER_INSTANCE]`"

Cloud SQL queries

Filter name	Expression
Cloud SQL audit logs	resource.type="cloudsql_database" AND resource.labels.database_id="`[DATABASE_ID]`" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Cloud SQL MySQL error logs	resource.type="cloudsql_database" AND log_name="projects/`[PROJECT_ID]`/logs/cloudsql.googleapis.com%2Fmysql.err"
Cloud SQL MySQL-based databases	resource.type="cloudsql_database" AND resource.labels.database_id="`[DATABASE_ID]`" AND log_name="projects/`[PROJECT_ID]`/logs/cloudsql.googleapis.com%2Fmysql"
Cloud SQL Postgres-based databases	resource.type="cloudsql_database" AND resource.labels.database_id="`[DATABASE_ID]`" AND log_name="projects/`[PROJECT_ID]`/logs/cloudsql.googleapis.com%2Fpostgres.log"

Compute Engine queries

Filter name	Expression
Google Compute Engine Admin Activity logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Google Compute Engine firewall rule deletion	resource.type="gce_firewall_rule" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name:"firewalls.delete"
Google Compute Engine legacy activity logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Factivity_log"
Google Compute Engine VM syslogs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/syslog"

Cloud Storage queries

Filter name	Expression
GCS bucket logs	resource.type="gcs_bucket" AND resource.labels.bucket_name="`[BUCKET_NAME]`"
GCS bucket audit logs	resource.type="gcs_bucket" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com"
GCS bucket creation logs	resource.type="gcs_bucket" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="storage.buckets.create"
GCS bucket deletion logs	resource.type="gcs_bucket" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name="storage.buckets.delete"

Cloud Tasks queries

Filter name	Expression
Cloud Tasks queue logs	resource.type="cloud_tasks_queue" AND resource.labels.queue_id="`[QUEUE_ID]`"

Kubernetes-related queries

For examples of Admin Activity audit log queries, see those provided on the GKE Accessing audit logs page.

Cluster-level queries

Filter name	Expression
Google Kubernetes Engine cluster operations	resource.type="gke_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Google Kubernetes Engine cluster creation	resource.type="gke_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.method_name="google.container.v1.ClusterManager.CreateCluster"
Kubernetes cluster deployment	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.method_name:"deployments"
Kubernetes cluster authentication failure	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.authentication_info.principal_email="system:anonymous"
Kubernetes cluster write-requests to a secret	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.method_name="io.k8s.core.v1.secrets" NOT protoPayload.method_name="get" NOT protoPayload.method_name="list" NOT protoPayload.method_name="watch"
Kubernetes clusters in `us-central1-b`	resource.type="k8s_cluster" AND resource.labels.location="us-central1-b"
Kubernetes container guestbook logs	resource.type="k8s_container" AND resource.labels.cluster_name="guestbook"
Kubernetes pod requests from users	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.method_name:"io.k8s.core.v1.pods" AND protoPayload.authentication_info.principal_email="`[USER_EMAIL]`"
Kubernetes events	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/events"
Kubernetes Endpoints update	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.request.kind="Endpoints"
Kubernetes control plane logs	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="k8s.io"
Kubernetes Engine control plane logs	resource.type="k8s_cluster" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="container.googleapis.com"
Pod deletion	resource.type="k8s_cluster" AND protoPayload.methodName=~"io.k8s.core.v1.pods.(create\|delete)" log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Query pod during creation	resource.type="k8s_pod" AND log_name="projects/`[PROJECT_ID]`/logs/events" AND resource.labels.pod_name=`"[POD_NAME]"`

Node-level queries

Filter name	Expression
Node events	resource.type="k8s_node" AND log_name="projects/`[PROJECT_ID]`/logs/events"
Looking at Kube-proxy logs	resource.type="k8s_node" AND log_name="projects/`[PROJECT_ID]`/logs/kube-proxy"
Looking at dockerd logs	resource.type="k8s_node" AND log_name="projects/`[PROJECT_ID]`/logs/container-runtime"
Looking at kubelet errors or failures	resource.type="k8s_node" AND log_name="projects/`[PROJECT_ID]`/logs/kubelet" AND jsonPayload.MESSAGE:("error" OR "fail")

Container queries

Filter name	Expression
Container error logs across all pods and containers in a cluster	resource.type="k8s_container" AND log_name="projects/`[PROJECT_ID]`/logs/stderr" AND severity=ERROR
Stdout container logs across all pods and containers in a cluster	resource.type="k8s_container" AND log_name="projects/`[PROJECT_ID]`/logs/stdout"
Container error logs for a pod with a specific name	resource.type="k8s_container" AND resource.labels.pod_name=`"[POD_NAME]"` AND severity=ERROR
Container error logs for a specific container in a specific pod	resource.type="k8s_container" AND resource.labels.pod_name=`"[POD_NAME]"` AND resource.labels.container_name="server" AND severity=ERROR
Container error logs for a specific namespace and container	resource.type="k8s_container" AND resource.labels.namespace_name="istio-system" AND resource.labels.container_name="egressgateway" AND severity=ERROR
Container logs for a pod with a specific label	resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND severity=ERROR
Container logs for a pod with a label generated using skaffold	resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND labels."k8s-pod/skaffold_dev/run-id"=`[SKAFFOLD_RUN_ID]` AND severity=ERROR
Container error logs for a specific pod containing a POST in the textPayload	resource.type="k8s_container" AND resource.labels.pod_name=`"[POD_NAME]"` AND textPayload:"POST" AND severity=ERROR
Container error logs for a specific pod containing a GET in the structured JSON	resource.type="k8s_container" AND resource.labels.pod_name=`"[POD_NAME]"` AND jsonPayload."http.req.method"="GET" AND severity=ERROR
Container errors logs in the kube-system namespace	resource.type="k8s_container" AND resource.labels.namespace_name="kube-system" AND severity=ERROR
Container error in the container insights log	resource.type="k8s_container" AND log_name="projects/`[PROJECT_ID]`/logs/clouderrorreporting.googleapis.com%2Finsights"

Logging agent application queries

Filter name	Expression
Apache logs	resource.type="gce_instance" AND (log_name:"/apache-access" OR log_name:"/apache-error")
Cassandra logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/cassandra"
Chef logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/chef-"
Gitlab logs	resource.type="gce_instance" log_name:"projects/`[PROJECT_ID]`/logs/gitlab-"
Jenkins logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/jenkins"
Jetty logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/jetty-"
Joomla logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/joomla"
Linux syslogs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/syslog"
Magneto logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/magneto-"
Mediawiki logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/mediawiki"
memcached logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/memcached"
MongoDB logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/mongodb"
MySQL logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/mysql"
Nginx logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/nginx-"
Postgresql logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/postgresql"
Puppet logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/puppet-"
RabbitMQ logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/rabbitmq-"
Redmine logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/redmine"
Salt logs	resource.type="gce_instance" AND log_name:"projects/`[PROJECT_ID]`/logs/salt-"
Slow MySQL queries	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/mysql-slow"
Solr logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/solr"
SugarCRM logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/sugarcrm"
Tomcat logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/tomcat"
Zookeeper logs	resource.type="gce_instance" AND log_name="projects/`[PROJECT_ID]`/logs/zookeeper"

Networking queries

Filter name	Expression
Firewall- all logs	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Ffirewall"
Firewall logs by country	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Ffirewall" AND json_payload.remote_location.country=`[COUNTRY_ISO_ALPHA_3]`
Firewall logs by VM	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Ffirewall" AND json_payload.instance.vm_name="`[INSTANCE_NAME]`"
Firewall subnet logs	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Ffirewall" AND resource.labels.subnetwork_name="`[SUBNET_NAME]`"
Compute Engine subnetwork traffic logs to a subnet	resource.type="gce_subnetwork" AND ip_in_net(json_payload.connection.dest_ip, "`[SUBNET_IP]`")
VPC Flow logs	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Fvpc_flows"
VPC Flow logs for specific port and protocol	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Fvpc_flows" AND json_payload.connection.src_port="`[PORT_ID]`" AND json_payload.connection.protocol="`[PROTOCOL]`"
VPC Flow logs for specific subnet	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Fvpc_flows" AND resource.labels.subnetwork_name"=`[SUBNET_NAME]`"
VPC Flow logs for specific subnet prefix	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Fvpc_flows" AND ip_in_net(json_payload.connection.dest_ip,`[SUBNET_IP]`)
VPC Flow logs for specific VMs	resource.type="gce_subnetwork" AND log_name="projects/`[PROJECT_ID]`/logs/compute.googleapis.com%2Fvpc_flows" AND json_payload.src_instance.vm_name="`[VM_NAME]`"
VPN gateway logs	resource.type="vpn_gateway" AND resource.labels.gateway_id="`[GATEWAY_ID]`"
HTTP Load Balancer 5xx errors	resource.type="http_load_balancer" AND http_request.status>=500
HTTP Load Balancer requests to PHPMyAdmin	resource.type="http_load_balancer" AND http_request.request_url:"phpmyadmin"

Security logging queries

Filter name	Expression
Audit logs- all	log_name:"projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com"
Audit logs- Access Transparency (AXT)	log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Faccess_transparency"
Audit logs- Admin Activity	log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Audit logs- Data Access	log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Fdata_access"
Audit logs- System Event	log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Fsystem_event"

Google Cloud's operations suite queries

Filter name	Expression
Log sink activities	resource.type="logging_sink" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity"
Log-based metric create or update activities	resource.type="metric" AND log_name="projects/`[PROJECT_ID]`/logs/cloudaudit.googleapis.com%2Factivity" AND proto_payload.method_name:(UpdateLogMetric OR CreateLogMetric)
Uptime URL checks for a host	resource.type="uptime_url" AND resource.labels.host="`[URL]`"

Filter name

Expression

Log sink activities

resource.type="logging_sink" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"

Log-based metric create or update activities

resource.type="metric" AND
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" AND
proto_payload.method_name:(UpdateLogMetric OR CreateLogMetric)

Uptime URL checks for a host

resource.type="uptime_url" AND
resource.labels.host="[URL]"

Troubleshooting

For more information about the query syntax and troubleshooting instructions, go to Building queries: Troubleshooting.

What's next

For more information about the query syntax, which you can use to customize these queries, review Building queries.