Sample queries

This document provides you with suggested queries to make it easier to find important logs using the Logs Explorer in the Google Cloud console. The listed queries are written in the Logging query language, and they can be used in the Logs Explorer, the Logging API, or the command-line interface.

The Logs Explorer uses Boolean expressions to specify a subset of all the log entries in your project. You can use these queries to choose log entries from specific logs or log services, or that satisfy conditions on metadata or user-defined fields.

Before you begin

Ensure that you have the correct Identity and Access Management permissions or roles for building queries using the Logs Explorer. For details on the necessary IAM permissions, see Permissions for the Google Cloud console.

Get started

In the Google Cloud console, go to the Logs Explorer page:
Go to Logs Explorer

If you use the search bar to find this page, then select the result whose subheading is Logging.
Select the appropriate Google Cloud project or other Google Cloud resource for which you want to view logs.

Use the sample queries

To apply a query from the following tables, click the Content Copy icon for the expression, and then paste the copied expression into the Logs Explorer query-editor field.

The following screenshot illustrates the query pane:

The query editor is showing where to enter a query

If you don't see the query-editor field, enable Show query.

After you review your query expression, click Run query. Logs that match your query are listed under Query results.

Some of the queries listed later on this page include variables that you should replace with valid values. For example, when a query includes logName, then the PROJECT_ID you supply must refer to the selected Google Cloud project; otherwise, the query won't work.

Note the following:

If you have a query with a timestamp, then the time-range selector is disabled, and the query uses the timestamp expression as its time-range restriction. If a query doesn't use a timestamp expression, then the query uses the time-range selector as its time-range restriction.
The length of a query can't exceed 20,000 characters.
The Logging query language is case-insensitive, with the exception of regular expressions.
You can use the log_id function for queries with a log_name expression. For example, the expression log_name="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access" is the same as log_id("cloudaudit.googleapis.com/data_access"). For more information about the log_id function, see Logging query language: Functions.

For instructions about querying in the Google Cloud console, see Build queries in the Logs Explorer.

The following sections group queries by Google Cloud services.

App Engine queries

Query/filter name	Expression
App Engine logs from New Year's Eve (in UTC time)	resource.type="gae_app" AND severity>=ERROR AND timestamp>="2018-12-31T00:00:00Z" AND timestamp<="2019-01-01T00:00:00Z"
App Engine request logs with server errors	resource.type="gae_app" AND log_id("appengine.googleapis.com/request_log") AND httpRequest.status>=500
Sampled HTTP error logs	resource.type="gae_app" AND protoPayload.status >= 400 AND sample(insertId, 0.1)
Search for App Engine trace ID	resource.type="gae_app" AND trace="projects/`PROJECT_ID`/traces/`TRACE_ID`"
App Engine logs	resource.type="gae_app" AND resource.labels.module_id="`MODULE_ID`" AND resource.labels.version_id="`VERSION_ID`"
Recent App Engine deployments	resource.type="gae_app" AND protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName="appengine.googleapis.com"

API enable and disable queries

Query/filter name	Expression
Audit API enable logs	protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.EnableService"
Audit API disable logs	protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.DisableService"

BigQuery queries

Query/filter name	Expression
BigQuery audit logs	resource.type=("bigquery_dataset" OR "bigquery_project") AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a project	resource.type="bigquery_project" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a dataset	resource.type="bigquery_dataset" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for BI Engine Model	resource.type="bigquery_biengine_model" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a Data Transfer Service Run.	resource.type="bigquery_dts_run" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a Data Transfer Service configuration.	resource.type="bigquery_dts_config" AND logName:"cloudaudit.googleapis.com"
BigQuery data transfer service jobs	resource.type=("bigquery_project") AND protoPayload.requestMetadata.callerSuppliedUserAgent= "BigQuery Data Transfer Service" AND protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob" OR "google.cloud.bigquery.v2.JobService.Query")
BigQuery transfer run logs	resource.type="bigquery_dts_config" AND labels.run_id="`RUN_ID`" AND resource.labels.config_id="`CONFIG_ID`"
BigQuery dataset updates	resource.type="bigquery_dataset" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName= "google.cloud.bigquery.v2.DatasetService.UpdateDataset"
BigQuery jobs completed	resource.type="bigquery_project" AND log_id("cloudaudit.googleapis.com/data_access") AND protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob" OR "google.cloud.bigquery.v2.JobService.Query")
BigQuery large queries	resource.type="bigquery_project" AND protoPayload.metadata.jobChange.job.jobStats.queryStats.totalBilledBytes > 1073741824
BigQuery quota exceeded	resource.type=("bigquery_dataset" OR "bigquery_project") AND protoPayload.status.code=8 AND severity>=WARNING
BigQuery query started	resource.type="bigquery_project" AND protoPayload.metadata.jobInsertion.reason:*
BigQuery concurrent load/extract jobs	resource.type="bigquery_resource" AND protoPayload.methodName="jobservice.insert" AND protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query: "extract"

Dataflow queries

Query/filter name	Expression
Errors and warnings in Dataflow workers	resource.type="dataflow_step" AND log_id("dataflow.googleapis.com/worker") AND severity>=WARNING

Dataproc queries

Query/filter name	Expression
Dataproc Apache Hadoop logs	resource.type="cloud_dataproc_cluster" AND jsonPayload.class:"org.apache.hadoop.mapreduce"

Cloud Deployment Manager

Query/filter name	Expression
Deployment Manager errors	resource.type="deployment" AND severity>=ERROR

Cloud Run functions queries

Query/filter name	Expression
Cloud function errors	resource.type="cloud_function" AND log_id("cloudfunctions.googleapis.com/cloud-functions") AND severity>=ERROR

Cloud Monitoring queries

Query/filter name	Expression
Show all notification channel errors	resource.type="stackdriver_notification_channel" AND severity>=ERROR
Show notification channel errors due to throttling	resource.type="stackdriver_notification_channel" AND severity>=ERROR AND jsonPayload.summary="Notification delivery throttled."
Show logs written by the uptime resource	resource.type="uptime_url"
Show requests received from the uptime-check service	"GoogleStackdriverMonitoring-UptimeChecks"

Cloud Run queries

Query/filter name	Expression
Cloud Run logs for a specific job	resource.type="cloud_run_job" AND resource.labels.service_name="`JOB_NAME`"
Cloud Run logs for a specific revision and service	resource.type="cloud_run_revision" AND resource.labels.service_name="`SERVICE_NAME`"

Cloud Source Repositories queries

Query/filter name	Expression
Cloud Source Repository logs	resource.type="csr_repository" AND resource.labels.name="`REPOSITORY_NAME`"

Spanner queries

Query/filter name	Expression
Cloud Spanner logs for a specific spanner instance	resource.type="spanner_instance" AND resource.labels.instance_id="`SPANNER_INSTANCE`"

Cloud SQL queries

Query/filter name	Expression
Cloud SQL audit logs	resource.type="cloudsql_database" AND resource.labels.database_id="`DATABASE_ID`" AND log_id("cloudaudit.googleapis.com/activity")
Cloud SQL MySQL error logs	resource.type="cloudsql_database" AND log_id("cloudsql.googleapis.com/mysql.err")
Cloud SQL MySQL-based databases	resource.type="cloudsql_database" AND resource.labels.database_id="`DATABASE_ID`" AND log_id("cloudsql.googleapis.com/mysql")
Cloud SQL Postgres-based databases	resource.type="cloudsql_database" AND resource.labels.database_id="`DATABASE_ID`" AND log_id("cloudsql.googleapis.com/postgres.log")
Cloud SQL SQL Server error logs	resource.type="cloudsql_database" AND log_id("cloudsql.googleapis.com/sqlserver.err")
Cloud SQL SQL Server-based databases	resource.type="cloudsql_database" AND resource.labels.database_id="`DATABASE_ID`" AND log_id("cloudsql.googleapis.com/sqlagent.out")

Cloud Storage queries

Query/filter name	Expression
GCS bucket logs	resource.type="gcs_bucket" AND resource.labels.bucket_name="`BUCKET_NAME`"
GCS bucket audit logs	resource.type="gcs_bucket" AND logName:"cloudaudit.googleapis.com"
GCS bucket creation logs	resource.type="gcs_bucket" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.method_name="storage.buckets.create"
GCS bucket deletion logs	resource.type="gcs_bucket" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.method_name="storage.buckets.delete"

Cloud Tasks queries

Query/filter name	Expression
Cloud Tasks queue logs	resource.type="cloud_tasks_queue" AND resource.labels.queue_id="`QUEUE_ID`"

Compute Engine queries

Query/filter name	Expression
Compute Engine Admin Activity logs	resource.type="gce_instance" AND log_id("cloudaudit.googleapis.com/activity")
Compute Engine firewall rule deletion	resource.type="gce_firewall_rule" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"firewalls.delete"
Compute Engine VM syslogs	resource.type="gce_instance" AND log_id("syslog")
Compute Engine VM authlogs	resource.type="gce_instance" AND log_id("authlog")
Compute Engine Host Error	resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName:"compute.instances.hostError" OR operation.producer:"compute.instances.hostError") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="`INSTANCE_ID`" severity=INFO
Compute Engine Host Memory Alert	resource.type="gce_instance" AND protoPayload.serviceName="compute.googleapis.com" AND (jsonPayload.methodName:"compute.instances.host_event_notify" OR operation.producer:"compute.instances.host_event_notify") AND log_id("cloudaudit.googleapis.com/host_event_notify") AND resource.labels.instance_id="`INSTANCE_ID`" AND severity=CRITICAL
Compute Engine Host Migrated	resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName: "compute.instances.migrateOnHostMaintenance" OR operation.producer: "compute.instances.migrateOnHostMaintenance") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="`INSTANCE_ID`" severity=INFO
Compute Engine VM Terminated/Preempted	resource.type="gce_instance" protoPayload.methodName=~"compute\.instances\.(guestTerminate\|preempted)" log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="`INSTANCE_ID`"
Compute Engine VM terminated due to Scratch Disk Creation Failure	resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName="compute.instances.scratchDiskCreationFailed" OR operation.producer: "compute.instances.scratchDiskCreationFailed) log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="`INSTANCE_ID`" severity=INFO
Compute Engine VM Instance Created	resource.type="gce_instance" protoPayload.methodName:"compute.instances.insert" log_id("cloudaudit.googleapis.com/activity") protoPayload.request.name="`INSTANCE_NAME`"
Compute Engine VM Instance Deleted with Name	resource.type="gce_instance" protoPayload.methodName:"compute.instances.delete" log_id("cloudaudit.googleapis.com/activity") protoPayload.resourceName:"`INSTANCE_NAME`"
Compute Engine VM Instance Deleted with ID	resource.type="gce_instance" protoPayload.methodName:"compute.instances.delete" log_id("cloudaudit.googleapis.com/activity") resource.labels.instance_id="`INSTANCE_ID`"
Compute Engine VM Instance Restarted	resource.type="gce_instance" protoPayload.methodName=~"compute\.instances\.( stop\|reset\|automaticRestart\|guestTerminate\| instanceManagerHaltForRestart)" (log_id("cloudaudit.googleapis.com/activity") OR log_id("cloudaudit.googleapis.com/system_event")) resource.labels.instance_id="`INSTANCE_ID`"
Compute Engine Shielded VM Boot Integrity Failure	resource.type="gce_instance" log_id("compute.googleapis.com/shielded_vm_integrity") jsonPayload.earlyBootReportEvent.policyEvaluationPassed="false" resource.labels.instance_id="`INSTANCE_ID`"
Compute Engine VM instance stopped by Guest OS	resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName:"compute.instances.guestTerminate" OR operation.producer:"compute.instances.guestTerminate") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="`INSTANCE_ID`" severity=INFO
Compute Engine Shielded VM boot file was blocked	resource.type="gce_instance" log_id("serialconsole.googleapis.com/serial_port_1_output") textPayload:("Security Violation") resource.labels.instance_id="`INSTANCE_ID`"
Persistent Disk Created	resource.type="gce_disk" AND protoPayload.methodName:"compute.disks.insert" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.resourceName: "`PERSISTENT_DISK_NAME`"
Nodes added in Sole Tenant Node	resource.type="gce_node_group" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName=~("compute.nodeGroups.addNodes" OR "compute.nodeGroups.insert") resource.labels.node_group_id="`NODE_GROUP_ID`" severity="INFO"
Autoscale events in Sole Tenant Node	resource.type="gce_node_group" log_id("cloudaudit.googleapis.com/system_event") protoPayload.methodName=~("compute.nodeGroups.deleteNodes" OR "compute.nodeGroups.addNodes") resource.labels.node_group_id="`NODE_GROUP_ID`"
Manual Snapshot Taken	resource.type="gce_snapshot" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.snapshots.insert" protoPayload.resourceName:"`SNAPSHOT_NAME`"
Scheduled Snapshot Taken	resource.type="gce_disk" log_id("cloudaudit.googleapis.com/system_event") protoPayload.methodName="ScheduledSnapshots" protoPayload.response.operationType="createSnapshot" protoPayload.response.targetLink="`PERSISTENT_DISK_NAME`"
Snapshot Schedule Created	resource.type="gce_resource_policy" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.resourcePolicies.insert" protoPayload.request.name="`SCHEDULE_NAME`"
Snapshot Schedule Attached	resource.type="gce_disk" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.disks.addResourcePolicies" protoPayload.request.resourcePolicys:"`SCHEDULE_NAME`" protoPayload.resourceName:"`PERSISTENT_DISK_NAME`"
Quota Exceeded	resource.type="gce_instance" protoPayload.methodName:"compute.instances.insert" protoPayload.status.message:"QUOTA_EXCEEDED" severity=ERROR
Query unhealthy instances in instance group	resource.type="gce_instance_group" resource.labels.instance_group_name="`INSTANCE_GROUP_NAME"` jsonPayload.healthCheckProbeResult.healthState="UNHEALTHY"
Query instance group members within a time frame in UTC time format	resource.type="gce_instance_group_manager" resource.labels.instance_group_manager_name="`INSTANCE_GROUP_NAME`" jsonPayload.@type= "type.googleapis.com/compute.InstanceGroupManagerEvent" jsonPayload.instanceHealthStateChange.detailedHealthState="HEALTHY" timestamp >= `START_TIME` timestamp <= `END_TIME`
Instances removed from Instance Group	resource.type="gce_instance_group" protoPayload.methodName:"compute.instanceGroups.removeInstances" log_id("cloudaudit.googleapis.com/activity") resource.labels.instance_group_name="`INSTANCE_GROUP_NAME`"
Instance template set or updated	resource.type="gce_instance_group_manager" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName= "v1.compute.instanceGroupManagers.setInstanceTemplate" resource.labels.instance_group_manager_name="`INSTANCE_GROUP_MANAGER`"
Firewall rule deleted	resource.type="gce_firewall_rule" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"firewalls.delete"
Firewall logs	resource.type="gce_subnetwork" log_id("compute.googleapis.com/firewall") jsonPayload.instance.vm_name="`INSTANCE_NAME`"

Google Cloud Observability queries

Query/filter name	Expression
Log sink activities	resource.type="logging_sink" AND log_id("cloudaudit.googleapis.com/activity")
Log-based metric create or update activities	resource.type="metric" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:(UpdateLogMetric OR CreateLogMetric)
Uptime URL checks for a host	resource.type="uptime_url" AND resource.labels.host="`URL`"

Query/filter name

Expression

Log sink activities

resource.type="logging_sink" AND
log_id("cloudaudit.googleapis.com/activity")

Log-based metric create or update activities

resource.type="metric" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:(UpdateLogMetric OR CreateLogMetric)

Uptime URL checks for a host

resource.type="uptime_url" AND
resource.labels.host="URL"

Identity and Access Management queries

Query/filter name	Expression
Service account creation logs	resource.type="service_account" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccount"
Service account creation key logs	resource.type="service_account" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"
Set access control policy logs	resource.type="project" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="SetIamPolicy"
External principal granted access to organization	resource.type="project" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.request.@type:"IamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:* AND NOT protoPayload.serviceData.policyDelta.bindingDeltas.member:"@`DOMAIN_NAME`.com"
Resource creation, modification, or deletion	log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:("create" OR "delete" OR "update")
Role granted to principal	log_id("cloudaudit.googleapis.com/activity") AND resource.type="project" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="Add" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:"`EMAIL_ID`"
Role removed from principal	log_id("cloudaudit.googleapis.com/activity") AND resource.type="project" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="Remove" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:"`EMAIL_ID`"
Permission updated in a custom role	log_id("cloudaudit.googleapis.com/activity") AND resource.type="iam_role" AND protoPayload.serviceName="iam.googleapis.com" AND protoPayload.methodName:"UpdateRole" AND resource.labels.role_name:"`ROLE_ID`"

Kubernetes-related queries

For an overview and examples of Admin Activity audit log queries, see those provided on the GKE Audit logging page.

Cluster-level queries

Query/filter name	Expression
Google Kubernetes Engine cluster operations	resource.type="gke_cluster" AND log_id("cloudaudit.googleapis.com/activity")
Google Kubernetes Engine cluster creation	resource.type="gke_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.container.v1.ClusterManager.CreateCluster"
Kubernetes cluster deployment	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"deployments"
Kubernetes cluster authentication failure	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.authenticationInfo.principalEmail="system:anonymous"
Kubernetes cluster operations and events in `us-central1-b`	resource.type="k8s_cluster" AND resource.labels.location="us-central1-b"
Kubernetes pod requests from users	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"io.k8s.core.v1.pods" AND protoPayload.authenticationInfo.principalEmail="`USER_EMAIL`"
Kubernetes events	resource.type="k8s_cluster" AND log_id("events")
Kubernetes Endpoints update	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.request.kind="Endpoints"
Kubernetes control plane logs	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.serviceName="k8s.io"
Kubernetes Engine control plane logs	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.serviceName="container.googleapis.com"
Pod deletion	resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName=~"io\.k8s\.core\.v1\.pods\.(create\|delete)"
Kubernetes pod audit logs from control plane	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.resourceName="core/v1/namespaces/`POD_NAMESPACE`/pods/`POD_NAME`
Kubernetes pod evictions	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="io.k8s.core.v1.pods.eviction.create"
Kubernetes node audit logs from the control plane	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"io.k8s.core.v1.nodes"
Kubernetes cluster control plane for Addon Manager Activity	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.authenticationInfo.principalEmail="system:addon-manager"
Kubernetes control plane errors (excluding `Conflict`, which is normal)	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.status.message!="Conflict" AND protoPayload.status.code!=0
Ingress Controller events	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("events") AND jsonPayload.source.component="loadbalancer-controller"
Service Controller events (kube-controller-manager)	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("events") AND jsonPayload.source.component="service-controller"
Cluster Autoscaler events	resource.type="k8s_cluster" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("events") AND jsonPayload.source.component="cluster-autoscaler"

Pod-level queries

Filter name	Expression
Query pod during creation	resource.type="k8s_pod" AND resource.labels.pod_name="`POD_NAME`" AND log_id("events")
Query pod terminated due to resource pressure	resource.type="k8s_pod" AND log_id("events") AND jsonPayload.reason="Evicted"
Scheduler events	resource.type="k8s_pod" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("events") AND jsonPayload.source.component="default-scheduler"
Scheduler events (preemptions)	resource.type="k8s_pod" AND resource.labels.location="`CLUSTER_LOCATION`" AND resource.labels.cluster_name="`CLUSTER_NAME`" AND log_id("events") AND jsonPayload.source.component="default-scheduler" AND jsonPayload.reason="Preempted"

Node-level queries

Filter name	Expression
Node events	resource.type="k8s_node" AND log_id("events")
Looking at Kube-proxy logs	resource.type="k8s_node" AND log_id("kube-proxy")
Looking at dockerd logs	resource.type="k8s_node" AND log_id("container-runtime")
Looking at kubelet errors or failures	resource.type="k8s_node" AND log_id("kubelet") AND jsonPayload.MESSAGE:("error" OR "fail")
Looking at node logs for GKE system logs	resource.type = "k8s_node" logName:( "logs/container-runtime" OR "logs/docker" OR "logs/kube-container-runtime-monitor" OR "logs/kube-logrotate" OR "logs/kube-node-configuration" OR "logs/kube-node-installation" OR "logs/kubelet" OR "logs/kubelet-monitor" OR "logs/node-journal" OR "logs/node-problem-detector")

Namespace queries

Filter name	Expression
Container and pod logs for GKE system logs	resource.type = ("k8s_container" OR "k8s_pod") resource.labels.namespace_name = ( "cnrm-system" OR "config-management-system" OR "gatekeeper-system" OR "gke-connect" OR "gke-system" OR "istio-system" OR "knative-serving" OR "monitoring-system" OR "kube-system")

Filter name

Expression

Container and pod logs for GKE system logs

resource.type = ("k8s_container" OR "k8s_pod")
resource.labels.namespace_name = (
"cnrm-system" OR
"config-management-system" OR
"gatekeeper-system" OR
"gke-connect" OR
"gke-system" OR
"istio-system" OR
"knative-serving" OR
"monitoring-system" OR
"kube-system")

Container queries

Filter name	Expression
Stdout container logs across all pods and containers in a cluster	resource.type="k8s_container" AND log_id("stdout")
Container error logs across all pods and containers in a cluster	resource.type="k8s_container" AND log_id("stderr") AND severity=ERROR
Container error logs for a pod with a specific name	resource.type="k8s_container" AND resource.labels.pod_name="`POD_NAME`" AND severity=ERROR
Container error logs for a specific container in a specific pod	resource.type="k8s_container" AND resource.labels.pod_name="`POD_NAME`" AND resource.labels.container_name="server" AND severity=ERROR
Container error logs for a specific namespace and container	resource.type="k8s_container" AND resource.labels.namespace_name="istio-system" AND resource.labels.container_name="egressgateway" AND severity=ERROR
Container logs for a pod with a specific label	resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND severity=ERROR
Container error logs for pods running on a specific node	resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=NODE_NAME AND severity=ERROR
Container logs for a pod with a label generated using skaffold	resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND labels."k8s-pod/skaffold_dev/run-id"=`SKAFFOLD_RUN_ID` severity=ERROR
Container error logs for a specific pod containing a `POST` in the textPayload	resource.type="k8s_container" AND resource.labels.pod_name="`POD_NAME`" AND textPayload:"POST" AND severity=ERROR
Container error logs for a specific pod containing a `GET` in the structured JSON	resource.type="k8s_container" AND resource.labels.pod_name="`POD_NAME`" AND jsonPayload."http.req.method"="GET" AND severity=ERROR
Container errors logs in the kube-system namespace	resource.type="k8s_container" AND resource.labels.namespace_name="kube-system" AND severity=ERROR
Container error in the container insights log	resource.type="k8s_container" AND log_id("clouderrorreporting.googleapis.com/insights")
Kubernetes container logs	resource.type="k8s_container" AND resource.labels.container_name="`CONTAINER_NAME`"

Control plane queries

Note: GKE control plane logs must be enabled.

Filter name	Expression
Kubernetes API server logs	resource.type="k8s_control_plane_component" resource.labels.component_name="apiserver" resource.labels.location="`CLUSTER_LOCATION`" resource.labels.cluster_name="`CLUSTER_NAME`"
Kubernetes Scheduler logs	resource.type="k8s_control_plane_component" resource.labels.component_name="scheduler" resource.labels.location="`CLUSTER_LOCATION`" resource.labels.cluster_name="`CLUSTER_NAME`"
Kubernetes Controller Manager logs	resource.type="k8s_control_plane_component" resource.labels.component_name="controller-manager" resource.labels.location="`CLUSTER_LOCATION`" resource.labels.cluster_name="`CLUSTER_NAME`"

Filter name

Expression

Kubernetes API server logs

resource.type="k8s_control_plane_component"
resource.labels.component_name="apiserver"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"

Kubernetes Scheduler logs

resource.type="k8s_control_plane_component"
resource.labels.component_name="scheduler"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"

Kubernetes Controller Manager logs

resource.type="k8s_control_plane_component"
resource.labels.component_name="controller-manager"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"

TPU workload queries

Note: GKE system and workload logging must be enabled.

Filter name	Expression
Stdout container logs across all TPU nodes with the same prefix	resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=~"`TPU_NODE_PREFIX`.*" AND log_id("stdout")
Container error logs across all TPU nodes with the same prefix	resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=~"`TPU_NODE_PREFIX`.*" AND log_id("stderr") AND severity=ERROR
Stdout container logs from the same GKE Job	resource.type="k8s_container" AND labels."k8s-pod/batch.kubernetes.io/job-name" = "`JOB_NAME`" AND log_id("stdout")
Container error logs from the same GKE Job	resource.type="k8s_container" AND labels."k8s-pod/batch.kubernetes.io/job-name"="`JOB_NAME`" AND log_id("stderr") AND severity=ERROR
Stdout container logs from the same GKE JobSet	resource.type="k8s_container" AND labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="`JOBSET_NAME`" AND log_id("stdout")
Container error logs from the same GKE JobSet	resource.type="k8s_container" AND labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="`JOBSET_NAME`" AND log_id("stderr") AND severity=ERROR

Third-party application queries

The following queries use the default log IDs for logs collected by the legacy Logging agent. If you are collecting logs by using the Ops Agent, then the log names might be configured differently. For more information about the Ops Agent and application logs, see Collect logs from third-party applications.

Query/filter name	Expression
Apache logs	resource.type="gce_instance" AND (logName:"/apache-access" OR logName:"/apache-error")
Cassandra logs	resource.type="gce_instance" AND log_id("cassandra")
Chef logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/chef-"
Gitlab logs	resource.type="gce_instance" logName:"projects/`PROJECT_ID`/logs/gitlab-"
Jenkins logs	resource.type="gce_instance" AND log_id("jenkins")
Jetty logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/jetty-"
Joomla logs	resource.type="gce_instance" AND log_id("joomla")
Linux syslogs	resource.type="gce_instance" AND log_id("syslog")
Magneto logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/magneto-"
Mediawiki logs	resource.type="gce_instance" AND log_id("mediawiki")
memcached logs	resource.type="gce_instance" AND log_id("memcached")
MongoDB logs	resource.type="gce_instance" AND log_id("mongodb")
MySQL logs	resource.type="gce_instance" AND log_id("mysql")
Nginx logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/nginx-"
PostgreSQL logs	resource.type="gce_instance" AND log_id("postgresql")
Puppet logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/puppet-"
RabbitMQ logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/rabbitmq-"
Redmine logs	resource.type="gce_instance" AND log_id("redmine")
Salt logs	resource.type="gce_instance" AND logName:"projects/`PROJECT_ID`/logs/salt-"
Slow MySQL queries	resource.type="gce_instance" AND log_id("mysql-slow")
Solr logs	resource.type="gce_instance" AND log_id("solr")
SugarCRM logs	resource.type="gce_instance" AND log_id("sugarcrm")
Tomcat logs	resource.type="gce_instance" AND log_id("tomcat")
Zookeeper logs	resource.type="gce_instance" AND log_id("zookeeper")

Networking queries

Query/filter name	Expression
Firewall- all logs	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall")
Firewall logs for a given country	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND jsonPayload.remote_location.country=`COUNTRY_ISO_ALPHA_3`
Firewall logs from a VM	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND jsonPayload.instance.vm_name="`INSTANCE_NAME`"
Firewall subnet logs	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND resource.labels.subnetwork_name="`SUBNET_NAME`"
Compute Engine subnetwork traffic logs to a subnet	resource.type="gce_subnetwork" AND ip_in_net(jsonPayload.connection.dest_ip, "`SUBNET_IP`")
VPC Flow logs	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows")
VPC Flow logs for specific port and protocol	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND jsonPayload.connection.src_port="`PORT_ID`" AND jsonPayload.connection.protocol="`PROTOCOL`"
VPC Flow logs for specific subnet	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND resource.labels.subnetwork_name"=`SUBNET_NAME`"
VPC Flow logs for specific subnet prefix	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND ip_in_net(jsonPayload.connection.dest_ip,`SUBNET_IP`)
VPC Flow logs for a specific VM	resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND jsonPayload.src_instance.vm_name="`VM_NAME`"
VPN gateway logs	resource.type="vpn_gateway" AND resource.labels.gateway_id="`GATEWAY_ID`"
HTTP Load Balancer 5xx errors	resource.type="http_load_balancer" AND httpRequest.status>=500
HTTP Load Balancer requests to PHPMyAdmin	resource.type="http_load_balancer" AND httpRequest.request_url:"phpmyadmin"

Security queries

Query/filter name	Expression
Audit logs—all	logName:"cloudaudit.googleapis.com"
Audit logs- Access Transparency (AXT)	log_id("cloudaudit.googleapis.com/access_transparency")
Audit logs- Admin Activity	log_id("cloudaudit.googleapis.com/activity")
Audit logs- Data Access	log_id("cloudaudit.googleapis.com/data_access")
Audit logs- System Event	log_id("cloudaudit.googleapis.com/system_event")

Troubleshooting

For instructions about troubleshooting common issues when using the Logs Explorer, see Using the Logs Explorer: Troubleshooting.

What's next

For more information about the query syntax, which you can use to customize these queries, see Logging query language.

For more information about querying in the Google Cloud console, see Build queries by using the Logging query language.