Log Query Reference for Connector Hub

Understand what's supported when querying a source log in a connector (Oracle Cloud Infrastructure Connector Hub service).

Connector Hub supports a subset of the Logging Query Language Specification. Use this supported subset when filtering a Logging source for a connector.

Note

In the Console, filter source logs under Log filter task on the Create connector or Edit connector page. For more information, see Creating a Connector with a Logging Source.

Stream expressions are limited to the following streaming operators:

  • search: Constructs a log stream from actual log objects.
  • where: Filters the current log stream using a Boolean expression. You can use AND and OR operators.
    Note

    To use an OR operator in the Console, click Switch to advanced mode.

Examples

Many log streams

search "<compartment_OCID>/loggroup1/logname1" "<compartment_OCID>/loggroup2/logname2" "<compartment_OCID>/loggroup3/logname3"

Where clause

search "<compartment_OCID>/Audit"
  | where type = 'com.oraclecloud.objectstorage.deleteobject'

Output:

{"specversion": "1.0", "type": "com.oraclecloud.objectstorage.deleteobject", "source": "<compartment_OCID>/myBucket",.....}

Hidden where clause

search "<compartment_OCID>"
| level='ERROR'

Where clause with OR operator

Note

To use an OR operator in the Console, click Switch to advanced mode.

search "<compartment_OCID>/Audit"
| where type='com.oraclecloud.objectstorage.deleteobject' or 'com.oraclecloud.objectstorage.getobject'
| where source='myBucket'

Output:

{"specversion": "1.0", "type": "com.oraclecloud.objectstorage.deleteobject", "source": "<compartment_OCID>/myBucket",.....}
{"specversion": "1.0", "type": "com.oraclecloud.objectstorage.getobject", "source": "<compartment_OCID>/myBucket",.....}

Where clause with both OR and AND operators

Note

To use an OR operator in the Console, click Switch to advanced mode.

search "<compartment_OCID>"
| where type='com.oraclecloud.functions.application.functioninvoke' or 'com.oraclecloud.objectstorage.listbuckets'
| where source='my-application'
| sort by datetime desc

Where clause with wildcard operator

logContent returns any log line with a matching string. The asterisk (*) acts as a wildcard.

search "<compartment_OCID>"
| where logContent='*ERR*'
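
Added example (not part of the original page and not Oracle code): a local preview, in Python, of which records the OR filter and the wildcard filter shown above would keep, useful for checking that a connector forwards the audit events you expect before you deploy it. The sample records are constructed, the function names are hypothetical, and the matching rules (exact case-sensitive equality, successive where stages narrowing the stream, logContent approximated by the record's JSON text) are assumptions, not the service's evaluator.

```python
import json
import re

# Constructed sample records, shaped like the Output lines on this page.
SAMPLE_EVENTS = [
    {"specversion": "1.0", "type": "com.oraclecloud.objectstorage.deleteobject",
     "source": "myBucket", "data": {"message": "object removed"}},
    {"specversion": "1.0", "type": "com.oraclecloud.objectstorage.getobject",
     "source": "myBucket", "data": {"message": "ERR: access denied"}},
    {"specversion": "1.0", "type": "com.oraclecloud.objectstorage.listbuckets",
     "source": "otherBucket", "data": {"message": "listing ok"}},
]


def where_equals(events, field, values):
    """Emulate one `| where field='a' or 'b'` stage.

    Assumption: the comparison is an exact, case-sensitive string match.
    """
    wanted = set(values)
    return [e for e in events if e.get(field) in wanted]


def where_log_content(events, pattern):
    """Emulate `| where logContent='<pattern>'`, with * as the only wildcard.

    Assumption: logContent is approximated by the record's JSON text.
    """
    # Escape everything except *, so characters like . or [ match literally.
    regex = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)
    return [e for e in events if regex.fullmatch(json.dumps(e))]


def preview(events, *stages):
    """Run stages in order; each stage narrows the stream left by the previous one."""
    for stage in stages:
        events = stage(events)
    return events


if __name__ == "__main__":
    types = ["com.oraclecloud.objectstorage.deleteobject",
             "com.oraclecloud.objectstorage.getobject"]
    kept = preview(SAMPLE_EVENTS,
                   lambda ev: where_equals(ev, "type", types),
                   lambda ev: where_equals(ev, "source", ["myBucket"]))
    for event in kept:
        print(json.dumps(event))
    print(len(where_log_content(SAMPLE_EVENTS, "*ERR*")), "record(s) match *ERR*")
```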