Querying data

In IBM Cloud Logs, you can query your log data by using Lucene queries, DataPrime queries, or by querying directly data from an IBM Cloud Object Storage (COS) bucket. You can also apply filters to your queries.

Query data from the UI

In the Explore Logs page, you can:

Filtering can be used in conjunction with searching using Lucene or DataPrime.

After you define a query, you can save it for later reuse by creating a view. For more information, see Creating custom views.

Considerations when querying Priority insights data

There are considerations when querying log data in the IBM Cloud Logs Priority insights pipeline:

Filtering can be used in conjunction with searching using Lucene or DataPrime.
Logs in the Priority insights pipeline are indexed. If your instance reaches its maximum amount of indexed fields, additional fields are unavailable to query. For more information on indexing and data mapping, see Understanding indexing and field mapping.
You can get a mapping exception when data that is ingested through the Priority insights data pipeline detects the same field sent by different log records with different types. Mapping exceptions make fields unavailable to query. For more information, see Mapping exceptions.
Logs ingested through the Analyze and alert and Store and search data pipelines can only be directly queried from the archive..
You can query logs that are ingested and processed through the Priority insights data pipeline by using a Lucene query or a DataPrime query.

For example, when you define a Lucene query, you can run queries such as free-text searches, regular RegEX expressions, or using field searches.

If you are not seeing expected data:
- Consider broadening your query or removing filters.
- Note that some of your logs might not yet be indexed and will not be found by the filter or query.

Considerations when querying data from a bucket

You can query data from the Explorer logs page or by running an archive query.

There are considerations when querying log data from the data bucket:

Data stored in the data bucket include data ingested through the Priority insights, Analyze and alert, and Store and search data pipelines. It also includes logs that are matched through a Parsing Block rule that has the View blocked logs in Live tail and archive to IBM Cloud Object Storage option enabled.
You maintain the data in the bucket. You can keep the data for as long as you need and query it via the Logs page, selecting the All logs option.
Filtering can be used in conjunction with searching using Lucene or DataPrime.
You can query data with unlimited time frames. There are no restrictions on how far back in time your data can go. You maintain the data and you ahve access to the data for as long as you keep it.
You can query logs regardless of log priority and daily quota. Only blocked logs are not sent to the archive.
Archive Query lets you to directly query your logs from your archive using any text or a wide range of syntax queries. You can query logs regardless of log priority, daily quota, or the time frame of your data. For more information, see Querying archived data.

Limitations querying data through the Explorer

Limits exist when querying data in IBM® Cloud Logs.

Query limits

Characters within a query

There are limits to the number of characters that can be included in a query.

A maximum of 3000 characters can be included in a query in the Logs view.
A maxumum of 65,535 characters can be included in an alert query definition. Alert query definitions are also limited to a maximum of 50 AND and OR statements.

Keyword types

Keywords represent text that does not pass through the analyzer before indexing. This data type is suitable for regular expressions, aggregation, and sorting.

The syntax to use the keyword data type in your query is: <fieldName>.keyword.

IBM Cloud Logs can not create a keyword type when a field is longer than 256 characters.

Results returned

The maximum number of rows that are returned from a query depends if you are querying from Priority insights or data that is stored in IBM Cloud Object Storage.

The maximum number of results that are returned from Priority insights is 12 K.
The maximum number of results that are returned from IBM Cloud Object Storage (from a query using All Logs) is 50 K.

Bytes scanned

A maximum of 100 MB is scanned for Priority insights data. No limit exists when data stored in IBM Cloud Object Storage is scanned.

Rate limiting

A maximum of 10 queries per minute can be submitted.

When the rate limit is exceeded, an HTTP 429 is returned.

Archive query limitations

The following are the limitations placed on queries.

Archive query limitations
Limitation	Description
Bytes processed	Up to 30% of daily ingested bytes
Parquet files	Scanned up to 500K files
Clone results	Up to 1M results while running Archive Query
Time out	Up to 5 minutes of query execution

You also need to be aware of the following when querying archived data:

You can use the same query syntax (Lucene or DataPrime) on the Archive Queries page.
You might see slight delays when querying archived data when compared with other Explore queries.
Once a limit is reached, a warning message is displayed. Refine your query results to avoid reaching a limit.

Refining archive query results

You can refine your query results using the following methods:

Apply more selective filters to your queries (for example, application or subsystem).
If using the DataPrime extract operator and subsequently filtering its results, create a parsing rule and filter on the parsed field instead.
Avoid regular expressions or wildcards in filters.
In DataPrime, switch from using the contains operator on strings to the free text search operator (~).

Query log data using CLI

There are two ways to query log data using the CLI:

query
background-query-create

The background-query-create command runs an asynchronous query while query runs a synchronous query.

The background query lets you run a query and fetch the results at a later point in time. The query results are prepared and, once ready, you can download the results as a file using the CLI or the API.

With the background query up to 1M records can be returned. The query command is limited to returning 50K records.

The Query CLI supports only logs-raw, logs-prettify, and json as output. The default is logs-raw.

Running a synchronous query

You can query the log data synchronously by runing the ibmcloud logs query command.

ibmcloud logs query --query QUERY --syntax QUERY_SYNTAX --metadata '{"start_date": START-DATE, "end_date": c, "syntax": SYNTAX , "limit": LIMIT, "strict-fields-validation": STRICT-FIELDS-VALIDATION, "tier": TIER}'

ibmcloud logs query --query QUERY --syntax QUERY_SYNTAX --start-date START-DATE --end-date END-DATE --syntax SYNTAX --limit 10

Command options

--query (string)

The query to be run. This is a required parameter.

The query syntax can be either Lucene or Dataprime. The syntax or type of the query is set using --syntax parameter.

--metadata (string)

Metadata for the query execution. Use this configuration to provide the query execution parameters.

--start-date (string)

Beginning of the time range for the query. This must be in UTC ISO 8601 format, for example: 2025-07-15T08:45:00Z. The default is 15 minutes before the --end-date value. If --end-date is not specified, the default value is 15 minutes before the current time.

--end-date (string)

End of the time range for the query. This must be in UTC ISO 8601 format, for example: 2025-07-15T08:45:00Z. The default is 15 minutes after the --start-date value. If --start-date is not defined the --end-date is the current-time and the --start-date is 15 minutes prior to current time.

--limit (int)

Limit the number of records returned. If not specified, the default is 2000. The maximum number of records returned when searching Priority insights is 12000. Otherwise the maximum number of records returned is: 50000.

--syntax (string)

The syntax in which the query is written. Allowable values are: lucene and dataprime.

--since (duration)

Duration to look back from the current time when querying data. Using this flag overrides the metadata-start-date and metadata-end-date. For example, 1h retrieves data from the past hour (default 1h0m0s).

--tier (string)

Tier on which the query runs. Allowable values are: archive, frequent_search (Priority insights).

--output (string)

The output format in which the results are returned. Valid values are logs-raw , logs-prettify and json.

Example

ibmcloud logs query --query "Push and Query test" --metadata '{"start_date": "2025-06-16T12:00:00Z", "end_date": "2025-06-17T13:41:30Z","syntax": "lucene"}' --output logs-raw

The query command also supports --start-date, --end-date and --syntax outside the metadata parameter. For example:

ibmcloud logs query --query "source logs | filter \$d.text == 'Push and Query test'" --syntax dataprime --start-date 2025-08-03T12:00:00Z  --end-date 2025-08-04T13:41:30Z

Running a background query

You can query the log data asynchronously.

First you submit a background query. Then, you can use the ID with other commands.

 ibmcloud logs background-query-create --query QUERY --syntax SYNTAX [--start-date START-DATE] [--end-date END-DATE] [--now-date NOW-DATE]

Command options

--query (string)

The query to be run. This is a required parameter.

The query syntax can be either Lucene or Dataprime. The syntax or type of the query is set using --syntax parameter.

--syntax (string)

The syntax in which the query is written. Allowable values are: lucene and dataprime.

--start-date (string)

--end-date (string)

Example

ibmcloud logs background-query-create --query "Push and Query test" --syntax lucene --start-date 2025-06-16T12:00:00Z --end-date 2025-06-17T13:41:30Z

Example using DataPrime syntax

ibmcloud logs background-query-create --query "source logs | filter \$d.text == 'Push and Query test'" --syntax dataprime --start-date 2025-08-03T12:00:00Z

Determining the status of a background query

You can determine the status of a background query by using the ID returned when running the background query command.

ibmcloud logs background-query-status --query-id QUERY-ID

Command options

--query-id (strfmt.UUID)

Query ID returned from a background query command. Required.

The value is 36 characters in length and must match the regular expression /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.

Example

ibmcloud logs background-query-status --query-id 8b5e7151-da2b-4633-be8c-9b269bed2c81

Retrieving the resuts of a background query

You can retrieve the query results of a background query by using the ID returned when running the background query command.

ibmcloud logs background-query-data --query-id QUERY-ID --output OUTPUT

Command options

--query-id (strfmt.UUID)

Query ID returned from a background query command. Required.

The value is 36 characters in length and must match the regular expression /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.

--output-file (string)

Specifies the path to the file where the output is written.

--output (string)

The output format in which the results are returned. Valid values are logs-raw, logs-prettify, json, yaml, tui, or table. The default is table.

Example

ibmcloud logs background-query-data --query-id df47fff7-131d-41dc-9328-05489a93e27c --output logs-raw

Cancelling a background query

You can cancel a background query by using the ID returned when running the background query command.

ibmcloud logs background-query-cancel --query-id QUERY-ID --force

Command options

--query-id (strfmt.UUID)

Query ID returned from a background query command. Required.

The value is 36 characters in length and must match the regular expression /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.

--force|-f

Runs the command without further prompting of the user.

Example

ibmcloud logs background-query-cancel --query-id df47fff7-131d-41dc-9328-05489a93e27c