Querying in logging24
Every query scans stored logs after applying four filters in order: customer selection, log stream prefixes, time range, and finally a full-line regex match. This page is the conceptual guide to that model.
In the chapter flow, read this after Forwarding. It explains how the data you send to logging24 is later narrowed, matched, and analyzed in the web UI, the CLI, and the API.
Start with a practical query
l24 query --customer "$L24_CUSTOMER" ".*ERROR.*" env://L24_READ_TOKEN
l24 query --customer "$L24_CUSTOMER" --prefix0 "web-" -f "now - 1h" ".*timeout.*" env://L24_READ_TOKEN
These examples show the main ingredients of a search: customer, optional prefixes, optional time bounds, and a regex pattern that normally starts and ends with `.*`.
Log stream selection via prefixes
Each log stream has four text labels: `prefix0` through `prefix3`. Typical setups use `prefix0` for host or environment and `prefix1` for service or logfile. A query only scans streams whose labels start with the prefixes you specify.
If you leave a prefix empty, that dimension is not restricted.
Time range filtering
Time range filtering reduces the amount of data that needs to be scanned before regex matching begins. Shorter ranges are therefore usually faster than broad ones.
Common CLI patterns:
-f "now - 15m" -t "now"
-f "2026-03-09 10:00" -t "2026-03-09 11:00"
Full-line regex model
logging24 matches the regex against the entire log event. In practice, that means most substring searches should wrap the term with `.*`:

| Pattern | Meaning |
| --- | --- |
| `.*ERROR.*` | Lines containing `ERROR` anywhere. |
| `.*(timeout\|refused\|unreachable).*` | Union of multiple network failure patterns. |
| `(.*prod.*)&(.*ERROR.*)` | Lines containing both `prod` and `ERROR`. |
| `(.*ERROR.*)~(.*health.*)` | Error lines excluding health-check noise. |
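The filter order and full-line matching described on this page, modelled in Python as an added example (this is not logging24 code). The sample events, the `query` helper, the inclusive time bounds, and the use of Python's `re.fullmatch` with include/exclude lists to stand in for `&` and `~` are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample events: (customer, (prefix0..prefix3), timestamp, line).
EVENTS = [
    ("acme", ("web-1", "nginx", "", ""), datetime(2026, 3, 9, 10, 5), "prod ERROR upstream timeout"),
    ("acme", ("web-2", "nginx", "", ""), datetime(2026, 3, 9, 10, 20), "prod ERROR health check failed"),
    ("acme", ("db-1", "postgres", "", ""), datetime(2026, 3, 9, 10, 30), "prod ERROR connection refused"),
    ("acme", ("web-1", "nginx", "", ""), datetime(2026, 3, 9, 12, 0), "prod ERROR late event"),
    ("other", ("web-1", "nginx", "", ""), datetime(2026, 3, 9, 10, 10), "prod ERROR other tenant"),
    ("acme", ("web-1", "app", "", ""), datetime(2026, 3, 9, 10, 40), "staging WARN slow request"),
]
# Constructed one-hour window; bounds are treated as inclusive (assumption).
START, END = datetime(2026, 3, 9, 10, 0), datetime(2026, 3, 9, 11, 0)

def full_line(pattern, line):
    """Full-line match: the pattern must cover the whole event, not a substring."""
    return re.fullmatch(pattern, line) is not None

def matches(line, include, exclude=()):
    """Model (A)&(B) as all include patterns matching, (A)~(B) as no exclude pattern matching."""
    return all(full_line(p, line) for p in include) and not any(full_line(p, line) for p in exclude)

def query(customer, prefixes, start, end, include, exclude=()):
    """Apply the four filters in the documented order and return the matching lines."""
    out = []
    for cust, labels, ts, line in EVENTS:
        if cust != customer:
            continue  # 1. customer selection
        if not all(label.startswith(p) for label, p in zip(labels, prefixes)):
            continue  # 2. stream prefixes; an empty prefix restricts nothing
        if not (start <= ts <= end):
            continue  # 3. time range
        if matches(line, include, exclude):
            out.append(line)  # 4. full-line regex
    return out
```

Calling `query` with `include=["ERROR"]` returns nothing even though several lines contain the word, which is the practical consequence of full-line matching.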
Supported regex features
| Syntax | Meaning |
| --- | --- |
| `.` | Any single character |
| `[abc]` | Character classes |
| `[^abc]` | Negated character classes |
| `a?`, `a*`, `a+` | Quantifiers |
| `a{N}`, `a{N,}`, `a{N,M}` | Counted repetition |
| `(...)` | Grouping |
| `\|`, `&`, `~` | Union, intersection, negation |
| `(?int)` | Capture integer values for numeric analysis |
| `(?num(3))` | Capture floating point values with fixed precision |
| `(?txt(...))` | Capture up to 31 bytes for textual grouping |
| `(?`, `(?`, `(?` | Name captures for x/y coordinates and grouping keys |
For a gradual introduction to the regex syntax, use the Regex Primer. Treat that section as a learning aid; this page remains the canonical guide to how querying works in logging24.
Numerical analysis
If the pattern captures numeric data with `(?int)` or `(?num(N))`, the result can be used for numerical analysis rather than simple log listing. Because matching is single-pass, numeric captures do not backtrack. Put a specific textual lead-in before numeric captures when possible.
.*duration_ms=(?(?int)).*
.*the number for X is (?(?int)).*
Textual analysis
Use `(?` to split results by a textual key. This is useful for grouping by endpoint, hostname fragment, status, or error code.
.*status=(?(?txt([A-Z_]+))).*
.*path=(?(?txt(/\S+))).*
Related links
- Web UI for interactive search and analysis.
- l24 query for exact CLI syntax.
- API Reference for direct HTTP query access.
- Regex Primer for regex teaching material.