Basic concepts for creating message queries.

You can enter message queries by using the Search bar, or by entering constraints.

The search bar is one way to refine the results returned given the existing events in a Log Insight instance. While you can use a constraint instead of the search bar, it is often easier to understand a query that leverages the search bar over an equivalent constraint. The best practice is to use the search bar instead of an equivalent constraint when possible.

A constraint allows you to create queries by using a regular expression, a field, logical OR operation, or a combination of search bar and constraint queries.

When you create queries by using the search bar and constraints, the following best practices apply:

Ensure queries are not environment specific. Public content packs need to be generic to any environment and as such must not rely on environment-specific information. Examples of environment-specific information include source, hostname, and potentially facility if the facility uses local*.

When constructing a query, use keywords when possible; when keywords are not sufficient, use globs; and when globs are not sufficient, use regular expressions. Keyword queries are the least resource-intensive type of query. Globs are a simplified form of regular expression and are the next least resource-intensive type of query. Regular expressions are the most expensive type of query.

Provide as many keywords as possible when using regular expressions or fields. If a regular expression includes a logical OR, for example this|that, do not include keywords. Log Insight is optimized to perform keyword queries prior to regular expressions to minimize regular expression overhead.
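The following is an added illustration of the two rules above (keywords before globs before regular expressions, and keyword-first evaluation); it is a small Python model written for this page, not Log Insight's query engine. It assumes a keyword is an AND-ed case-insensitive substring match applied before the glob and the regex, and uses constructed sample events; it shows how keywords cut the number of regex evaluations and why a keyword next to an OR regex such as failure|failed silently drops one branch.

```python
import fnmatch
import re

# Constructed sample events (not taken from any real Log Insight instance).
EVENTS = [
    "2024-01-01T10:00:00 host-a sshd: authentication failure for user root",
    "2024-01-01T10:00:01 host-b kernel: eth0 link is up",
    "2024-01-01T10:00:02 host-a sshd: accepted publickey for user alice",
    "2024-01-01T10:00:03 host-c vpxa: authentication failed for user bob",
    "2024-01-01T10:00:04 host-b cron: job completed",
]


def run_query(events, keywords=(), glob=None, regex=None):
    """Model of keyword-first evaluation (an assumption of this example):
    every keyword must occur in the event (case-insensitive substring);
    only the survivors are tested against the glob and then the regex.
    Returns (matching events, number of regex evaluations performed)."""
    pattern = re.compile(regex, re.IGNORECASE) if regex else None
    matches, regex_evals = [], 0
    for event in events:
        lowered = event.lower()
        if not all(k.lower() in lowered for k in keywords):
            continue  # cheap keyword filter: no glob or regex cost paid
        if glob and not fnmatch.fnmatch(lowered, glob.lower()):
            continue  # glob is cheaper than a regex, so it runs next
        if pattern:
            regex_evals += 1  # the expensive step; count how often it runs
            if not pattern.search(event):
                continue
        matches.append(event)
    return matches, regex_evals


def demo():
    # Regex alone: every event pays the regex cost (5 evaluations).
    only_regex, evals_a = run_query(EVENTS, regex=r"authentication fail(ure|ed)")
    # Same two hits, but the keyword narrows the set to 2 regex evaluations.
    with_kw, evals_b = run_query(
        EVENTS, keywords=("authentication",), regex=r"fail(ure|ed)")
    # Pitfall: a keyword beside an OR regex excludes the "failed" branch,
    # so only 1 of the 2 intended events is returned.
    or_with_kw, _ = run_query(EVENTS, keywords=("failure",), regex=r"failure|failed")
    return len(only_regex), evals_a, len(with_kw), evals_b, len(or_with_kw)


if __name__ == "__main__":
    print(demo())  # (2, 5, 2, 2, 1)
```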