This tutorial covers New Relic Log Search with real-world examples tailored for Linux and Apache logs. The queries assume your logs are being forwarded correctly to New Relic and are accessible via Logs UI or Log Search (NRQL/Lucene).
🔍 New Relic Log Search Tutorial with Examples
✅ 1. Single Term Search
A single term searches for a single word in the log messages.
Syntax:
<word>
Example:
error
Matches logs that include the word error anywhere in the log message.
🔧 Use Case:
Search for generic error logs from Apache or Linux syslog:
error
✅ 2. Double Term (Phrase Search)
To search for an exact phrase, enclose it in double quotes.
Syntax:
"phrase with spaces"
Example:
"connection timed out"
Finds logs that contain the exact phrase connection timed out.
🔧 Use Case:
Apache logs with specific connection errors:
"client denied by server configuration"
✅ 3. OPERATORS
🔹 AND (default behavior)
Narrows results by requiring both terms to appear.
Syntax:
term1 AND term2
Or simply:
term1 term2
Example:
apache error
Matches logs containing both apache and error.
🔹 OR
Broadens results by matching either term.
Syntax:
term1 OR term2
Example:
warning OR critical
🔧 Use Case:
Search Linux logs for multiple log levels:
"kernel" AND (warning OR error)
🔹 NOR (Negation)
Used for negation of one or more terms.
Syntax:
NOT term
New Relic does not support NOR, but you can achieve negation using NOT.
Example:
apache NOT error
🔧 Use Case:
Find Apache logs that do not contain error.
✅ 4. Regular Expression (RegEx)
Use regex to match complex patterns.
Syntax:
message =~ /pattern/
Example:
message =~ /failed.*login/
Matches messages with phrases like failed user login, failed root login, etc.
🔧 Use Case (Linux auth logs):
message =~ /invalid user.*from/
Detect brute-force attempts on SSH.
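The following Python example is added here and is not part of the original tutorial or of New Relic's tooling. It runs the regex from the use case above over constructed sshd lines, shows which failure lines the pattern leaves out, and counts invalid-user failures per source address; the sample lines, the threshold of 3 and the function names are assumptions.

```python
import re
from collections import Counter

# Pattern from the tutorial's use case, applied unanchored and case-sensitively
# (Python's default; how New Relic treats case is not stated on the page).
PAGE_PATTERN = re.compile(r"invalid user.*from")
# Assumed OpenSSH message layout, used to pull out the account and source address.
FAILED_INVALID = re.compile(
    r"Failed password for invalid user (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LINES = [
    "May 20 10:01:01 web01 sshd[2211]: Invalid user admin from 203.0.113.7 port 50122",
    "May 20 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "May 20 10:01:05 web01 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2",
    "May 20 10:01:09 web01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 50141 ssh2",
    "May 20 10:02:30 web01 sshd[2230]: Failed password for root from 198.51.100.9 port 40022 ssh2",
    "May 20 10:02:41 web01 sshd[2233]: Failed password for invalid user guest from 198.51.100.9 port 40031 ssh2",
    "May 20 10:03:00 web01 sshd[2240]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2",
]


def matches_page_pattern(lines):
    """Lines the tutorial's regex would return."""
    return [line for line in lines if PAGE_PATTERN.search(line)]


def missed_failures(lines):
    """Failure-related lines the tutorial's regex does not return."""
    markers = ("Failed password", "Invalid user")
    return [
        line for line in lines
        if any(m in line for m in markers) and not PAGE_PATTERN.search(line)
    ]


def sources_over_threshold(lines, threshold=3):
    """Source addresses with at least `threshold` invalid-user password failures."""
    counts = Counter()
    for line in lines:
        m = FAILED_INVALID.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(len(matches_page_pattern(SAMPLE_LINES)), "lines match the page's pattern")
    print(len(missed_failures(SAMPLE_LINES)), "failure lines are not matched")
    print(sources_over_threshold(SAMPLE_LINES))
```

The two unmatched failure lines are the capitalised Invalid user message and the failed password for an existing account (root), so password guessing against real accounts needs its own search.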
✅ 5. FIELD FILTERS
Filter logs by specific field values.
🔹 Format:
<field>:<value>
🔹 Examples:
Linux Example:
hostname:my-linux-server
Apache Example:
service:apache AND level:error
Combined:
service:apache AND message:"file not found"
Timestamp Range:
timestamp >= '2025-05-20T00:00:00Z' AND timestamp < '2025-05-21T00:00:00Z'
🧠 Bonus: Apache & Linux Log Examples
1. Apache Access Denied Errors
service:apache AND message:"client denied by server configuration"
2. Linux SSH Login Failures
service:syslog AND message =~ /Failed password for invalid user/
3. Filter by Host and Level
hostname:prod-server-01 AND level:error
4. Apache 404 Errors
service:apache AND message:"404 Not Found"
💡 Tips for Using New Relic Logs UI
- Use saved queries for repeated searches.
- Use faceted search to group logs by fields (like hostname, service, level).
- Click on fields to create filters interactively.
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share a tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.