Sample queries

This document provides suggested queries that make it easier to find important logs using the Logs Explorer in the Google Cloud console. The listed queries are written in the Logging query language, and they can be used in the Logs Explorer, the Logging API, or the command-line interface.

The Logs Explorer uses Boolean expressions to specify a subset of all the log entries in your project. You can use these queries to choose log entries from specific logs or log services, or that satisfy conditions on metadata or user-defined fields.

Before you begin

Ensure that you have the correct Identity and Access Management permissions or roles for building queries using the Logs Explorer. For details on the necessary IAM permissions, see Permissions for the Google Cloud console.

Get started

  1. In the Google Cloud console, go to the Logs Explorer page:
    Go to Logs Explorer
    If you use the search bar to find this page, then select the result whose subheading is Logging.
  2. Select the appropriate Google Cloud project or other Google Cloud resource for which you want to view logs.

Use the sample queries

To apply a query from the following tables, click the Content Copy icon for the expression, and then paste the copied expression into the Logs Explorer query-editor field.

[Screenshot: the query pane, with the query editor showing where to enter a query.]

If you don't see the query-editor field, enable Show query.

After you review your query expression, click Run query. Logs that match your query are listed under Query results.

Some of the queries listed later on this page include variables that you should replace with valid values. For example, when a query includes logName, then the PROJECT_ID you supply must refer to the selected Google Cloud project; otherwise, the query won't work.

Note the following:

For instructions about querying in the Google Cloud console, see Build queries in the Logs Explorer.

The following sections group queries by Google Cloud services.

App Engine queries

Query/filter name Expression
App Engine logs from New Year's Eve (in UTC time) resource.type="gae_app" AND severity>=ERROR AND timestamp>="2018-12-31T00:00:00Z" AND timestamp<="2019-01-01T00:00:00Z"
App Engine request logs with server errors resource.type="gae_app" AND log_id("appengine.googleapis.com/request_log") AND httpRequest.status>=500
Sampled HTTP error logs resource.type="gae_app" AND protoPayload.status >= 400 AND sample(insertId, 0.1)
Search for App Engine trace ID resource.type="gae_app" AND trace="projects/PROJECT_ID/traces/TRACE_ID"
App Engine logs resource.type="gae_app" AND resource.labels.module_id="MODULE_ID" AND resource.labels.version_id="VERSION_ID"
Recent App Engine deployments resource.type="gae_app" AND protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName="appengine.googleapis.com"

API enable and disable queries

Query/filter name Expression
Audit API enable logs protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.EnableService"
Audit API disable logs protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.DisableService"

BigQuery queries

Query/filter name Expression
BigQuery audit logs resource.type=("bigquery_dataset" OR "bigquery_project") AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a project resource.type="bigquery_project" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a dataset resource.type="bigquery_dataset" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for BI Engine Model resource.type="bigquery_biengine_model" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a Data Transfer Service Run. resource.type="bigquery_dts_run" AND logName:"cloudaudit.googleapis.com"
BigQuery audit logs for a Data Transfer Service configuration. resource.type="bigquery_dts_config" AND logName:"cloudaudit.googleapis.com"
BigQuery data transfer service jobs resource.type=("bigquery_project") AND protoPayload.requestMetadata.callerSuppliedUserAgent= "BigQuery Data Transfer Service" AND protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob" OR "google.cloud.bigquery.v2.JobService.Query")
BigQuery transfer run logs resource.type="bigquery_dts_config" AND labels.run_id="RUN_ID" AND resource.labels.config_id="CONFIG_ID"
BigQuery dataset updates resource.type="bigquery_dataset" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName= "google.cloud.bigquery.v2.DatasetService.UpdateDataset"
BigQuery jobs completed resource.type="bigquery_project" AND log_id("cloudaudit.googleapis.com/data_access") AND protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob" OR "google.cloud.bigquery.v2.JobService.Query")
BigQuery large queries resource.type="bigquery_project" AND protoPayload.metadata.jobChange.job.jobStats.queryStats.totalBilledBytes > 1073741824
BigQuery quota exceeded resource.type=("bigquery_dataset" OR "bigquery_project") AND protoPayload.status.code=8 AND severity>=WARNING
BigQuery query started resource.type="bigquery_project" AND protoPayload.metadata.jobInsertion.reason:*
BigQuery concurrent load/extract jobs resource.type="bigquery_resource" AND protoPayload.methodName="jobservice.insert" AND protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query: "extract"
BigQuery audit logs for Row Access Policy protoPayload.methodName="jobservice.insert" AND protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query:"ROW ACCESS POLICY"

Dataflow queries

Query/filter name Expression
Errors and warnings in Dataflow workers resource.type="dataflow_step" AND log_id("dataflow.googleapis.com/worker") AND severity>=WARNING

Managed Service for Apache Spark queries

Query/filter name Expression
Dataproc Apache Hadoop logs resource.type="cloud_dataproc_cluster" AND jsonPayload.class:"org.apache.hadoop.mapreduce"

Cloud Deployment Manager

Query/filter name Expression
Deployment Manager errors resource.type="deployment" AND severity>=ERROR

Cloud Run functions queries

Query/filter name Expression
Cloud function errors resource.type="cloud_function" AND log_id("cloudfunctions.googleapis.com/cloud-functions") AND severity>=ERROR

Cloud Monitoring queries

Query/filter name Expression
Show all notification channel errors resource.type="stackdriver_notification_channel" AND severity>=ERROR
Show notification channel errors due to throttling resource.type="stackdriver_notification_channel" AND severity>=ERROR AND jsonPayload.summary="Notification delivery throttled."
Show logs written by the uptime resource resource.type="uptime_url"
Show requests received from the uptime-check service "GoogleStackdriverMonitoring-UptimeChecks"

Cloud Run queries

Query/filter name Expression
Cloud Run logs for a specific job resource.type="cloud_run_job" AND resource.labels.service_name="JOB_NAME"
Cloud Run logs for a specific revision and service resource.type="cloud_run_revision" AND resource.labels.service_name="SERVICE_NAME"

Cloud Source Repositories queries

Query/filter name Expression
Cloud Source Repository logs resource.type="csr_repository" AND resource.labels.name="REPOSITORY_NAME"

Spanner queries

Query/filter name Expression
Cloud Spanner logs for a specific spanner instance resource.type="spanner_instance" AND resource.labels.instance_id="SPANNER_INSTANCE"

Cloud SQL queries

Query/filter name Expression
Cloud SQL audit logs resource.type="cloudsql_database" AND resource.labels.database_id="DATABASE_ID" AND log_id("cloudaudit.googleapis.com/activity")
Cloud SQL MySQL error logs resource.type="cloudsql_database" AND log_id("cloudsql.googleapis.com/mysql.err")
Cloud SQL MySQL-based databases resource.type="cloudsql_database" AND resource.labels.database_id="DATABASE_ID" AND log_id("cloudsql.googleapis.com/mysql")
Cloud SQL Postgres-based databases resource.type="cloudsql_database" AND resource.labels.database_id="DATABASE_ID" AND log_id("cloudsql.googleapis.com/postgres.log")
Cloud SQL SQL Server error logs resource.type="cloudsql_database" AND log_id("cloudsql.googleapis.com/sqlserver.err")
Cloud SQL SQL Server-based databases resource.type="cloudsql_database" AND resource.labels.database_id="DATABASE_ID" AND log_id("cloudsql.googleapis.com/sqlagent.out")

Cloud Storage queries

Query/filter name Expression
GCS bucket logs resource.type="gcs_bucket" AND resource.labels.bucket_name="BUCKET_NAME"
GCS bucket audit logs resource.type="gcs_bucket" AND logName:"cloudaudit.googleapis.com"
GCS bucket creation logs resource.type="gcs_bucket" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.method_name="storage.buckets.create"
GCS bucket deletion logs resource.type="gcs_bucket" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.method_name="storage.buckets.delete"

Cloud Tasks queries

Query/filter name Expression
Cloud Tasks queue logs resource.type="cloud_tasks_queue" AND resource.labels.queue_id="QUEUE_ID"

Compute Engine queries

Query/filter name Expression
Compute Engine Admin Activity logs resource.type="gce_instance" AND log_id("cloudaudit.googleapis.com/activity")
Compute Engine firewall rule deletion resource.type="gce_firewall_rule" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"firewalls.delete"
Compute Engine VM syslogs resource.type="gce_instance" AND log_id("syslog")
Compute Engine VM authlogs resource.type="gce_instance" AND log_id("authlog")
Compute Engine Host Error resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName:"compute.instances.hostError" OR operation.producer:"compute.instances.hostError") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="INSTANCE_ID" severity=INFO
Compute Engine Host Memory Alert resource.type="gce_instance" AND protoPayload.serviceName="compute.googleapis.com" AND (jsonPayload.methodName:"compute.instances.host_event_notify" OR operation.producer:"compute.instances.host_event_notify") AND log_id("cloudaudit.googleapis.com/host_event_notify") AND resource.labels.instance_id="INSTANCE_ID" AND severity=CRITICAL
Compute Engine Host Migrated resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName: "compute.instances.migrateOnHostMaintenance" OR operation.producer: "compute.instances.migrateOnHostMaintenance") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="INSTANCE_ID" severity=INFO
Compute Engine VM Terminated/Preempted resource.type="gce_instance" protoPayload.methodName=~"compute\.instances\.(guestTerminate|preempted)" log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="INSTANCE_ID"
Compute Engine VM terminated due to Scratch Disk Creation Failure resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName="compute.instances.scratchDiskCreationFailed" OR operation.producer:"compute.instances.scratchDiskCreationFailed") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="INSTANCE_ID" severity=INFO
Compute Engine VM Instance Created resource.type="gce_instance" protoPayload.methodName:"compute.instances.insert" log_id("cloudaudit.googleapis.com/activity") protoPayload.request.name="INSTANCE_NAME"
Compute Engine VM Instance Deleted with Name resource.type="gce_instance" protoPayload.methodName:"compute.instances.delete" log_id("cloudaudit.googleapis.com/activity") protoPayload.resourceName:"INSTANCE_NAME"
Compute Engine VM Instance Deleted with ID resource.type="gce_instance" protoPayload.methodName:"compute.instances.delete" log_id("cloudaudit.googleapis.com/activity") resource.labels.instance_id="INSTANCE_ID"
Compute Engine VM Instance Restarted resource.type="gce_instance" protoPayload.methodName=~"compute\.instances\.( stop|reset
Compute Engine Shielded VM Boot Integrity Failure resource.type="gce_instance" log_id("compute.googleapis.com/shielded_vm_integrity") jsonPayload.earlyBootReportEvent.policyEvaluationPassed="false" resource.labels.instance_id="INSTANCE_ID"
Compute Engine VM instance stopped by Guest OS resource.type="gce_instance" protoPayload.serviceName="compute.googleapis.com" (protoPayload.methodName:"compute.instances.guestTerminate" OR operation.producer:"compute.instances.guestTerminate") log_id("cloudaudit.googleapis.com/system_event") resource.labels.instance_id="INSTANCE_ID" severity=INFO
Compute Engine Shielded VM boot file was blocked resource.type="gce_instance" log_id("serialconsole.googleapis.com/serial_port_1_output") textPayload:("Security Violation") resource.labels.instance_id="INSTANCE_ID"
Persistent Disk Created resource.type="gce_disk" AND protoPayload.methodName:"compute.disks.insert" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.resourceName: "PERSISTENT_DISK_NAME"
Nodes added in Sole Tenant Node resource.type="gce_node_group" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName=~("compute.nodeGroups.addNodes" OR "compute.nodeGroups.insert") resource.labels.node_group_id="NODE_GROUP_ID" severity="INFO"
Autoscale events in Sole Tenant Node resource.type="gce_node_group" log_id("cloudaudit.googleapis.com/system_event") protoPayload.methodName=~("compute.nodeGroups.deleteNodes" OR "compute.nodeGroups.addNodes") resource.labels.node_group_id="NODE_GROUP_ID"
Manual Snapshot Taken resource.type="gce_snapshot" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.snapshots.insert" protoPayload.resourceName:"SNAPSHOT_NAME"
Scheduled Snapshot Taken resource.type="gce_disk" log_id("cloudaudit.googleapis.com/system_event") protoPayload.methodName="ScheduledSnapshots" protoPayload.response.operationType="createSnapshot" protoPayload.response.targetLink="PERSISTENT_DISK_NAME"
Snapshot Schedule Created resource.type="gce_resource_policy" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.resourcePolicies.insert" protoPayload.request.name="SCHEDULE_NAME"
Snapshot Schedule Attached resource.type="gce_disk" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"compute.disks.addResourcePolicies" protoPayload.request.resourcePolicys:"SCHEDULE_NAME" protoPayload.resourceName:"PERSISTENT_DISK_NAME"
Quota Exceeded resource.type="gce_instance" protoPayload.methodName:"compute.instances.insert" protoPayload.status.message:"QUOTA_EXCEEDED" severity=ERROR
Query unhealthy instances in instance group resource.type="gce_instance_group" resource.labels.instance_group_name="INSTANCE_GROUP_NAME" jsonPayload.healthCheckProbeResult.healthState="UNHEALTHY"
Query instance group members within a time frame in UTC time format resource.type="gce_instance_group_manager" resource.labels.instance_group_manager_name="INSTANCE_GROUP_NAME" jsonPayload.@type= "type.googleapis.com/compute.InstanceGroupManagerEvent" jsonPayload.instanceHealthStateChange.detailedHealthState="HEALTHY" timestamp >= START_TIME timestamp <= END_TIME
Instances added to Instance Group resource.type="gce_instance_group" protoPayload.methodName:"compute.instanceGroups.addInstances" log_id("cloudaudit.googleapis.com/activity") resource.labels.instance_group_name="INSTANCE_GROUP_NAME"
Instances removed from Instance Group resource.type="gce_instance_group" protoPayload.methodName:"compute.instanceGroups.removeInstances" log_id("cloudaudit.googleapis.com/activity") resource.labels.instance_group_name="INSTANCE_GROUP_NAME"
Instance template set or updated resource.type="gce_instance_group_manager" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName= "v1.compute.instanceGroupManagers.setInstanceTemplate" resource.labels.instance_group_manager_name="INSTANCE_GROUP_MANAGER"
Firewall rule deleted resource.type="gce_firewall_rule" log_id("cloudaudit.googleapis.com/activity") protoPayload.methodName:"firewalls.delete"
Firewall logs resource.type="gce_subnetwork" log_id("compute.googleapis.com/firewall") jsonPayload.instance.vm_name="INSTANCE_NAME"

Google Cloud Observability queries

Query/filter name Expression
Log sink activities resource.type="logging_sink" AND log_id("cloudaudit.googleapis.com/activity")
Log-based metric create or update activities resource.type="metric" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:(UpdateLogMetric OR CreateLogMetric)
Uptime URL checks for a host resource.type="uptime_url" AND resource.labels.host="URL"

Identity and Access Management queries

Query/filter name Expression
Service account creation logs resource.type="service_account" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccount"
Service account creation key logs resource.type="service_account" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"
Set access control policy logs resource.type="project" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="SetIamPolicy"
External principal granted access to organization resource.type="project" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.request.@type:"IamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:* AND NOT protoPayload.serviceData.policyDelta.bindingDeltas.member:"@DOMAIN_NAME.com"
Resource creation, modification, or deletion log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:("create" OR "delete" OR "update")
Role granted to principal log_id("cloudaudit.googleapis.com/activity") AND resource.type="project" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="Add" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ID"
Role removed from principal log_id("cloudaudit.googleapis.com/activity") AND resource.type="project" AND protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.action="Remove" AND protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ID"
Permission updated in a custom role log_id("cloudaudit.googleapis.com/activity") AND resource.type="iam_role" AND protoPayload.serviceName="iam.googleapis.com" AND protoPayload.methodName:"UpdateRole" AND resource.labels.role_name:"ROLE_ID"
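
The following is an added example, not part of the original page and not Google's code: it applies the logic of the "External principal granted access to organization" and "Role granted to principal" queries to constructed audit-log entries, one binding delta at a time, and also reports members that merely contain the trusted domain as a substring (the `:` operator in the page's query is a substring test). The entries, the domain `example.com`, the `role` field and all function names are assumptions made for illustration.

```python
# Added example: all entries below are constructed, not real audit-log output.
TRUSTED_DOMAINS = {"example.com"}  # assumption: stands in for DOMAIN_NAME.com


def make_entry(insert_id, method, actor, deltas):
    """Build a minimal entry with only the fields the page's queries reference."""
    return {
        "insertId": insert_id,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": actor},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": a, "role": r, "member": m} for a, r, m in deltas
            ]}},
        },
    }


SAMPLE_ENTRIES = [
    make_entry("a1", "SetIamPolicy", "admin@example.com", [
        ("ADD", "roles/viewer", "user:alice@example.com"),
        ("ADD", "roles/editor", "user:mallory@outside.test"),
    ]),
    make_entry("a2", "SetIamPolicy", "admin@example.com", [
        ("ADD", "roles/viewer", "user:carol@example.com"),
    ]),
    make_entry("a3", "SetIamPolicy", "admin@example.com", [
        ("REMOVE", "roles/viewer", "user:old@outside.test"),
    ]),
    make_entry("a4", "SetIamPolicy", "admin@example.com", [
        ("ADD", "roles/storage.objectViewer", "allUsers"),
        ("ADD", "roles/viewer",
         "serviceAccount:ci@other-project.iam.gserviceaccount.com"),
    ]),
    make_entry("a5", "SetIamPolicy", "admin@example.com", [
        ("ADD", "roles/viewer", "user:bob@example.com.lookalike.test"),
    ]),
    make_entry("a6", "google.iam.admin.v1.CreateServiceAccount",
               "admin@example.com", []),
]


def member_domain(member):
    """Return the lower-cased domain of an IAM member string, or None.

    Handles 'user:', 'group:', 'serviceAccount:' and 'domain:' members;
    'allUsers' and 'allAuthenticatedUsers' have no domain and yield None.
    """
    kind, _, ident = member.partition(":")
    if not ident:
        return None
    if kind == "domain":
        return ident.lower()
    _, at, domain = ident.rpartition("@")
    return domain.lower() if at else None


def external_grants(entries, trusted=TRUSTED_DOMAINS):
    """List every ADD binding delta whose member is outside the trusted domains."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("SetIamPolicy"):
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action", "").upper() != "ADD":
                continue  # removals are covered by "Role removed from principal"
            member = delta.get("member", "")
            if member_domain(member) in trusted:
                continue
            findings.append({
                "insertId": entry.get("insertId"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "role": delta.get("role"),
                "member": member,
            })
    return findings


def substring_lookalikes(findings, domain):
    """Findings whose member still contains '@<domain>' as a substring.

    A substring exclusion on '@<domain>' treats these members as internal,
    while the exact domain comparison above does not.
    """
    needle = "@" + domain.lower()
    return [f for f in findings if needle in f["member"].lower()]


if __name__ == "__main__":
    grants = external_grants(SAMPLE_ENTRIES)
    for finding in grants:
        print(finding)
    print("substring look-alikes:", substring_lookalikes(grants, "example.com"))
```

Service accounts of your own projects are reported unless their domains are added to `TRUSTED_DOMAINS`.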

For an overview and examples of Admin Activity audit log queries, see those provided on the GKE Audit logging page.

Cluster-level queries

Query/filter name Expression
Google Kubernetes Engine cluster operations resource.type="gke_cluster" AND log_id("cloudaudit.googleapis.com/activity")
Google Kubernetes Engine cluster creation resource.type="gke_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="google.container.v1.ClusterManager.CreateCluster"
Kubernetes cluster deployment resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"deployments"
Kubernetes cluster authentication failure resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.authenticationInfo.principalEmail="system:anonymous"
Kubernetes cluster operations and events in us-central1-b resource.type="k8s_cluster" AND resource.labels.location="us-central1-b"
Kubernetes pod requests from users resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"io.k8s.core.v1.pods" AND protoPayload.authenticationInfo.principalEmail="USER_EMAIL"
Kubernetes events resource.type="k8s_cluster" AND log_id("events")
Kubernetes Endpoints update resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.request.kind="Endpoints"
Kubernetes control plane logs resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.serviceName="k8s.io"
Kubernetes Engine control plane logs resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.serviceName="container.googleapis.com"
Pod deletion resource.type="k8s_cluster" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName=~"io\.k8s\.core\.v1\.pods\.(create|delete)"
Kubernetes pod audit logs from control plane resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.resourceName="core/v1/namespaces/POD_NAMESPACE/pods/POD_NAME"
Kubernetes pod evictions resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName="io.k8s.core.v1.pods.eviction.create"
Kubernetes node audit logs from the control plane resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.methodName:"io.k8s.core.v1.nodes"
Kubernetes cluster control plane for Addon Manager Activity resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.authenticationInfo.principalEmail="system:addon-manager"
Kubernetes control plane errors (excluding Conflict, which is normal) resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("cloudaudit.googleapis.com/activity") AND protoPayload.status.message!="Conflict" AND protoPayload.status.code!=0
Ingress Controller events resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("events") AND jsonPayload.source.component="loadbalancer-controller"
Service Controller events (kube-controller-manager) resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("events") AND jsonPayload.source.component="service-controller"
Cluster Autoscaler events resource.type="k8s_cluster" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("events") AND jsonPayload.source.component="cluster-autoscaler"

Pod-level queries

Filter name Expression
Query pod during creation resource.type="k8s_pod" AND resource.labels.pod_name="POD_NAME" AND log_id("events")
Query pod terminated due to resource pressure resource.type="k8s_pod" AND log_id("events") AND jsonPayload.reason="Evicted"
Scheduler events resource.type="k8s_pod" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("events") AND jsonPayload.source.component="default-scheduler"
Scheduler events (preemptions) resource.type="k8s_pod" AND resource.labels.location="CLUSTER_LOCATION" AND resource.labels.cluster_name="CLUSTER_NAME" AND log_id("events") AND jsonPayload.source.component="default-scheduler" AND jsonPayload.reason="Preempted"

Node-level queries

Filter name Expression
Node events resource.type="k8s_node" AND log_id("events")
Looking at Kube-proxy logs resource.type="k8s_node" AND log_id("kube-proxy")
Looking at dockerd logs resource.type="k8s_node" AND log_id("container-runtime")
Looking at kubelet errors or failures resource.type="k8s_node" AND log_id("kubelet") AND jsonPayload.MESSAGE:("error" OR "fail")
Looking at node logs for GKE system logs resource.type = "k8s_node" logName:( "logs/container-runtime" OR "logs/docker" OR "logs/kube-container-runtime-monitor" OR "logs/kube-logrotate" OR "logs/kube-node-configuration" OR "logs/kube-node-installation" OR "logs/kubelet" OR "logs/kubelet-monitor" OR "logs/node-journal" OR "logs/node-problem-detector")

Namespace queries

Filter name Expression
Container and pod logs for GKE system logs resource.type = ("k8s_container" OR "k8s_pod") resource.labels.namespace_name = ( "cnrm-system" OR "config-management-system" OR "gatekeeper-system" OR "gke-connect" OR "gke-system" OR "istio-system" OR "knative-serving" OR "monitoring-system" OR "kube-system")

Container queries

Filter name Expression
Stdout container logs across all pods and containers in a cluster resource.type="k8s_container" AND log_id("stdout")
Container error logs across all pods and containers in a cluster resource.type="k8s_container" AND log_id("stderr") AND severity=ERROR
Container error logs for a pod with a specific name resource.type="k8s_container" AND resource.labels.pod_name="POD_NAME" AND severity=ERROR
Container error logs for a specific container in a specific pod resource.type="k8s_container" AND resource.labels.pod_name="POD_NAME" AND resource.labels.container_name="server" AND severity=ERROR
Container error logs for a specific namespace and container resource.type="k8s_container" AND resource.labels.namespace_name="istio-system" AND resource.labels.container_name="egressgateway" AND severity=ERROR
Container logs for a pod with a specific label resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND severity=ERROR
Container error logs for pods running on a specific node resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=NODE_NAME AND severity=ERROR
Container logs for a pod with a label generated using skaffold resource.type="k8s_container" AND labels."k8s-pod/app"="loadgenerator" AND labels."k8s-pod/skaffold_dev/run-id"=SKAFFOLD_RUN_ID severity=ERROR
Container error logs for a specific pod containing a POST in the textPayload resource.type="k8s_container" AND resource.labels.pod_name="POD_NAME" AND textPayload:"POST" AND severity=ERROR
Container error logs for a specific pod containing a GET in the structured JSON resource.type="k8s_container" AND resource.labels.pod_name="POD_NAME" AND jsonPayload."http.req.method"="GET" AND severity=ERROR
Container error logs in the kube-system namespace resource.type="k8s_container" AND resource.labels.namespace_name="kube-system" AND severity=ERROR
Container error in the container insights log resource.type="k8s_container" AND log_id("clouderrorreporting.googleapis.com/insights")
Kubernetes container logs resource.type="k8s_container" AND resource.labels.container_name="CONTAINER_NAME"

Control plane queries

Note: GKE control plane logs must be enabled.

Filter name Expression
Kubernetes API server logs resource.type="k8s_control_plane_component" resource.labels.component_name="apiserver" resource.labels.location="CLUSTER_LOCATION" resource.labels.cluster_name="CLUSTER_NAME"
Kubernetes Scheduler logs resource.type="k8s_control_plane_component" resource.labels.component_name="scheduler" resource.labels.location="CLUSTER_LOCATION" resource.labels.cluster_name="CLUSTER_NAME"
Kubernetes Controller Manager logs resource.type="k8s_control_plane_component" resource.labels.component_name="controller-manager" resource.labels.location="CLUSTER_LOCATION" resource.labels.cluster_name="CLUSTER_NAME"

TPU workload queries

Note: GKE system and workload logging must be enabled.

Filter name Expression
Stdout container logs across all TPU nodes with the same prefix resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=~"TPU_NODE_PREFIX.*" AND log_id("stdout")
Container error logs across all TPU nodes with the same prefix resource.type="k8s_container" AND labels."compute.googleapis.com/resource_name"=~"TPU_NODE_PREFIX.*" AND log_id("stderr") AND severity=ERROR
Stdout container logs from the same GKE Job resource.type="k8s_container" AND labels."k8s-pod/batch.kubernetes.io/job-name" = "JOB_NAME" AND log_id("stdout")
Container error logs from the same GKE Job resource.type="k8s_container" AND labels."k8s-pod/batch.kubernetes.io/job-name"="JOB_NAME" AND log_id("stderr") AND severity=ERROR
Stdout container logs from the same GKE JobSet resource.type="k8s_container" AND labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="JOBSET_NAME" AND log_id("stdout")
Container error logs from the same GKE JobSet resource.type="k8s_container" AND labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="JOBSET_NAME" AND log_id("stderr") AND severity=ERROR

Third-party application queries

The following queries use the default log IDs for logs collected by the legacy Logging agent. If you are collecting logs by using the Ops Agent, then the log names might be configured differently. For more information about the Ops Agent and application logs, see Collect logs from third-party applications.

Query/filter name Expression
Apache logs resource.type="gce_instance" AND (logName:"/apache-access" OR logName:"/apache-error")
Cassandra logs resource.type="gce_instance" AND log_id("cassandra")
Chef logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/chef-"
Gitlab logs resource.type="gce_instance" logName:"projects/PROJECT_ID/logs/gitlab-"
Jenkins logs resource.type="gce_instance" AND log_id("jenkins")
Jetty logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/jetty-"
Joomla logs resource.type="gce_instance" AND log_id("joomla")
Linux syslogs resource.type="gce_instance" AND log_id("syslog")
Magneto logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/magneto-"
Mediawiki logs resource.type="gce_instance" AND log_id("mediawiki")
memcached logs resource.type="gce_instance" AND log_id("memcached")
MongoDB logs resource.type="gce_instance" AND log_id("mongodb")
MySQL logs resource.type="gce_instance" AND log_id("mysql")
Nginx logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/nginx-"
PostgreSQL logs resource.type="gce_instance" AND log_id("postgresql")
Puppet logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/puppet-"
RabbitMQ logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/rabbitmq-"
Redmine logs resource.type="gce_instance" AND log_id("redmine")
Salt logs resource.type="gce_instance" AND logName:"projects/PROJECT_ID/logs/salt-"
Slow MySQL queries resource.type="gce_instance" AND log_id("mysql-slow")
Solr logs resource.type="gce_instance" AND log_id("solr")
SugarCRM logs resource.type="gce_instance" AND log_id("sugarcrm")
Tomcat logs resource.type="gce_instance" AND log_id("tomcat")
Zookeeper logs resource.type="gce_instance" AND log_id("zookeeper")

Networking queries

Query/filter name Expression
Firewall - all logs resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall")
Firewall logs for a given country resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND jsonPayload.remote_location.country=COUNTRY_ISO_ALPHA_3
Firewall logs from a VM resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND jsonPayload.instance.vm_name="INSTANCE_NAME"
Firewall subnet logs resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/firewall") AND resource.labels.subnetwork_name="SUBNET_NAME"
Compute Engine subnetwork traffic logs to a subnet resource.type="gce_subnetwork" AND ip_in_net(jsonPayload.connection.dest_ip, "SUBNET_IP")
VPC Flow logs resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows")
VPC Flow logs for specific port and protocol resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND jsonPayload.connection.src_port="PORT_ID" AND jsonPayload.connection.protocol="PROTOCOL"
VPC Flow logs for specific subnet resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND resource.labels.subnetwork_name="SUBNET_NAME"
VPC Flow logs for specific subnet prefix resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND ip_in_net(jsonPayload.connection.dest_ip,SUBNET_IP)
VPC Flow logs for a specific VM resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows") AND jsonPayload.src_instance.vm_name="VM_NAME"
VPN gateway logs resource.type="vpn_gateway" AND resource.labels.gateway_id="GATEWAY_ID"
HTTP Load Balancer 5xx errors resource.type="http_load_balancer" AND httpRequest.status>=500
HTTP Load Balancer requests to PHPMyAdmin resource.type="http_load_balancer" AND httpRequest.request_url:"phpmyadmin"

Security queries

Query/filter name Expression
Audit logs - all logName:"cloudaudit.googleapis.com"
Audit logs - Access Transparency (AXT) log_id("cloudaudit.googleapis.com/access_transparency")
Audit logs - Admin Activity log_id("cloudaudit.googleapis.com/activity")
Audit logs - Data Access log_id("cloudaudit.googleapis.com/data_access")
Audit logs - System Event log_id("cloudaudit.googleapis.com/system_event")

Troubleshooting

For instructions about troubleshooting common issues when using the Logs Explorer, see Using the Logs Explorer: Troubleshooting.

What's next

For more information about the query syntax, which you can use to customize these queries, see Logging query language.

For more information about querying in the Google Cloud console, see Build queries by using the Logging query language.