The search syntax is very close to the Lucene syntax. By default all message fields are included in the search if you don’t specify a message field to search in.

Messages that include the term ssh:

Messages that include the term ssh or login:

Messages that include the exact phrase ssh login:

Messages where the field type includes ssh:

Messages where the field type includes ssh or login:

Messages where the field type includes the exact phrase ssh login:

Messages that have the field type:

Messages that do not have the field type:


Elasticsearch 2.x allows to use instead of . This query syntax has been removed in

By default all terms or phrases are OR connected so all messages that have at least one hit are returned. You can use Boolean operators and groups for control over this:

Boolean operators and groups

You can also use the NOT operator:

Note that AND, OR, and NOT are case sensitive and must be typed in all upper-case.

Wildcards: Use ? to replace a single character or * to replace zero or more characters:


Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:


Also note that message, full_message, and source are the only fields that are analyzed by default. While wildcard searches (using * and ?) work on all indexed fields, analyzed fields behave a little differently. See wildcard and regexp queries for details.

Fuzziness: You can search for similar terms:


This example is using the Damerau–Levenshtein distance with a default distance of 2 and will match “ssh login” and “” (intentionally misspelled in the query).

You can change the distance like this:

You can also use the fuzziness operator to do a proximity search where the terms in a phrase can have different/fuzzy distances from each other and don’t have to be in the defined order:


Numeric fields support range queries. Ranges in square brackets are inclusive, ranges in curly brackets are exclusive, and the two can even be combined:

As the process evolves, the ST segment elevation diminishes and the T waves invert. With an inferior myocardial infarction, it may require two weeks for the ST segments to return to the isoelectric line. ST segment elevation in the anterior chest leads may take even longer to resolve. T waves may remain inverted for months and, occasionally, the change is permanent. When the T waves initially invert they do so in a characteristic symmetrical fashion. If the T wave remains inverted indefinitely, the shape tends to become asymmetric.

ST segment depression may be apparent in leads remote to the area of acute infarction with ST segment elevation; this ST segment depression is termed reciprocal change (fig 15). Reciprocal changes occur in as many as 80% of patients with ST segment elevation and the degree of depression is frequently proportional to the degree of ST segment elevation. The reciprocal depression is usually most marked early in the disease process and resolves within 24 hours of the onset of symptoms in at least 50% of patients. The pathogenesis of reciprocal change is uncertain, perhaps involving inverse or reciprocal ST segment change from the area with acute infarction manifested by ST segment elevation. When seen in leads orientated at approximately 180 degrees to the area of infarction, these changes are thought to represent a “mirror image” of the injury pattern, hence the term “reciprocal”. This observation may be the explanation for the ST segment depression seen in lead aVL (−30 degrees) in association with ST segment elevation in lead III (+120 degrees), as these electrodes are directed opposite to each other. Reciprocal changes are most commonly seen with inferior myocardial infarction 4 where ST segment depression may be found in the right precordial chest leads (V1–V4). Here, the “mirror image” explanation is less convincing, especially when it is appreciated that the mean frontal plane (limb leads) and the horizontal plane (chest leads) have vectors which are oriented 90 degrees to each other. The pathogenesis of reciprocal changes has yet to be fully explained. “Mirror image” change may be one explanation, but it has also been shown that ST segment depression may occur as a result of ischaemia in an unrelated arterial territory; alternatively, reciprocal change may also result from extension of the infarction. 
Thus, ST segment depression in the right sided chest leads associated with an acute inferior myocardial infarction may be the result of posterior extension of the injury or ischaemia in the territory supplied by the left anterior descending artery.

Regardless of their cause, patients with an ECG demonstrating reciprocal changes have higher complication rates during the acute phase of their AMI and may gain particular benefit from thrombolysis. 8 11 Furthermore, the presence of reciprocal changes on the ECG is a highly sensitive indicator of AMI, with positive predictive values greater than 90%. An awareness of the significance of reciprocal changes can lead to greatly improved diagnostic accuracy, and is especially useful in patients with chest pain and ST segment elevation of uncertain cause, as seen in case 5 (fig 6).

Consider the following example. A user of a mapping application is zoomed in to the extent of Sydney, Australia, and types coffee in a search box.

Example: Using the isCollection property

In this example, note that isCollection = true for the first suggestion item, Coffee Shop. The text and magicKey for this item correspond to a search for places of POI category Coffee Shop within approximately 5,000 meters of a location in Sydney, Australia. The text and magicKey combinations of the rest of the items, for which isCollection = false, represent the names of coffee shops that are within 5,000 meters of the location.

When the text and magicKey combination of the item for which isCollection = true is sent to the geocoding service in a request, with maxLocations = 10, several different coffee shops are returned.

Example: Using suggest result in a request when isCollection=true

findAddressCandidates JSON response

It is important to note that if maxLocations=10 had not been explicitly passed in the request, then up to 50 candidates would have been returned, because the findAddressCandidates operation returns all matching candidates (up to the maximum allowed by the service) in the absence of the maxLocations parameter. Also note that the JSON response shown here has been truncated to preserve space.

If the text and magicKey combination of any of the items for which isCollection = false are passed in a findAddressCandidates request, only a single candidate is returned.

Example: Using suggest result in a findAddressCandidates request when isCollection=false

A developer can use the isCollection property to properly handle cases such as this in their application. Specifically, for cases where isCollection = true, the maxLocations parameter should be included in the corresponding findAddressCandidates request and set to 5 or greater. Often, there are more than 5 or even 10 matches for such cases, so consider implementing pagination in the application in order to show the user more results. For cases in which isCollection = false, the maxLocations parameter should be set to 1.

