Filtering Logs¶
quellog provides filtering to analyze specific subsets of PostgreSQL logs.
Input Sources¶
Log Files¶
Analyze log files from disk:
Standard Input¶
Read logs from stdin using -:
# From a pipe
tail -f /var/log/postgresql/postgresql.log | quellog -
# From command output
kubectl logs postgres-pod | quellog -
# From bzip2 archives (gzip handled natively)
bzcat logs.bz2 | quellog -
Format detection works automatically for stdin.
Time-Based Filtering¶
--begin¶
Analyze entries after a specific datetime.
Format: YYYY-MM-DD HH:MM:SS
--end¶
Analyze entries before a specific datetime.
Format: YYYY-MM-DD HH:MM:SS
Time Window¶
Combine --begin and --end for a specific time range:
# 1-hour window
quellog /var/log/postgresql/*.log \
--begin "2025-01-13 14:00:00" \
--end "2025-01-13 15:00:00"
Give --begin and --end in the same timezone as the timestamps in your PostgreSQL logs.
--last (-L)¶
Analyze entries from the last N, where N is a duration counted back from now. The end time is automatically set to now and the begin time to now minus the duration.
# Last hour
quellog /var/log/postgresql/*.log --last 1h
# Last 30 minutes
quellog /var/log/postgresql/*.log --last 30m
# Last 24 hours
quellog /var/log/postgresql/*.log -L 24h
# Last 2 hours and 15 minutes
quellog /var/log/postgresql/*.log --last 2h15m
Valid duration units: h (hours), m (minutes), s (seconds).
Note: --last cannot be combined with --begin, --end, or --window.
Use Cases¶
| Scenario | Command |
|---|---|
| Recent production issue | --last 1h |
| Daily morning review | --last 24h |
| Real-time monitoring | tail -f *.log \| quellog - --last 5m |
| Specific time range | --begin "..." --end "..." |
Attribute-Based Filtering¶
--dbname (-d)¶
Filter by database name. Can be specified multiple times.
# Single database
quellog /var/log/postgresql/*.log --dbname production
# Multiple databases
quellog /var/log/postgresql/*.log --dbname app_db --dbname analytics_db
--dbuser (-u)¶
Filter by database user. Can be specified multiple times.
# Single user
quellog /var/log/postgresql/*.log --dbuser app_user
# Multiple users
quellog /var/log/postgresql/*.log --dbuser app_user --dbuser batch_processor
--appname (-N)¶
Filter by application name. Can be specified multiple times.
# Single application
quellog /var/log/postgresql/*.log --appname web_server
# Multiple applications
quellog /var/log/postgresql/*.log --appname api_server --appname background_worker
--exclude-user (-U)¶
Exclude specific users from analysis. Can be specified multiple times.
# Exclude monitoring users
quellog /var/log/postgresql/*.log --exclude-user health_check --exclude-user powa
Combining Filters¶
All filters can be combined:
# Production database, specific user, during business hours
quellog /var/log/postgresql/*.log \
--dbname production \
--dbuser app_user \
--begin "2025-01-13 09:00:00" \
--end "2025-01-13 17:00:00"
# Multiple databases, exclude monitoring, specific time window
quellog /var/log/postgresql/*.log \
--dbname app_db \
--dbname analytics_db \
--exclude-user powa \
--exclude-user temboard \
--begin "2025-01-13 00:00:00" \
--end "2025-01-13 23:59:59"
Filter Logic¶
- Multiple values of the same type use OR logic: --dbname db1 --dbname db2 matches db1 OR db2
- Different types use AND logic: --dbname production --dbuser app_user matches production AND app_user
Example: --dbname db1 --dbname db2 --dbuser user1 matches entries where database is (db1 OR db2) AND user is user1.
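To check which entries a filter combination should select before trusting a filtered report, the rules above can be modelled independently. The following is an added example, not quellog's own code: the function names, the sample log lines and the log_line_prefix are constructed, and it assumes inclusive --begin/--end bounds and that --exclude-user removes a user even when other filters match.

```shell
#!/bin/sh
# Added example: a model of the documented filter semantics, not quellog's code.
# Constructed entries; assumes log_line_prefix = '%t [%p]: user=%u,db=%d,app=%a '.
sample_log() {
cat <<'EOF'
2025-01-13 08:59:58 UTC [101]: user=app_user,db=production,app=web_server LOG:  duration: 12.1 ms
2025-01-13 09:15:02 UTC [102]: user=app_user,db=production,app=web_server LOG:  duration: 48.7 ms
2025-01-13 10:30:40 UTC [103]: user=powa,db=app_db,app=powa LOG:  duration: 3.0 ms
2025-01-13 11:05:11 UTC [104]: user=batch_processor,db=analytics_db,app=background_worker LOG:  duration: 950.2 ms
2025-01-13 16:59:59 UTC [105]: user=health_check,db=production,app=monitor LOG:  duration: 0.4 ms
2025-01-14 00:00:03 UTC [106]: user=app_user,db=app_db,app=api_server LOG:  duration: 7.9 ms
EOF
}

# match_entries DBNAMES DBUSERS EXCLUDED_USERS BEGIN END
# Lists are comma-separated; an empty argument means the filter is not set.
match_entries() {
  awk -v dbs="$1" -v users="$2" -v excl="$3" -v lo="$4" -v hi="$5" '
    # 1 = value is in list, 0 = not in list, -1 = list empty (filter not set)
    function in_list(v, list,    n, a, i) {
      if (list == "") return -1
      n = split(list, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == v) return 1
      return 0
    }
    {
      ts = $1 " " $2                       # YYYY-MM-DD HH:MM:SS sorts as a string
      user = ""; db = ""
      if (match($0, /user=[^, ]*/)) user = substr($0, RSTART + 5, RLENGTH - 5)
      if (match($0, /db=[^, ]*/))   db   = substr($0, RSTART + 3, RLENGTH - 3)
      if (lo != "" && ts < lo) next        # assumption: bounds are inclusive
      if (hi != "" && ts > hi) next
      if (in_list(db, dbs) == 0)     next  # OR within the --dbname values
      if (in_list(user, users) == 0) next  # AND across filter types
      if (in_list(user, excl) == 1)  next  # assumption: exclusion always wins
      print
    }'
}

# Second "Combining Filters" command from this page, applied to the sample.
sample_log | match_entries "app_db,analytics_db" "" "powa,temboard" \
  "2025-01-13 00:00:00" "2025-01-13 23:59:59"
```

Only entry [104] survives: [103] is in app_db but belongs to an excluded user, and [106] falls after the end bound.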
Next Steps¶
- Filter report sections to display only specific sections
- Understand the default report output
- Analyze SQL performance with filters