Log Search

Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API, giving you visibility into your logs without the need to forward them to third-party services. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the dashboard or SQL API.

SQL queries supported

The diagram below displays the example sql grammar for SELECT statements as a railroad syntax diagram:

Any path from left to right forms a valid query. There is a limit of 25 predicates in the WHERE clause. Predicates can be grouped using parenthesis. If the LIMIT clause is not specified, then the default limit of 10,000 is applied. The maximum number for the LIMIT clause is 10,000. Results are returned in descending order by time.

Examples of queries include:

SELECT * FROM table WHERE (a = 1 OR b = "hello") AND c < 25.89
SELECT a, b, c FROM table WHERE d >= "GB" LIMIT 10

SELECT

The SELECT clause specifies the columns that you want to retrieve from the database tables. It can include individual column names, expressions, or even wildcard characters to select all columns.

FROM

The FROM clause specifies the tables from which to retrieve data. It indicates the source of the data for the SELECT statement.

WHERE

The WHERE clause filters the rows returned by a query based on specified conditions. It allows you to specify conditions that must be met for a row to be included in the result set.

GROUP BY

The GROUP BY clause is used to group rows that have the same values into summary rows.

ORDER BY

The ORDER BY clause is used to sort the result set by one or more columns in ascending or descending order.

LIMIT

The LIMIT clause is used to constrain the number of rows returned by a query. It is often used in conjunction with the ORDER BY clause to retrieve the top N rows or to implement pagination.

Use Log Explorer

You can filter and view your logs via the Cloudflare dashboard or the API.

Log in to the Cloudflare dashboard ↗ and select your account.
Go to Log Explorer > Log Search.
Select the Dataset you want to use and in Columns select the dataset fields. If you selected a zone scoped dataset, select the zone you would like to use.
Enter a Limit. A limit is the maximum number of results to return, for example, 50.
Select the Time period from which you want to query, for example, the previous 12 hours.
Select Add filter to create your query. Select a Field, an Operator, and a Value, then select Apply.
A query preview is displayed. Select Custom SQL to change the query.
Select Run query when you are done. The results are displayed below within the Query results section.

For example, to find an HTTP request with a specific Ray ID, go to Custom SQL, and enter the following SQL query:

SELECT
  clientRequestScheme,
  clientRequestHost,
  clientRequestMethod,
  edgeResponseStatus,
  clientRequestUserAgent
FROM http_requests
WHERE RayID = '806c30a3cec56817'
LIMIT 1

As another example, to find Cloudflare Access requests with selected columns from a specific timeframe you could perform the following SQL query:

SELECT
  CreatedAt,
  AppDomain,
  AppUUID,
  Action,
  Allowed,
  Country,
  RayID,
  Email,
  IPAddress,
  UserUID
FROM access_requests
WHERE Date >= '2025-02-06' AND Date <= '2025-02-06' AND CreatedAt >= '2025-02-06T12:28:39Z' AND CreatedAt <= '2025-02-06T12:58:39Z'

Save queries

After selecting all the fields for your query, you can save it by selecting Save query. Provide a name and description to help identify it later. To view your saved and recent queries, select Queries — they will appear in a side panel where you can insert a new query, or delete any query.

Integration with Security Analytics

You can also access the Log Explorer dashboard directly from the Security Analytics dashboard. When doing so, the filters you applied in Security Analytics will automatically carry over to your query in Log Explorer.

Optimize your queries

All the tables supported by Log Explorer contain a special column called date, which helps to narrow down the amount of data that is scanned to respond to your query, resulting in faster query response times. The value of date must be in the form of YYYY-MM-DD. For example, to query logs that occurred on October 12, 2023, add the following to your WHERE clause: date = '2023-10-12'. The column supports the standard operators of <, >, and =.

Log in to the Cloudflare dashboard ↗ and select your account.
Go to Log Explorer > Log Search > Custom SQL.
Enter the following SQL query:

SELECT
  clientip,
  clientrequesthost,
  clientrequestmethod,
  clientrequesturi,
  edgeendtimestamp,
  edgeresponsestatus,
  originresponsestatus,
  edgestarttimestamp,
  rayid,
  clientcountry,
  clientrequestpath,
  date
FROM
  http_requests
WHERE
  date = '2023-10-12' LIMIT 500

Additional query optimization tips

Narrow your query time frame. Focus on a smaller time window to reduce the volume of data processed. This helps avoid querying excessive amounts of data and speeds up response times.
Omit ORDER BY and LIMIT clauses. These clauses can slow down queries, especially when dealing with large datasets. For queries that return a large number of records, reduce the time frame instead of limiting to the newest N records from a broader time frame.
Select only necessary columns. For example, replace SELECT * with the list of specific columns you need. You can also use SELECT RayId as a first iteration and follow up with a query that filters by the Ray IDs to retrieve additional columns. Additionally, you can use SELECT COUNT(*) to probe for time frames with matching records without retrieving the full dataset.

FAQs

Which fields (or columns) are available for querying?

All fields listed in Log Fields for the supported datasets are viewable in Log Explorer. For filtering, only fields with simple values, such as those of type bool, int, float, or string are supported. Fields with key-value pairs are currently not supported. For example, you cannot use the fields RequestHeaders and Cookies from the HTTP requests dataset in a filter.

Why does my query not complete or time out?

Log Explorer performs best when query parameters focus on narrower ranges of time. You may experience query timeouts when your query would return a large quantity of data. Consider refining your query to improve performance.

Why don't I see any logs in my queries after enabling the dataset?

Log Explorer starts ingesting logs from the moment you enable the dataset. It will not display logs for events that occurred before the dataset was enabled. Make sure that new events have been generated since enabling the dataset, and check again.

My query returned an error. How do I figure out what went wrong?

We are actively working on improving error codes. If you receive a generic error, check your SQL syntax (if you are using the custom SQL feature), make sure you have included a date and a limit, and that the field you are filtering is not a key-value pair. If the query still fails it is likely timing out. Try refining your filters.

Where is the data stored?

The data is stored in Cloudflare R2. Each Log Explorer dataset is stored on a per-customer level, similar to Cloudflare D1, ensuring that your data is kept separate from that of other customers. In the future, this single-tenant storage model will provide you with the flexibility to create your own retention policies and decide in which regions you want to store your data.

Does Log Explorer support Customer Metadata Boundary?

Customer metadata boundary is currently not supported for Log Explorer.

Was this helpful?

Community
X
Discord
YouTube
GitHub