Logs are messy, especially in cloud-native systems where structure is an afterthought. CtrlB was built for that reality; its schema-less, on-demand data lake lets you search anything. But just because you can throw everything into a query doesn't mean you should.

Query optimisation isn’t about limiting your power; it’s about getting to the answer faster. Whether you’re debugging a spike in status 500 requests, tracing a flaky deployment, or chasing an elusive edge-case bug, how you write your query directly impacts how quickly you get clarity.

Here’s how to do it well:

1. Think Narrow First, Broad Later

The biggest mistake engineers make is starting broad:

error

It technically works, but it’s slow, noisy, and rarely actionable. Instead, lead with what you already know: the service, environment, log level, and status code. Narrow first with filters; you’ll make both engine and brain work less.

Example:

service="auth" AND env="prod" AND level="error"

This approach lets the engine prune irrelevant data before diving into a more expensive text search.

Query Example

body contains “error”

Result: Slow, noisy, overwhelming

Query Example

service="auth" AND env="prod" AND level="error" AND "token expired"

Result: Focused, fast, actionable

2. Embrace Structure, Even in Unstructured Logs

Your logs may not have a strict structure, but CtrlB parses fields on the fly, so use them! Query with fields like status, user_id, or request_path. You don’t need to clean or pre-index logs in advance. Treat logs more like a database: query with fields, not just strings.

Pro Tip: Use the Attributes Panel to auto-add fields to your query. Check the boxes next to fields (like status=500), and CtrlB automatically groups and connects them for you. No typos, no guesswork, just relevant filters.

3. Avoid Accidental Full Scans

Wildcards and NOT logic are tempting but expensive:

• timeout → forces full-text scan, slows everything down.
• status != 200 → no pre-filtering; checks every log entry.

Phrase your logic to say what you want, not just what you don’t want.

Example:

• Rather than: status != 200
• Prefer: status = 500 OR status = 404
  

4. Use Specificity for Diagnosis

When drilling into an issue, be surgical:

service="auth" AND env="staging" AND level="error" AND "unauthorized"

Start with the broadest field filters you know, then add specific terms as you learn more.

5. Time Ranges Are Everything

Logs accrue fast. Searching “everything” means scanning terabytes, unscalable! Always scope your query to a relevant time window.

@timestamp > now - 30m

Narrow your time window whenever possible. Ask: When exactly did this happen? Zoom in accordingly.

Pro Tip: CtrlB’s bar-graph timeline makes this even easier. Drag across a spike or dip to instantly set your query time range, speeding up RCA.

6. Trace It Back

One of CtrlB’s superpowers is trace-log correlation. When a log looks suspicious, click into its trace to see the upstream and downstream context, other services, related logs, and response times. Instead of running 10 separate queries, one trace might answer them all.

Pro Tip: In the Side Panel, open the “Surrounding” tab to view the five logs immediately before and after your selected entry, perfect for finding root causes or effects in event chains.

7. Explore & Customise Your Results

After running a query:

• Expand rows to see full log texts inline.
• Add columns for any field you care about (e.g., user_id, endpoint).
• Customise the Summary column to show combined key values (useful for scanning high-cardinality data at a glance).
  

Pro Tip: Most actions (add/remove filters, columns) can be done from the Side Panel with a single click (+ to add a filter, – to exclude, table icon to add a column)

8. Stay Synced and Collaborate

CtrlB keeps panels, filters, and tables in sync. Save queries, copy dashboard permalinks, and share context instantly with your team for faster triage and learning. For sensitive data, fine-grained access controls in Settings keep your logs secure and your audit posture tight.

Quick Checklist: Smarter Querying in CtrlB

• Start with fields, not keywords.
• Always set a reasonable time range.
• Phrase logic for what you want, not just what you don’t.
• Leverage UI tools to save time and reduce errors.
• Share the knowledge: save queries, share links, and collaborate securely.
  

Final Thought:
Great queries are like great questions: specific, contextual, and always refined by what you already know. Optimizing your approach in CtrlB gets you to answers faster and helps your team improve, together.