The text after events search / forwards search is a query over indexed fields. Scope with the --bucket / --forwarder flags — don’t put identifiers in the query (see Scope is enforced).
Request path. path: is rewritten to the indexed path_original — path:/stripe/webhook
response_status
Numeric HTTP response code — response_status:500
received_at
Ingest time (also the sort and --since/--until window field)
bucket_id, event_id
Stable identifiers (prefer --bucket for scoping)
request.*, response.*
Any JSON field in the captured body — request.type:charge.refunded
A bare word with no field: prefix searches the default fields only — path_original, request.body, response.body — not every field.
Don’t use status: in a query. The query layer rewrites it to a nested response.status field that won’t match the indexed response code. Use response_status: for the HTTP code on events search, and --failed to filter failed deliveries on forwards search.
Use flags for the common cases rather than query fields:
Flag
Filters by
--forwarder / -f
Forwarder ID, or name (name also requires --bucket)
--bucket / -b
Bucket slug or ID
--event
A single event_id
--failed
Failed deliveries — the reliable failure filter
--since / --until
Time window (RFC3339 or a duration like 1h)
--failed is the correct way to find failures. A free-text status:FAILED is rewritten and will not match the delivery status field. Default bare-word search covers path_original, target_url, request.body, response.body, and error_message.
expect and tail watch events as they arrive, before they’re indexed. They take a small, exact-match filter — not the search grammar above.
Flag
Matches
--bucket / -b
Bucket slug or ID (required)
--path
Path, shell-glob style (--path '/stripe/*')
--method
HTTP method (case-insensitive)
--filter
A field:value term over method, path, content_type, event_id, bucket_id
Wildcards in --path use shell-glob matching (*, ?, […]) against the literal path — different from the tokenized wildcards of indexed search. Usage is covered in Wait for events.
events search, forwards search, and the list commands paginate with --cursor. Read the cursor off each response and pass it back to get the next page.
Forward-only. Each response carries next_cursor; there is no backward cursor. Stop when has_more is false.
Bound to the query and window. The cursor encodes a hash of the exact query plus --since/--until. Change the query, bucket, forwarder, or window and the old cursor is rejected with validation_failed — “stale or invalid cursor; re-run the search.”
Replayable, not single-use. A cursor has no expiry or one-time semantics — re-sending it returns the same page. Treat it as “page N of this exact query,” not a token you can only spend once.