  • A simple search
  • A complex search   
  • A search from the search history
  • A saved search

 

Simple Search Syntax

 The following table summarizes the simple search syntax:

 

Type | Description

Boolean 

AND – A and B matches events that contain both A and B

OR – A or B matches events that contain A or B

NOT – A and NOT (B or C) matches events that contain A but neither B nor C

Quotation Marks

Used to get an exact match of a term. Recommended when there is a key word (such as ( ), =, and, or, not, in, *, ?) within a searched term.

Example: "connection(1234) failure" -> returns events with an exact match to connection(1234) failure.

Parentheses

Used to unify a term result or to create precedence within search queries.

Examples:

a or (b in folder.my_folder) -> search for events that contain a, or events that contain b in sub folders and logs under the folder my_folder

a or b in folder.my_folder -> search for events that contain a or b in sub folders and logs under the folder my_folder

a and b or c -> the key word and takes precedence; this term is equivalent to (a and b) or c

a and (b or c) -> b or c is evaluated first; its result is then combined with a using and

Graph Area

Displays a graphic distribution of the events resulting from the search query.

Wildcards

May be placed anywhere in a search term:

* – *foo, foo*, f*oo, *foo*, *f*o*o* (* represents any characters, 0 or more times)

? – ?oo, fo?, f?o (? represents any character, exactly one time)

Search in specific log/folder/application/server

Search for a term in a specified log, folder, application, or server.

Examples:

error in log.my_log -> search for error only in logs whose name is my_log.
error in log.my* -> search for error only in logs whose name starts with my.

error in folder.my_folder -> search for error only in logs under folders whose name is my_folder.
error in folder.my* -> search for error only in logs under folders whose name starts with my.

error in host.my_host -> search for error only in logs whose source name is my_host.
error in host.my* -> search for error only in logs whose source name starts with my.
host.my_host is equivalent to server.my_host.

error in app.my_app -> search for error only in logs associated with applications whose name is my_app.

error in app.my* -> search for error only in logs associated with applications whose name starts with my.
app.my_app is equivalent to application.my_app.

Comparison Search (in a specific log column)

Search for events in which a specific column has a specific value.

Examples:

column_name=search_value -> search for events that have a column named column_name whose value equals search_value (relevant only for logs that have a column with that name).

column_name=search_value in log.my_log -> search for events in the log my_log that have a column column_name whose value equals search_value (relevant only if the log has a column with that name).

column_name contains search_value -> search for events that have a column named column_name whose value contains search_value (relevant only to logs that have a column with that name).

column_name contains search_value in log.my_log -> search for events in the log my_log which have a column column_name whose value contains the search_value (relevant only if the log has a column with that name).

Activate saved search

Activate a search that you previously saved.

search.search_name -> execute the saved search called search_name.
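
The following Python sketch is an added example, not the product's own code. It models the Boolean, quotation mark, parentheses and wildcard rules from the table above so that precedence and quoting can be checked against sample event lines. It assumes case-insensitive matching, whole-word matching for unquoted terms, and an error for queries it cannot parse; the in scoping and column comparison are left out.

```python
import re
from fnmatch import fnmatchcase

TOKEN = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')

def tokenize(query):                     # -> list of (kind, text) pairs
    toks = []
    for phrase, paren, word in TOKEN.findall(query.lower()):
        if paren or word in ("and", "or", "not"):
            toks.append(("op", paren or word))
        else:
            toks.append(("term", word) if word else ("phrase", phrase))
    return toks

def matches(query, event):
    """Return True if one event line satisfies the query."""
    toks, pos, text = tokenize(query), 0, event.lower()

    def take(*expected):                 # consume next token if it is expected
        nonlocal pos
        if pos < len(toks) and (not expected or toks[pos] in expected):
            pos += 1
            return toks[pos - 1]
    def binary(op, operand):             # left-associative chain of one key word
        value = operand()
        while take(("op", op)):
            rhs = operand()              # always parse the right-hand side
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    def unary():                         # not, parentheses, or a single term
        if take(("op", "not")):
            return not unary()
        kind, val = take() or ("op", "end of query")
        if (kind, val) == ("op", "("):
            value = expr()
            if not take(("op", ")")):
                raise ValueError("missing )")
            return value
        if kind == "op":
            raise ValueError("expected a term, got " + val)
        if kind == "phrase":             # quoted: exact match, key words inert
            return val in text
        pattern = val.replace("[", "[[]")   # only * and ? act as wildcards
        return any(fnmatchcase(w, pattern) for w in text.split())
    def expr():                          # and binds tighter than or
        return binary("or", lambda: binary("and", unary))

    result = expr()
    if pos < len(toks):
        raise ValueError("unexpected token: " + toks[pos][1])
    return result
```

In this model, an unquoted connection(1234) failure is rejected because the parentheses are read as grouping, which is the case the quotation mark rule addresses.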