The Search Query Panel user interface includes the following elements:

 

Element – Description

[icon] / [icon] – Close/Open Augmented Search.
By default, the Augmented Search Pane is open. Clicking the [icon] button closes the pane; clicking the [icon] button opens the pane.

[icon] / [icon] – Search Status icon

[icon] indicates that the search is in progress; [icon] indicates that the search is complete.

Search Query Area for typing a simple or complex search query, or for activating a saved search query.
Actions

Opens a menu, which provides the following actions that can be performed on the search:

  • Save Search – selecting this item saves the search query in the system.
  • Save Monitor – selecting this item saves the search query as a monitor.
  • Export to PDF – selecting this item saves the search query and results in a PDF file.

Search Options icon

Clicking this icon displays a window with four tabs:

  • Search History – selecting this tab opens a window that displays your recent and popular searches.
  • Saved Searches – selecting this tab opens a window with a listing of the names of the searches that you saved.
  • Simple Search Syntax – this tab is open when the window is displayed; it lists the syntax that you can use to formulate a simple search.
  • Complex Search Syntax – selecting this tab opens a window which lists the syntax that you can use to formulate a complex search.
Time Period

Enables searching for events that occurred during a specific time period.

Selectable time periods include:

  • The entire time that the log exists: All time
  • Predefined time periods: Last hour, Last 12 hours, Last 24 hours, Last 3 days, Last 7 days, Last 2 weeks, Last 3 weeks, Last 4 weeks, Last 3 months, Last 6 months, Last 12 months
  • Customized time periods: Custom
Go button

Clicking this button commences a search.

 Simple Search Syntax

...

Type – Description

Boolean

AND – A and B matches events that contain A and B.

OR – A or B matches events that contain A or B.

NOT – A and NOT (B or C) matches events that contain A but not B or C.

Quotation Marks

Used to get an exact match of a term. Recommended when there is a key word (such as ( ), =, and, or, not, in, *, ?) within a searched term.

Example: "connection(1234) failure" -> returns events with an exact match to connection(1234) failure.

Parentheses

Used to unify a term result or to create precedence within search queries.

Examples:

a or (b in folder.my_folder) -> searches for events that contain a, or events that contain b in sub folders and logs under the folder my_folder.

a or b in folder.my_folder -> searches for events that contain a or b in sub folders and logs under the folder my_folder.

a and b or c -> precedence is given to the key word and; this term is equivalent to (a and b) or c.

a and (b or c) -> precedence is given to b or c; its result is then combined with a using and.

Wildcards

May be placed anywhere in a search term:

*foo, foo*, f*oo, *foo*, *f*o*o* (* represents any characters, 0 or more times)

?oo, fo?, f?o (? represents any character, exactly one time)
Search in a specific log/folder/application/server

Searches for a term in a specified log, folder, application, or server.

Examples:

error in log.my_log -> searches for error only in logs whose name is my_log.
error in log.my* -> searches for error only in logs whose name starts with my.

error in folder.my_folder -> searches for error only in logs under folders whose name is my_folder.
error in folder.my* -> searches for error only in logs under folders whose name starts with my.

error in host.my_host -> searches for error only in logs whose source name is my_host.
error in host.my* -> searches for error only in logs whose source name starts with my.
host.my_host is equivalent to server.my_host.

error in app.my_app -> searches for error only in logs associated with applications whose name is my_app.

error in app.my* -> searches for error only in logs associated with applications whose name starts with my.
app.my_app is equivalent to application.my_app.

Column-based Search

Searches for events that have a specific value in a specific column of the log.

Examples:

column_name=search_value -> searches for events that have a column named column_name whose value is equal to search_value (relevant only for logs that have a column with that name).

column_name=search_value in log.my_log -> searches for events in the log my_log that have a column column_name whose value is equal to search_value (relevant only if the log has a column with that name).

column_name contains search_value -> searches for events that have a column named column_name whose value contains search_value (relevant only to logs that have a column with that name).

column_name contains search_value in log.my_log -> searches for events in the log my_log that have a column column_name whose value contains search_value (relevant only if the log has a column with that name).

 Regular expression search

Searches in events for values represented by regular expressions.

Example:

regexp:\d+ in log.access -> searches for numbers in events.

 Activate saved search

Activates a search that you previously saved.

search.search_name -> executes the saved search called search_name.
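
The Boolean, quotation-mark, parentheses and wildcard rules listed above can be checked against sample events before a query is saved as a monitor. The following is an added example, not the product's own parser: the function names and the sample events are constructed, term matching is assumed to be case-insensitive containment, and the `in log.`, column and `regexp:` forms are not handled.

```python
import re

EVENTS = [  # constructed sample events, not from a real log
    "10:00:00 ERROR connection(1234) failure on db01",
    "10:00:05 WARN timeout on web01",
    "10:00:09 INFO login ok for user foo",
]

def term_matches(term, event):
    # Assumption: case-insensitive containment; '*' = 0+ chars, '?' = exactly one.
    if term.startswith('"'):  # quoted: exact text, key words and ( ) are literal
        return term[1:-1].lower() in event.lower()
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term)
    return re.search(rx, event, re.IGNORECASE) is not None

def matches(query, event):
    """Evaluate a simple query: not binds tightest, then and, then or."""
    tokens = re.findall(r'"[^"]*"|[()]|[^\s()]+', query)
    pos = 0
    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("query ended unexpectedly")
        pos += 1
        return tokens[pos - 1]
    def parse(level):  # level 0 = or, 1 = and, 2 = not / parentheses / term
        if level == 2:
            if peek() == "not":
                take()
                return not parse(2)
            if peek() == "(":
                take()
                value = parse(0)
                if take() != ")":
                    raise ValueError("missing )")
                return value
            return term_matches(take(), event)
        value = parse(level + 1)
        while peek() == ("or", "and")[level]:
            take()
            rhs = parse(level + 1)  # always parse the right side to advance
            value = (value or rhs) if level == 0 else (value and rhs)
        return value
    result = parse(0)
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return result
```

For the third sample event, `matches("error and db01 or login", ...)` is true while `matches("error and (db01 or login)", ...)` is false, which is the precedence difference the parentheses examples describe.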

...