Simple Searches
XpoSearch enables you to retrieve specific events from indexed event logs by writing a search query in the XpoSearch search syntax and then running the search. This is an extremely useful tool for investigating the cause of problems in your system. You can also limit any search to events that occurred during a specific time period.
Selecting the Search Time Period
Time plays a very important role in the examination of the cause of a system problem.
Although you can run a search on events that occurred at any time, this wastes system resources, and usually results in an overwhelming number of events that are difficult for you to manage and analyze.
Therefore, XpoSearch enables you to run a search on a specific time period, so that you can narrow your results, and facilitate determining the root cause of the problem. You can select a predefined time period, or customize the time period by selecting the start and end dates and times of the time period.
To select the time period of the search:
In the Search Query Panel, in the Search Time Range textbox, click the down arrow.
A list of selectable time periods opens.
From the list of time periods, select a predefined time period (All Time (all times in the log), Last 15 Minutes, Last 30 Minutes, Last 60 Minutes, Last 3 Hours, Last 12 Hours, Last 24 Hours, Last 7 Days, Last 14 Days, Last 1 Month, Last 3 Months, Last Week, This Week, Yesterday, or Today), or select Custom to specify your own time period (see Customizing the Search Time Period for a detailed explanation on customizing the time period).
The selected time period is displayed in the textbox, and the search runs on this time period.
Creating a Search Query
You can create a search query using the search syntax supplied by XpoLog for simple searches:
Simple terms search
Boolean search
Search with wildcards
Comparison search
Search in a specific log, folder, application, or server
Activate a saved search by its name
Searching for Simple Terms
The simplest type of search is one that searches for terms in your log events. This includes the following:
Searching for a single word that appears anywhere in the event.
Example: Typing error searches for all events containing the word error.
Searching for two or more words that appear in an event, exactly in the order that you typed them.
Example: Typing error log only searches for events having the words error and log adjacent to each other in the event.
Searching for keywords in an event, by enclosing the words in quotes. These keywords can be Boolean operators or saved words.
Example: If you want to search for the word NOT in an event, and do not want it to be misinterpreted as the Boolean operator NOT, you should enclose it in quotes: "NOT".
XpoSearch also provides the autocomplete feature. As you type the search query, a dropdown list of other search queries that you have created in the past and that begin with these characters is displayed, as relevant. If one of these search queries is the one that you want to run, you can simply select it instead of retyping the entire search query.
Boolean Search
XpoLog provides three Boolean operators for your use: OR, AND, NOT, evaluated in a search query in that order of precedence. These operators must be capitalized. It is also possible to change the default order of precedence by enclosing in parentheses the part of the search term that you want evaluated first.
Example: Searching for end process OR start process returns all events containing either the phrase end process or the phrase start process.
Note: If you want to search in an event for any words that are the same as Boolean operators, you should enclose them in quotes, so that they are not mistaken for the Boolean operator.
Searching with Wildcards
XpoSearch provides two wildcards:
? – used in a search term to represent a single alphanumeric character.
Example: Typing http ?00 returns http 100, http 200, ..., and http 900. It does not return http 2000, as the ? only replaces a single character.
* – used in a search term to represent zero or more alphanumeric characters. A search term consisting only of * returns all events, up to the maximum allowed by the system.
Example: Typing http *00 returns all events beginning with http and ending with 00, such as http 300, http 3000, and http 500.
Searching in a Specific Log/Folder/AppTag/Server
XpoSearch enables searching events in all event logs of the system, regardless of their source, or only in event logs that come from a specific source, as follows:
Log – a specific log
Folder – logs in a specific folder
AppTag – logs of a specific application
Server – logs from a specific server
It is also possible to exclude sources by using NOT before the IN keyword. Note that the "included" sources must be specified first, and then the excluded sources.
To search in multiple sources, or to exclude several sources, specify a comma separated list.
Examples:
Running a search for error in log.my_log returns events only from the log named my_log that include the word error, regardless of where this log resides.
Running a search for error in log.X in folder.Y returns events only from event log X that resides in folder Y.
Running a search for error in log.X, log.Y returns events from event log X and event log Y, regardless of where they reside.
Running a search for error in folder.XPLG not in log.xpologlog, log.memory returns events from all logs that reside in folder XPLG but not from the logs xpologlog and memory.
Running a search for error in folder.XPLG not in folder.dump returns events from all logs that reside in folder XPLG, but not from logs that reside under the dump folder.
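The source-scoping rules illustrated by the examples above (a comma separated list is a set of alternatives, stacked in clauses narrow each other, and not in removes sources after the included ones) can be exercised offline with the following added example. It is not XpoLog code. It assumes that each event carries its source as log, folder, apptag and server attributes, that source names contain no spaces or commas, and that the term is matched case-insensitively as a substring; the sample events are constructed for the demonstration.

```python
import re

# Constructed sample events with their source metadata (illustrative, not XpoLog data).
EVENTS = [
    {"text": "error: disk full",         "log": "xpologlog", "folder": "XPLG"},
    {"text": "error: out of memory",     "log": "memory",    "folder": "XPLG"},
    {"text": "error: connection reset",  "log": "access",    "folder": "XPLG"},
    {"text": "error: heap dump written", "log": "heap",      "folder": "dump"},
    {"text": "info: server started",     "log": "access",    "folder": "XPLG"},
]

# A source reference is <type>.<name>; a name ends at whitespace or a comma (assumption).
_REF = re.compile(r"\b(log|folder|apptag|server)\.([^\s,]+)")
# <term> [in <sources>] [not in <sources>]; the 'in' part may hold several clauses.
_SCOPE = re.compile(r"^(.*?)(?:\s+in\s+(.*?))?(?:\s+not\s+in\s+(.*))?$")


def parse_scope(query):
    """Split a query into (term, included_groups, excluded).

    included_groups holds one group per 'in' clause; each group is the list of
    (type, name) references from that clause's comma separated list.
    """
    m = _SCOPE.match(query.strip())
    term, inc, exc = m.group(1), m.group(2) or "", m.group(3) or ""
    groups = [_REF.findall(part) for part in re.split(r"\s+in\s+", inc) if part]
    return term, groups, _REF.findall(exc)


def _from(event, ref):
    kind, name = ref
    return event.get(kind) == name


def in_scope(event, included, excluded):
    """OR inside a comma list, AND across 'in' clauses, then drop excluded sources."""
    if not all(any(_from(event, r) for r in group) for group in included):
        return False
    return not any(_from(event, r) for r in excluded)


def search(query, events=EVENTS):
    """Return the text of every event whose source is in scope and contains the term."""
    term, included, excluded = parse_scope(query)
    return [e["text"] for e in events
            if term.lower() in e["text"].lower() and in_scope(e, included, excluded)]


if __name__ == "__main__":
    for q in ("error in log.memory",
              "error in log.access in folder.XPLG",
              "error in folder.XPLG not in log.xpologlog, log.memory",
              "error not in folder.dump"):
        print(q, "->", search(q))
```

The order of the include and exclude parts is enforced by the pattern itself: an exclusion written before the inclusion does not parse as a scope, which mirrors the note above that the included sources come first.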
Column-based Search
You can run a column-based search on event data, to extract only those events which have a specific column that meets the comparison criteria. This is done by creating a search that compares a specific column to a specific value, using the comparison operators defined in the following table.
Operator | Definition | Example |
---|---|---|
= | Equals | column_name = x returns all events with column_name value exactly equal to x. |
!= | Not equals | column_name != x returns all events with column_name value not equal to x. |
> | Greater than; for numerical fields only | column_name > x returns all events with column_name value greater than x. |
< | Less than; for numerical fields only | column_name < x returns all events with column_name value less than x. |
contains | Checks whether a column contains a specific value | column_name contains x returns all events whose column_name contains the value x. |
NULL | Finds empty or populated columns | column_name = NULL returns all events that have no value in column_name. column_name != NULL returns all events that have a value in column_name. |
NOT | Excludes events that have a specific value in a specific column | NOT (column_name contains error) returns all events that do not have error in column_name. |
Example: Typing Priority != Error returns all events that do not have the value Error in the Priority column.
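The comparison operators in the table above can be exercised offline with the following added example, which is not XpoLog code. It assumes that events have already been split into named columns held as strings, that a missing column behaves like an empty one for the NULL checks, and that > and < silently skip events whose column value is not numeric (the table limits those operators to numerical fields); the sample events and column names are constructed for the demonstration.

```python
import re

# Constructed sample events already split into columns (illustrative, not XpoLog data).
EVENTS = [
    {"Priority": "Error",   "Status": "500", "User": "alice", "Message": "db error: timeout"},
    {"Priority": "Warning", "Status": "404", "User": "",      "Message": "not found"},
    {"Priority": "Info",    "Status": "200", "User": "bob",   "Message": "ok"},
    {"Priority": "Error",   "Status": "abc", "User": "carol", "Message": "parse error"},
]


def parse(expr):
    """Parse 'column op value' or 'NOT (column op value)' into (negate, column, op, value)."""
    expr = expr.strip()
    negate = False
    m = re.match(r"^NOT\s*\((.*)\)$", expr)
    if m:
        negate, expr = True, m.group(1).strip()
    m = re.match(r"^(\w+)\s*(!=|=|>|<|contains)\s*(.+)$", expr)
    if not m:
        raise ValueError("unrecognised comparison: " + expr)
    return negate, m.group(1), m.group(2), m.group(3).strip()


def _to_number(text):
    try:
        return float(text)
    except ValueError:
        return None


def evaluate(expr, event):
    """Return True when the event satisfies the comparison."""
    negate, column, op, value = parse(expr)
    actual = event.get(column)            # None when the column does not exist (assumption)
    if value.upper() == "NULL":           # '= NULL' means empty, '!= NULL' means populated
        empty = actual is None or actual == ""
        result = empty if op == "=" else not empty
    elif op == "=":
        result = actual == value
    elif op == "!=":
        result = actual != value
    elif op == "contains":
        result = actual is not None and value in actual
    else:                                 # > and < compare numerically; non-numeric values never match
        a, b = _to_number(actual or ""), _to_number(value)
        result = (a is not None and b is not None and
                  (a > b if op == ">" else a < b))
    return (not result) if negate else result


def select(expr, events=EVENTS):
    """Return the Message column of every event matching the comparison."""
    return [e["Message"] for e in events if evaluate(expr, e)]


if __name__ == "__main__":
    for q in ("Priority != Error", "Status > 400", "User = NULL",
              "NOT (Message contains error)"):
        print(q, "->", select(q))
```

Note the fourth sample event: its Status column holds a non-numeric value, so Status > 400 does not return it even though a string comparison would have; this is the reason the table restricts > and < to numerical fields.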
Regular Expression Search
XpoLog enables you to search in events for values matching a regular expression pattern.
There are two ways to search based on a regular expression:
Simple regular expression search:
The simple regular expression search is limited to a complete match of the regular expression term in the data; partial values will not be detected.
Specify the keyword regexp followed by a colon, and then enter the regular expression to search for:
regexp: [REGULAR_EXPRESSION]
For example: regexp:\d+ in log.access --> will return all events that contain numbers.
Advanced regular expression search:
This function allows a much more comprehensive regular expression based search:
<search_query> | regexext ([REGULAR_EXPRESSION]) <optional_comma_separated_columns>
<optional_comma_separated_columns> = a comma separated list of log columns names to search only in them.
The result shows the matched value(s), the complete event in which the value appears, and details of the log (source server, apptag, log, folder and log path, etc.).
Note that XpoLog looks for an exact match (=) of the regular expression against one of the log columns, not a partial match (contains). To get contains behaviour, wrap the regular expression with .* before and after the expression to be found. For example:
* in log.access | regexext (\d+\.\d+\.\d+\.\d+) --> will return all events for which one of the fields is exactly an IP address.
* in log.access | regexext (.*\d+\.\d+\.\d+\.\d+.*) --> will return all events for which one of the fields contains an IP address.
Example: Typing regexp:\d+ in log.access searches for numbers in events.
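The two matching rules that trip people up in this section and in the wildcard section above (? and * stand for alphanumeric characters only, and regexext needs a whole-column match unless the expression is wrapped in .*) can be checked offline with the following added example. It is not XpoLog code. It assumes that a wildcard term is matched against a whole run of alphanumeric characters inside the event text, that "alphanumeric" means [A-Za-z0-9], and that regexext receives events already split into named columns; the sample events, column names and the IP pattern are constructed for the demonstration.

```python
import re

# Constructed raw event lines for the wildcard search (illustrative, not XpoLog data).
LINES = [
    "GET /index.html http 200",
    "GET /big.bin http 2000",
    "POST /login http 500",
    "client 10.0.0.1 connected",
]

# Constructed events split into columns for regexext (illustrative, not XpoLog data).
COLUMNS = [
    {"client": "10.0.0.1", "message": "connected"},
    {"client": "-",        "message": "client 192.168.1.5 timed out"},
]

IP = r"\d+\.\d+\.\d+\.\d+"   # the IP pattern from the text above

ALNUM = r"[A-Za-z0-9]"       # assumed meaning of "alphanumeric" for ? and *


def wildcard_to_regex(term):
    """Translate an XpoSearch term: '?' is one alphanumeric character, '*' is zero or more.

    Everything else is literal, and the whole term must sit on its own between
    non-alphanumeric characters, so 'http ?00' cannot match inside 'http 2000'.
    """
    parts = []
    for ch in term:
        if ch == "?":
            parts.append(ALNUM)
        elif ch == "*":
            parts.append(ALNUM + "*")
        else:
            parts.append(re.escape(ch))
    return r"(?<!" + ALNUM + ")" + "".join(parts) + r"(?!" + ALNUM + ")"


def wildcard_search(term, lines=LINES):
    """Return every line in which the wildcard term matches."""
    pattern = re.compile(wildcard_to_regex(term))
    return [line for line in lines if pattern.search(line)]


def regexext(pattern, events=COLUMNS, columns=None):
    """Return the first column value of each event that the pattern matches completely.

    re.fullmatch reproduces the exact-match rule described above; wrap the pattern
    in .* to get contains behaviour. 'columns' restricts the search to those names.
    """
    rx = re.compile(pattern)
    hits = []
    for event in events:
        for name, value in event.items():
            if columns and name not in columns:
                continue
            m = rx.fullmatch(value)
            if m:
                hits.append(m.group(0))
                break
    return hits


if __name__ == "__main__":
    print("http ?00 ->", wildcard_search("http ?00"))
    print("http *00 ->", wildcard_search("http *00"))
    print("exact    ->", regexext(IP))
    print("contains ->", regexext(".*" + IP + ".*"))
```

Note that with the .* wrapping the matched value reported for the second event is the entire message column, not just the address inside it, because the whole column is what the wrapped expression now matches.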
Searching Special Chars in a Search
XpoLog enables you to search special characters in the search:
Wrap the searched term with "quotes"
Use a backslash (\) before a specific character so that it is treated as a literal value to be searched for
Example: If the message contains a special char like {} it can be searched by \{\} in log.LOG_NAME.
Combined Searches
XpoLog supports running different specific queries on different log(s).
This option may be used when searching for specific values in specific log(s) and other specific values in other log(s). Multiple queries are supported by separating different search queries by OR:
<search_query_1> in log/folder/server/apptag.<name> OR <search_query_2> in log/folder/server/apptag.<name> OR <search_query_3> in log/folder/server/apptag.<name>
Activating a Saved Search
XpoLog enables you to save any search query so that you can easily run it at a later time. You can either activate the saved search by selecting its name from a list of saved searches (see Running a Saved Search) or you can type search.search_name in the search query to run the saved search called search_name.
Example: Typing search.error_search activates the saved search named error_search.