Simple Search Examples

The following table contains examples of simple search queries:

Query

Explanation 

 *

Searches in all logs for all log events.

Information

Searches in all logs for log events that contain the term Information.

Service Control Manager

Searches in all logs for log events that contain the phrase Service Control Manager.

"error is not caused by database"

Searches in all logs for log events that contain the exact phrase error is not caused by database.

Note: Quotes are usually used when the search term/phrase contains a reserved word or one of the following keywords used by the search syntax: ( ) = and or not in * ?

If this search query were not enclosed in quotes, it would be misinterpreted as (error is) not (caused by database).

error or exception

Searches in all logs for log events that contain the term error or exception.

error or exception or fail*

Searches in all logs for log events that contain the term error or exception or any word beginning with fail (such as fail, fails, failed, failure).

Service Control Manager OR Microsoft-Windows-Security-Auditing

Searches in all logs for log events that contain either of the following phrases: Service Control Manager or Microsoft-Windows-Security-Auditing.

Service Control Manager AND WinHTTP

Searches in all logs for log events that contain the phrase Service Control Manager and the term WinHTTP.

Service Control Manager AND NOT WinHTTP

Searches in all logs for log events that contain the phrase Service Control Manager but do not contain the term WinHTTP.

Service Control Manager and NOT (WinHTTP OR Multimedia)

Searches in all logs for log events that contain the phrase Service Control Manager but contain neither the term WinHTTP nor the term Multimedia.

703? 

Searches in all logs for log events that contain the term 703, followed by a single character.

Note: The ? symbol stands for any single character that appears in its location in the term; for example: 7030, 7031, and 703A. The ? symbol can be placed anywhere in the search term (e.g. ?703, 70?3, 703?).

Ser*

Wildcard usage: searches in all logs for log events that contain the term Ser, followed by zero or more characters.

Note: The * symbol stands for zero or more characters that appear in its location; for example: Ser, Server, and Service. The * symbol can be placed anywhere in the search term (e.g. *Ser, Se*r, and Ser*).

Type = Information

Searches in all logs for log events in which the value in column Type is the term Information.

Type != Information

Searches in all logs for log events in which the value in column Type is not the term Information.

Type contains Information

Searches in all logs for log events in which the value in column Type contains the term Information.

Type contains Informatio?

Searches in all logs for log events in which the value in column Type contains the term Informatio, followed by a single character.

Type contains Inform*

Searches in all logs for log events in which the value in column Type contains the term Inform, followed by zero or more characters.

URL contains (/website/moe/html and *_304_*)

Searches in all logs for log events in which the value in column URL contains the term /website/moe/html and a word which contains the text _304_.

error and method contains *java.lang* 

Searches for log events that contain the term error and whose log field method contains a word with the text java.lang.

Note: A log field named method is required.

priority = FATAL

Searches the log field priority for the value FATAL.

Note: A log field named priority is required.

message = NULL

Searches the log field message for an empty value.

Note: A log field named message is required.

message != NULL

Searches the log field message for a nonempty value.

Note: A log field named message is required.

error and message contains connection

Searches for log events that contain error and the word connection in the log field message.

Note: A log field named message is required. 

error and not (message contains NullPointerException)

Searches for log events that contain error and do not contain NullPointerException in the log field message.

Note: A log field named message is required.

lineNumber < 1000

Searches in all logs for log events in which the numeric value in column lineNumber is less than 1000.

Note: A numeric log field named lineNumber is required. Additional numeric operators: >, =, !=

lineNumber > 1000 AND lineNumber < 2000

Searches in all logs for log events in which the numeric value in column lineNumber is greater than 1000 and less than 2000.

* in log.Application

Searches in all logs that are named Application, for all log events.

Note: The * can be replaced with any valid search query.

 * in log.NAME

Searches in all logs that are named NAME, for all log events.

Note: The * can be replaced with any valid search query.

error or exception or fail* in log.LOG_NAME_1, log.LOG_NAME_2, …, log.LOG_NAME_N

Searches for log events containing error or exception or a term beginning with fail, in all logs named LOG_NAME_1, LOG_NAME_2,..., LOG_NAME_N.

 * in folder.NAME

Searches in all folders that are named NAME, for all log events.

Note: The * can be replaced with any valid search query.

error or exception or fail* in folder.FOLDER_NAME_1, folder.FOLDER_NAME_2, …, folder.FOLDER_NAME_N

Searches for log events containing error or exception or a term beginning with fail, in all logs that are under folders named FOLDER_NAME_1, FOLDER_NAME_2,..., FOLDER_NAME_N.

 * in app.NAME

Searches in all applications that are named NAME (provided the application is tagged), for all log events.

Note: The * can be replaced with any valid search query.

error or exception or fail* in app.APP_NAME_1, app.APP_NAME_2, …, app.APP_NAME_N

Searches for log events containing error or exception or a term beginning with fail, in all logs that are under applications named APP_NAME_1, APP_NAME_2,..., APP_NAME_N (provided the applications are tagged).

* in server.NAME

Searches in all servers that are named NAME, for all log events.

Note: The * can be replaced with any valid search query.

error or exception or fail* in server.SERVER_NAME_1, server.SERVER_NAME_2, …, server.SERVER_NAME_N

Searches for log events containing error or exception or a term beginning with fail, in all logs that are under servers named SERVER_NAME_1, SERVER_NAME_2,..., SERVER_NAME_N.

* in log.Application, log.System

Searches in all logs that are named either Application or System, for all log events.

* in log.Application in folder.Windows Event Logs

Searches in all logs that are named Application and are located under folders that are named Windows Event Logs, for all log events.

Note: All types of selectors can be combined, i.e. in log.NAME in server.NAME, in folder.NAME in application.NAME, and more.

error or exception in folder.cloudappserver1

Searches in all folders named cloudappserver1 for all log events containing the term error or the term exception.

ThreadId=00000027 in folder.cloudappserver1

Searches in all folders named cloudappserver1 for all log events with the exact value 00000027 in the field ThreadId.

regexp: \d\d\d

Regular expression usage: searches for a 3-digit number.

not (url contains (.gif or .jpg or .png or .css or .js)) in log.access

Searches in the log named access for log events whose URL does not contain .gif, .jpg, .png, .css or .js (that is, excludes images, CSS files and JavaScript).
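
The quoting rule from the note on reserved keywords, applied when a query is assembled from strings such as alert text, as an added example that is not part of the original documentation or the product's own code. The function names are hypothetical, quoting of contains, < and > is an added assumption, and embedded double quotes are rejected because the page gives no escape for them.

```python
import re

# Keywords and symbols the page lists as reserved by the search syntax.
RESERVED_WORDS = {"and", "or", "not", "in"}
RESERVED_CHARS = set("()=*?")
# Assumption: "contains", "<" and ">" appear as operators in the page's
# examples, so they are quoted as well to be conservative.
EXTRA_WORDS = {"contains"}
EXTRA_CHARS = set("<>")


def needs_quotes(text):
    """True if text would be parsed as syntax rather than as a literal."""
    if any(ch in RESERVED_CHARS | EXTRA_CHARS for ch in text):
        return True
    # Whole-word, case-insensitive match: the page uses both "or" and "OR".
    words = {w.lower() for w in re.split(r"\s+", text.strip())}
    return bool(words & (RESERVED_WORDS | EXTRA_WORDS))


def literal(text):
    """Return text as a literal search term, quoted only when required."""
    if not text.strip():
        raise ValueError("empty search term")
    if '"' in text:
        # The page does not describe an escape for embedded quotes.
        raise ValueError("embedded double quote is not supported")
    return f'"{text}"' if needs_quotes(text) else text


def any_of(terms, log=None):
    """OR together literal terms, optionally scoped with 'in log.NAME'."""
    query = " or ".join(literal(t) for t in terms)
    return f"{query} in log.{log}" if log else query


if __name__ == "__main__":
    # Constructed sample input: strings to be searched for as plain text.
    print(any_of(["error is not caused by database", "Service Control Manager"]))
    print(any_of(["logon failed (bad password)", "WinHTTP"], log="Application"))
```

Because a quoted * or ? is treated as text, terms that are meant to act as wildcards should be added to the query directly rather than passed through literal().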