Simple Search Examples
The following table contains examples of simple search queries:
Query | Explanation |
---|---|
* | Searches in all logs for all log events. |
Information | Searches in all logs for log events that contain the term Information. |
Service Control Manager | Searches in all logs for log events that contain the phrase Service Control Manager. |
"error is not caused by database" | Searches in all logs for log events that contain the exact phrase error is not caused by database. Note: Quotes are usually used when the search term/phrase contains a reserved word or one of the following keywords used by the search syntax: ( ) = and or not in * ? If this search query were not enclosed in quotes, it would be misinterpreted as (error is) not (caused by database). |
error or exception | Searches in all logs for log events that contain the term error or exception. |
error or exception or fail* | Searches in all logs for log events that contain the term error or exception or any word beginning with fail (such as fail, fails, failed, failure). |
Service Control Manager OR Microsoft-Windows-Security-Auditing | Searches in all logs for log events that contain either of the following phrases: Service Control Manager or Microsoft-Windows-Security-Auditing. |
Service Control Manager AND WinHTTP | Searches in all logs for log events that contain the phrase Service Control Manager and the term WinHTTP. |
Service Control Manager AND NOT WinHTTP | Searches in all logs for log events that contain the phrase Service Control Manager but do not contain the term WinHTTP. |
Service Control Manager and NOT (WinHTTP OR Multimedia) | Searches in all logs for log events that contain the phrase Service Control Manager but do not contain the term WinHTTP nor the term Multimedia. |
703? | Searches in all logs for log events that contain the term 703, followed by a single character. Note: The ? symbol stands for any single character that appears in its location in the term; for example: 7030, 7031, and 703A. The ? symbol can be placed anywhere in the search term (e.g. ?703, 70?3, 703?). |
Ser* | Wildcard usage: searches in all logs for log events that contain the term Ser, followed by zero or more characters. Note: The * symbol stands for zero or more characters that appear in its location; for example: Ser, Server, and Service. The * symbol can be placed anywhere in the search term (e.g. *Ser, Se*r, and Ser*). |
Type = Information | Searches in all logs for log events in which the value in column Type is the term Information. |
Type != Information | Searches in all logs for log events in which the value in column Type is not the term Information. |
Type contains Information | Searches in all logs for log events in which the value in column Type contains the term Information. |
Type contains Informatio? | Searches in all logs for log events in which the value in column Type contains the term Informatio, followed by a single character. |
Type contains Inform* | Searches in all logs for log events in which the value in column Type contains the term Inform, followed by zero or more characters. |
URL contains (/website/moe/html and *_304_*) | Searches in all logs for log events in which the value in column URL contains the term /website/moe/html and a word which contains the text _304_. |
error and method contains *java.lang* | Searches for events containing error and in the log field method a word which contains the text java.lang. Note: A log field named method is required. |
priority = FATAL | Searches the log field priority for the value FATAL. Note: A log field named priority is required. |
message = NULL | Searches the log field message for an empty value. Note: A log field named message is required. |
message != NULL | Searches the log field message for a nonempty value. Note: A log field named message is required. |
error and message contains connection | Searches for log events that contain error and the word connection in the log field message. Note: A log field named message is required. |
error and not (message contains NullPointerException) | Searches for log events that contain error and do not contain NullPointerException in the log field message. Note: A log field named message is required. |
lineNumber < 1000 | Searches in all logs for log events in which the numeric value in column lineNumber is less than 1000. Note: A numeric log field named lineNumber is required. Additional numeric operators: > = != |
lineNumber > 1000 AND lineNumber < 2000 | Searches in all logs for log events in which the numeric value in column lineNumber is greater than 1000 and less than 2000. |
* in log.Application | Searches in all logs that are named Application, for all log events. Note: The * can be replaced with any valid search query. |
* in log.NAME | Searches in all logs that are named NAME, for all log events. Note: The * can be replaced with any valid search query. |
error or exception or fail* in log.LOG_NAME_1, log.LOG_NAME_2, …, log.LOG_NAME_N | Searches for log events containing error or exception or a term beginning with fail, in all logs named LOG_NAME_1, LOG_NAME_2,..., LOG_NAME_N. |
* in folder.NAME | Searches in all folders that are named NAME, for all log events. Note: The * can be replaced with any valid search query. |
error or exception or fail* in folder.FOLDER_NAME_1, folder.FOLDER_NAME_2, …, folder.FOLDER_NAME_N | Searches for log events containing error or exception or a term beginning with fail, in all logs that are under folders named FOLDER_NAME_1, FOLDER_NAME_2,..., FOLDER_NAME_N. |
* in app.NAME | Searches in all applications that are named NAME (provided the application is tagged), for all log events. Note: The * can be replaced with any valid search query. |
error or exception or fail* in app.APP_NAME_1, app.APP_NAME_2, …, app.APP_NAME_N | Searches for log events containing error or exception or a term beginning with fail, in all logs that are under applications named APP_NAME_1, APP_NAME_2,..., APP_NAME_N (provided the applications are tagged). |
* in server.NAME | Searches in all servers that are named NAME, for all log events. Note: The * can be replaced with any valid search query. |
error or exception or fail* in server.SERVER_NAME_1, server.SERVER_NAME_2, …, server.SERVER_NAME_N | Searches for log events containing error or exception or a term beginning with fail, in all logs that are under servers named SERVER_NAME_1, SERVER_NAME_2,..., SERVER_NAME_N. |
* in log.Application, log.System | Searches in all logs that are named either Application or System, for all log events. |
* in log.Application in folder.Windows Event Logs | Searches in all logs that are named Application and are located under folders that are named Windows Event Logs, for all log events. Note: All types of selectors can be combined, i.e. in log.NAME in server.NAME, in folder.NAME in application.NAME, and more. |
error or exception in folder.cloudappserver1 | Searches in all folders named cloudappserver1 for all log events containing the term error or the term exception. |
ThreadId=00000027 in folder.cloudappserver1 | Searches in all folders named cloudappserver1 for all log events with the exact value 00000027 in the field ThreadId. |
regexp: \d\d\d | Regular expression usage – searches for a 3-digit number. |
not (url contains (.gif or .jpg or .png or .css or .js)) in log.access | Searches in logs named access for log events in which the value in column url does not contain .gif, .jpg, .png, .css, or .js, i.e. requests that are not for images, CSS files, or JavaScript files. |
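
The quoting note in the table matters most when queries are assembled from strings that did not come from the analyst's keyboard, such as an indicator string or a message copied from a ticket. The following is an added example, not part of the product or its documentation: `quote_literal`, `build_query` and the allowed characters for log names are assumptions made for illustration, and the keyword list is the one given in the table.

```python
import re

# Words and symbols the table lists as significant to the search syntax.
RESERVED_WORDS = {"and", "or", "not", "in"}
RESERVED_CHARS = set("()=*?")
# Assumption: log names are limited to these characters so that a name
# cannot smuggle in a comma-separated list of extra selectors.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\- ]+")


def quote_literal(phrase: str) -> str:
    """Return phrase as a search term, quoted when the syntax would misread it."""
    phrase = phrase.strip()
    if not phrase:
        raise ValueError("empty search phrase")
    if '"' in phrase:
        # The table documents no escape for an embedded quote, so refuse it.
        raise ValueError("phrase contains a double quote")
    has_symbol = any(ch in RESERVED_CHARS for ch in phrase)
    # Keywords appear in both cases in the table (and/AND), so compare lowercased.
    has_keyword = any(w in RESERVED_WORDS for w in phrase.lower().split())
    return f'"{phrase}"' if has_symbol or has_keyword else phrase


def build_query(phrases, log=None) -> str:
    """OR the literal phrases together, optionally scoped with 'in log.NAME'."""
    if not phrases:
        raise ValueError("no search phrases given")
    query = " or ".join(quote_literal(p) for p in phrases)
    if log is not None:
        # A bare word 'in' inside the name would start a second selector.
        if not SAFE_NAME.fullmatch(log) or "in" in log.lower().split():
            raise ValueError(f"unsafe log name: {log!r}")
        query += f" in log.{log}"
    return query


if __name__ == "__main__":
    # Constructed sample phrases; the first contains the keyword 'not'.
    print(build_query(["error is not caused by database", "WinHTTP"],
                      log="Application"))
```
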