Skip to main content
Version: 5.0

General information on working with search

Search query basics

Search query structure

Search queries are created based on the query language Search Anywhere Framework Language (SAFL), which has built-in functionality that helps create, analyze and manage the results obtained.

Queries in the Search Anywhere Framework use keywords and operators to form a chain of operations to retrieve, filter, aggregate, and analyze data. The main elements of a query are keywords, operators and functions.

Using Keywords and Operators

  1. Keywords to start searching

    • search: : used to start searching for data in indexes
    • |: the pipe is placed on a new line to separate each new piped section of your search criteria. It provides the results of one operation as input to it

  2. Filtering and sorting data

    • where: allows to filter rows by a specific condition
    • eval: enables to create new fields using existing fields and an arbitrary expression
    • sort: sorted the output is events in the sort ordered specify

  3. Aggregation functions

    • stats: generates a report that display summary statistics
    • aggs: allows you to create more complex data aggregations using various functions such as avg, sum, count and others. It is usually used with the by operator to group data by specific fields and apply aggregation to each group
    • timechart: generates a table of summary statistics. This table can then be formatted as a chart visualization, where your data is plotted against an x-axis that is always a time field

For more information about SAFL commands, see here.

Filters

  1. Filter by time

    • Time filters limit query results by time. This is important for data analysis

  2. Filtering by field values

    • Filtering conditions can be applied to specific fields to return only data that matches the query

Example:

source wineventlog
| search status="error"

  1. Using Boolean Operators to Search

    • SAF supports boolean operators AND, OR and NOT to create complex search queries

Example:

source wineventlog
| search status="error" AND host.ip != "172.19.0.101"

Search Tools: Effective Use

Built-in formatting engine makes working with SAFL easy. For more information, see formatted search.

Comments

Comments help isolate, highlight, and explain parts of a query. For more information, see adding comments.

Search history

Search history stores previously executed queries. For more information, see search history.