General information on working with search
Search query basics
Search query structure
Search queries are created based on the query language Search Anywhere Framework Language (SAFL), which has built-in functionality that helps create, analyze and manage the results obtained.
Queries in the Search Anywhere Framework use keywords and operators to form a chain of operations to retrieve, filter, aggregate, and analyze data. The main elements of a query are keywords, operators and functions.
Using Keywords and Operators
- Keywords to start searching
  search: used to start searching for data in indexes.
  | : the pipe is placed on a new line to separate each new piped section of your search criteria. It passes the results of one operation as input to the next.
- Filtering and sorting data
  where: filters rows by a specific condition.
  eval: creates new fields from existing fields and an arbitrary expression.
  sort: sorts the output events in the order you specify.
- Aggregation functions
  stats: generates a report that displays summary statistics.
  aggs: creates more complex data aggregations using functions such as avg, sum, count and others. It is usually used with the by operator to group data by specific fields and apply the aggregation to each group.
  timechart: generates a table of summary statistics. This table can then be formatted as a chart visualization, where your data is plotted against an x-axis that is always a time field.
For more information about SAFL commands, see here.
Filters
- Filter by time: time filters limit query results by time. This is important for data analysis.
- Filtering by field values: filtering conditions can be applied to specific fields to return only data that matches the query.
  Example:
  source wineventlog
  | search status="error"
- Using Boolean Operators to Search: SAF supports the boolean operators AND, OR and NOT to create complex search queries.
  Example:
  source wineventlog
  | search status="error" AND host.ip != "172.19.0.101"
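To make the chain-of-operations idea concrete, here is an added Python model of how a piped SAFL query is evaluated: each stage receives the previous stage's output as its input. This is illustrative code, not SAF's own engine; it assumes a constructed wineventlog sample and an eval/where spelling that the page does not show.

```python
from collections import Counter

# Constructed sample events standing in for the "wineventlog" index from the
# page's examples (not real log data).
WINEVENTLOG = [
    {"status": "error", "host.ip": "172.19.0.101", "EventID": 4625},
    {"status": "error", "host.ip": "172.19.0.102", "EventID": 4625},
    {"status": "error", "host.ip": "172.19.0.102", "EventID": 4625},
    {"status": "info", "host.ip": "172.19.0.103", "EventID": 4624},
    {"status": "error", "host.ip": "172.19.0.103", "EventID": 4625},
    {"status": "error", "host.ip": "172.19.0.103", "EventID": 7034},
]

def filter_stage(predicate):
    """Models `search ...` and `where ...`: keep only events matching the condition."""
    return lambda events: [e for e in events if predicate(e)]

def eval_stage(name, expr):
    """Models `eval`: add a new field computed from the existing fields of each event."""
    return lambda events: [{**e, name: expr(e)} for e in events]

def stats_count_by(field):
    """Models `stats count by <field>`: one result row per distinct field value."""
    def stage(events):
        counts = Counter(e.get(field) for e in events)
        return [{field: value, "count": n} for value, n in counts.items()]
    return stage

def sort_stage(field, descending=False):
    """Models `sort`: order the events by the given field."""
    return lambda events: sorted(events, key=lambda e: e[field], reverse=descending)

def run_query(source, stages):
    """The pipe: each stage receives the previous stage's output as its input."""
    results = list(source)
    for stage in stages:
        results = stage(results)
    return results

def failed_logons_by_host():
    """Chain modelled: source wineventlog | search status="error" AND host.ip !=
    "172.19.0.101" | eval logon_failure (assumed syntax) | where logon_failure
    | stats count by host.ip | sort by count, descending."""
    return run_query(WINEVENTLOG, [
        filter_stage(lambda e: e["status"] == "error" and e["host.ip"] != "172.19.0.101"),
        eval_stage("logon_failure", lambda e: e["EventID"] == 4625),
        filter_stage(lambda e: e["logon_failure"]),
        stats_count_by("host.ip"),
        sort_stage("count", descending=True),
    ])
```

Swapping the order of stages changes the result, which is exactly why the pipe is read top to bottom.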
Search Tools: Effective Use
Formatted search
The built-in formatting engine makes working with SAFL easy. For more information, see formatted search.
Comments
Comments help isolate, highlight, and explain parts of a query. For more information, see adding comments.
Search history
Search history stores previously executed queries. For more information, see search history.