
Basic search commands

The main search commands in SAF Language are source and search.

The source command

The source command retrieves data from the SAF Data Storage sources (OpenSearch, ClickHouse, Apache Hadoop). By default the OpenSearch storage is used; to search it, specify the name of the index pattern. Searching Hadoop storage requires the prefix hdh:, and searching ClickHouse storage requires the prefix clk:.

source hdh:win_events
source clk:nix_events
source cisco_asa

SAF allows you to get data from multiple storages simultaneously:

source cisco_asa, clk:nix_events

To limit the number of events returned by a search, use the qsize argument.

Examples:

source zabbix qsize = 150
source clk:nix_events:1000
source hdh:nix_events, ldap_computers qsize=1000

Search command

Searches the data. It is used after the source command and filters the data using the SAF Data Storage algorithms.

source hdh:win_events
| search user="Ivanov" OR user="Mar*"

The search command has three search modes:

  • regex - A regular expression is a form of advanced searching that looks for specific patterns, as opposed to fixed terms and phrases.
  • wildcard - Special characters (the symbols * and ?) that stand in for unknown characters in a text value; they are handy for locating multiple items with similar, but not identical, values. Used by default.
  • cidr - search by subnet mask.

Examples:

... | search regex place="(Ho|Mo)tel"
... | search wildcard name="An*li?"
... | search cidr host="10.78.0.0/16"
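The following is an added illustration, not code from the SAF product: a small Python evaluator that applies the three search modes above (and an OR of several terms, as in the search user="Ivanov" OR user="Mar*" example) to constructed sample events, so the difference between regex, wildcard and cidr matching can be seen on concrete values. It assumes that regex and wildcard patterns must match the whole field value.

```python
import ipaddress
import re

# Constructed sample events standing in for rows returned by `source` (not real data).
EVENTS = [
    {"user": "Ivanov", "place": "Hotel", "name": "Angelia", "host": "10.78.12.4"},
    {"user": "Maria", "place": "Motel", "name": "Anatoliy", "host": "10.79.0.1"},
    {"user": "Petrov", "place": "Hostel", "name": "Anna", "host": "192.168.1.10"},
]


def match_regex(value, pattern):
    # `search regex`: the pattern is a regular expression; assumed to match the whole field.
    return re.fullmatch(pattern, str(value)) is not None


def match_wildcard(value, pattern):
    # `search wildcard` (the default): `*` stands in for any run of characters, `?` for one.
    # Every other character is literal, so it is escaped before the pattern becomes a regex.
    regex = "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.fullmatch(regex, str(value)) is not None


def match_cidr(value, pattern):
    # `search cidr`: the field must hold an IP address that lies inside the given subnet.
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # values that are not addresses never match a subnet


MODES = {"regex": match_regex, "wildcard": match_wildcard, "cidr": match_cidr}


def search(events, field, pattern, mode="wildcard"):
    """Return the events whose `field` matches `pattern` under the given search mode."""
    matcher = MODES[mode]
    return [e for e in events if field in e and matcher(e[field], pattern)]


def search_or(events, terms, mode="wildcard"):
    """OR of several (field, pattern) terms, like `search user="Ivanov" OR user="Mar*"`."""
    matcher = MODES[mode]
    return [e for e in events if any(f in e and matcher(e[f], p) for f, p in terms)]


if __name__ == "__main__":
    print(search(EVENTS, "place", "(Ho|Mo)tel", "regex"))   # Hotel, Motel
    print(search(EVENTS, "name", "An*li?"))                  # Angelia, Anatoliy
    print(search(EVENTS, "host", "10.78.0.0/16", "cidr"))   # 10.78.12.4 only
```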

Recommendations for creating a search query

Use keywords, phrases, fields, Boolean expressions, wildcards and comparison expressions. The search query retrieves events by matching the event fields in your data. When searching for a file path, you must escape the backslashes in the path, for example D:\\SmartMonitor\\RTFM.

It is recommended to look at the sections: