Skip to main content
Version: 5.0

search

Description

Performs a search on the data.

danger

Using search in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms. These include source and peval. This condition must also be met for all subqueries within the query.

Syntax

search <compare>

Required Arguments

ParameterSyntaxDescription
compare<field> > | >= | == | < | <= | != <field> | <value>A conditional operation for data comparison.

Search Modes

  • regex - search using a regular expression
  • wildcard - search using wildcard characters * and ?
  • cidr - search using a subnet mask
tip

If there is no operator between conditions, the default operator is AND.

A value (<value>) can be specified without double quotes if it does not contain separators or special characters.

Search in

SyntaxDescription
<field> in (<value>, <value>)The search in construct allows searching for events where the field <field> value equals one of the specified <value> elements.
tip

You can use * in <value> elements for wildcard search.

Query Examples

Example #1
...
| search user=Ivanov OR user="Mar*"
Example #2
...
| search count_result=5 AND nick="Iv*" mail="iv*"
Example #3
...
| search regex place="(Ho|Mo)tel"
Example #4
...
| search wildcard name="An*li?"
Example #5
...
| search cidr host="10.78.0.0/16"
Example #6
...
| search cidr host="2001::/4"
Example №7
...
| search user in (Smith, "Mar*")