search
Description
Performs a search on the data.
danger
Using search in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms. These include source and peval. This condition must also be met for all subqueries within the query.
Syntax
search <compare>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
compare | <field> > | >= | == | < | <= | != <field> | <value> | A conditional operation for data comparison. |
Search Modes
regex- search using a regular expressionwildcard- search using wildcard characters*and?cidr- search using a subnet mask
tip
If there is no operator between conditions, the default operator is AND.
A value (<value>) can be specified without double quotes if it does not contain separators or special characters.
Search in
| Syntax | Description |
|---|---|
<field> in (<value>, <value>) | The search in construct allows searching for events where the field <field> value equals one of the specified <value> elements. |
tip
You can use * in <value> elements for wildcard search.
Query Examples
Example #1
...
| search user=Ivanov OR user="Mar*"
Example #2
...
| search count_result=5 AND nick="Iv*" mail="iv*"
Example #3
...
| search regex place="(Ho|Mo)tel"
Example #4
...
| search wildcard name="An*li?"
Example #5
...
| search cidr host="10.78.0.0/16"
Example #6
...
| search cidr host="2001::/4"
Example №7
...
| search user in (Smith, "Mar*")