Version: 5.1

search

Description

Performs a search on the data.

danger

Using search in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms. These include source and peval. This condition must also be met for all subqueries within the query.

Syntax

search <compare>

Required Arguments

Parameter	Syntax	Description
`compare`	`<field> > \| >= \| == \| < \| <= \| != <field> \| <value>`	A conditional operation for data comparison.

Search Modes

regex - search using a regular expression
wildcard - search using wildcard characters * and ?
cidr - search using a subnet mask
text - text field search (used when enabled Configuring Keyword Autocompletion)

tip

If there is no operator between conditions, the default operator is AND.

A value (<value>) can be specified without double quotes if it does not contain separators or special characters.

Search in

Syntax	Description
`<field> in (<value>, <value>)`	The search in construct allows searching for events where the field `<field>` value equals one of the specified `<value>` elements.

tip

You can use * in <value> elements for wildcard search.

Query Examples

Example #1
...
| search user=Ivanov OR user="Mar*"

Example #2
...
| search count_result=5 AND nick="Iv*" mail="iv*"

Example #3
...
| search regex place="(Ho|Mo)tel"

Example #4
...
| search wildcard name="An*li?"

Example #5
...
| search cidr host="10.78.0.0/16"

Example #6
...
| search cidr host="2001::/4"

Example №7
...
| search user in (Smith, "Mar*")

Description​

Syntax​

Required Arguments​

Search Modes​

Search in​

Query Examples​