search
Description
Performs a search on the data.
danger
Using `search` in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms, such as `source` and `peval`. This condition must also be met for every subquery within the query.
Syntax
search <compare>
Required Arguments
Parameter | Syntax | Description |
---|---|---|
compare | `<field> <operator> <field>` or `<field> <operator> <value>`, where `<operator>` is one of `>`, `>=`, `==`, `<`, `<=`, `!=` | A conditional operation for data comparison. |
Search Modes
- `regex` - search using a regular expression
- `wildcard` - search using the wildcard characters `*` and `?`
- `cidr` - search using a subnet mask
tip
If there is no operator between conditions, the default operator is AND.
A value (`<value>`) can be specified without double quotes if it does not contain separators or special characters.
Search in
Syntax | Description |
---|---|
`<field> in (<value>, <value>)` | The `search in` construct selects events whose field `<field>` equals one of the listed `<value>` elements. |
tip
You can use `*` in `<value>` elements for a wildcard search.
Query Examples
Example #1
```
...
| search user=Ivanov OR user="Mar*"
```
Example #2
```
...
| search count_result=5 AND nick="Iv*" mail="iv*"
```
Example #3
```
...
| search regex place="(Ho|Mo)tel"
```
Example #4
```
...
| search wildcard name="An*li?"
```
Example #5
```
...
| search cidr host="10.78.0.0/16"
```
Example #6
```
...
| search cidr host="2001::/4"
```
Example #7
```
...
| search user in (Smith, "Mar*")
```