search
Description
Performs a search on the data.
Using search in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms. These include source and peval. This condition must also be met for all subqueries within the query.
Syntax
search <mode> <compare>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
compare | <field> > | >= | == | < | <= | != <field> | <value> | A conditional operation for data comparison. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
mode | (|regex|wildcard|cidr) | Search mode: regex - search by regular expression; wildcard - search using wildcard characters * and ?; cidr - search by subnet mask. |
Search Modes
regex- search using a regular expressionwildcard- search using wildcard characters*and?cidr- search using a subnet masktext- text field search (used when enabled Configuring Keyword Autocompletion)
If there is no operator between conditions, the default operator is AND.
A value (<value>) can be specified without double quotes if it does not contain separators or special characters.
Search in
| Syntax | Description |
|---|---|
<field> in (<value>, <value>) | The search in construct allows searching for events where the field <field> value equals one of the specified <value> elements. |
You can use * in <value> elements for wildcard search.
Query Examples
Example 1
In this example, a search will be performed for documents where the user field contains the value Smith or a value starting with Mar.
...
| search user=Smith OR user="Mar*"
Sample input documents:
| user |
|---|
| Smith |
| Maria |
| Taylor |
| John |
| mary |
The query execution result may be the following table:
| user |
|---|
| Smith |
| Maria |
| mary |
Example 2
In this example, a search will be performed for documents where the value of the count_result field equals 5, the value of the nick field starts with Sm, and the value of the mail field starts with sm*.
...
| search count_result=5 AND nick="Sm*" mail="sm*"
Sample input documents:
| nick | count_result | |
|---|---|---|
| Smith | smith@example.com | 5 |
| Smh | smh123@example.com | 4 |
| smit | 123smit@example.com | 5 |
The query execution result may be the following table:
| nick | count_result | |
|---|---|---|
| Smith | smith@example.com | 5 |
Example 3
In this example, a search will be performed for documents where the score field is greater than or equal to 5, and the status field is not equal to active.
...
| search score>=5 AND NOT status="active"
Sample input documents:
| user | status | score |
|---|---|---|
| Smith | active | 5 |
| Maria | inactive | 4 |
| John | inactive | 11 |
The query execution result may be the following table:
| nick | count_result | |
|---|---|---|
| John | inactive | 11 |
Example 4
In this example, a search will be performed for documents where the place field matches Hotel or Motel using the regex regular expression.
...
| search regex place.keyword="(Ho|Mo)tel"
Sample input documents:
| place |
|---|
| Hotel |
| motel |
The query execution result may be the following table:
| place |
|---|
| Hotel |
Example 5
In this example, a search will be performed for documents where the name field starts with An, followed by li and exactly one any character.
...
| search wildcard name="An*li?"
Sample input documents:
| user |
|---|
| Anna |
| Anatoly |
| Anzli |
| Annalisa |
| Anli |
The query execution result may be the following table:
| user |
|---|
| Anzli |
| Annalisa |
| Anli |
Example 6
In this example, a search will be performed for documents where the IPv4 address in the host field belongs to the 10.78.0.0/16 subnet.
...
| search cidr host="10.78.0.0/16"
Sample input documents:
| host |
|---|
| 10.78.1.23 |
| 192.168.1.1 |
| 2001:0db8::1 |
The query execution result may be the following table:
| host |
|---|
| 10.78.1.23 |
Example 7
In this example, a search will be performed for documents where the IPv6 address in the host field belongs to the 2001::/4 subnet.
...
| search cidr host="2001::/4"
Sample input documents:
| host |
|---|
| 2001:0db8::1 |
| fe80::1 |
| 3000::1 |
| 2002:aabb::1234 |
The query execution result may be the following table:
| host |
|---|
| 2001:0db8::1 |
| 2002:aabb::1234 |
Example 8
In this example, a search will be performed for documents where the value of the user field equals Smith or starts with Mar.
...
| search user in (Smith, "Mar*")
Sample input documents:
| | user | | -| | Smith | | Maria | | Taylor | | Jeck | | John | | mary |
The query execution result may be the following table:
| user |
|---|
| Smith |
| Maria |
| mary |