search
Description
Performs a search on the data.
Using search in a query is allowed only if it is preceded by commands that also operate on the internal storage mechanisms, such as source and peval. This condition must also be met for every subquery within the query.
Syntax
search <mode> <compare>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| compare | <field> (> \| >= \| == \| < \| <= \| !=) (<field> \| <value>) | A conditional operation for data comparison. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| mode | (\|regex\|wildcard\|cidr) | (none) | Search mode: regex - search by regular expression; wildcard - search using the wildcard characters * and ?; cidr - search by subnet mask. |
Search Modes
- regex - search using a regular expression
- wildcard - search using the wildcard characters * and ?
- cidr - search using a subnet mask
- text - text field search (used when Keyword Autocompletion is enabled; see Configuring Keyword Autocompletion)
If there is no operator between conditions, the default operator is AND.
A value (<value>) can be specified without double quotes if it does not contain separators or special characters.
By default, regex (regular expression) search is case-insensitive. To enable case sensitivity in a regex search, use the sens parameter in the search query.
Field Comparison
Search queries can use comparisons between two fields for filtering. The fields can be taken either from the source document or specified by the user via the peval command.
The right operand of the required compare parameter can be either a field name or a string; it is eligible to be interpreted as a field only when it is not enclosed in double quotes.
If a field with that name exists in the document, the right operand is treated as a field. Otherwise, the operand is treated as a string.
List of supported operations:
- comparison operators (=, !=, >, <, etc.)
- wildcard
- cidr
- regex
Using field comparison in search queries has limitations. For example, for searching documents in ClickHouse you cannot use queries where the left operand is specified by the user via the peval command, and for searching documents in OpenSearch storage in regex mode the right operand is always interpreted as a string, not as a field from the context.
Search in
| Syntax | Description |
|---|---|
| <field> in (<value>, <value>) | The search in construct finds events where the value of <field> equals one of the listed <value> elements. |
You can use * in <value> elements for wildcard search.
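The rules above (the search modes, the default AND between conditions, case-insensitive regex unless sens is set, the right-operand rule for field comparison including fields defined with peval, and search in) can be modelled over in-memory documents. The Python below is an added illustration written for this page, not the product's own search engine. Its function names (search, search_in, peval), the sample documents and several details the page does not state are assumptions: regex and wildcard patterns must match the whole field value, plain equality is case-insensitive, a value containing * or ? in a plain equality condition is matched as a wildcard (inferred from Example 1 and Example 10, which use * without a mode), and two values are compared numerically when both parse as numbers. Verify each of these against your own deployment before relying on it in a detection rule.

```python
"""Reference model of the documented `search` semantics (added example, not product code)."""
import ipaddress
import operator
import re

OPS = {">": operator.gt, ">=": operator.ge, "==": operator.eq, "=": operator.eq,
       "<": operator.lt, "<=": operator.le, "!=": operator.ne}


def _coerce(left, right):
    """Assumption: numeric comparison when both sides parse as numbers, else case-folded strings."""
    try:
        return float(left), float(right)
    except (TypeError, ValueError):
        return str(left).casefold(), str(right).casefold()


def wildcard_to_regex(pattern):
    """Translate * (any sequence) and ? (exactly one character) into a regex; other chars are literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def match_wildcard(value, pattern):
    # Assumption: wildcard matching is case-insensitive and covers the whole value.
    return re.fullmatch(wildcard_to_regex(pattern), str(value), re.IGNORECASE) is not None


def match_regex(value, pattern, sens=False):
    """regex mode: case-insensitive by default; `sens` enables case sensitivity (documented)."""
    flags = 0 if sens else re.IGNORECASE
    return re.fullmatch(pattern, str(value), flags) is not None  # assumption: whole-value match


def match_cidr(value, subnet):
    """cidr mode: address must lie inside the subnet; IPv4 and IPv6 never match each other,
    and a value that is not an IP address simply does not match instead of raising."""
    try:
        addr = ipaddress.ip_address(str(value))
        net = ipaddress.ip_network(subnet, strict=False)  # strict=False accepts 2001::/4
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def match_compare(value, op, target):
    """Plain comparison. Assumption: equality against a string containing * or ? is a wildcard match."""
    if op in ("=", "==") and isinstance(target, str) and any(c in target for c in "*?"):
        return match_wildcard(value, target)
    left, right = _coerce(value, target)
    return OPS[op](left, right)


def resolve_operand(doc, operand, quoted):
    """Documented right-operand rule: an unquoted name that exists in the document
    (including a field added by peval) is a field reference; anything else is a literal."""
    if not quoted and operand in doc:
        return doc[operand]
    return operand


def search(docs, field, op, operand, mode=None, quoted=True, sens=False):
    """Return the documents whose `field` satisfies one condition in the given mode."""
    hits = []
    for doc in docs:
        if field not in doc:
            continue
        target = resolve_operand(doc, operand, quoted)
        value = doc[field]
        if mode == "regex":
            ok = match_regex(value, target, sens)
        elif mode == "wildcard":
            ok = match_wildcard(value, target)
        elif mode == "cidr":
            ok = match_cidr(value, target)
        else:
            ok = match_compare(value, op, target)
        if ok:
            hits.append(doc)
    return hits


def search_in(docs, field, candidates):
    """Model of `<field> in (<value>, ...)`: equality against any element, * allowed in elements."""
    return [d for d in docs if field in d and any(match_compare(d[field], "==", c) for c in candidates)]


def peval(docs, field, value):
    """Model of `peval <field>=<value>`: attach a user-defined field to every document."""
    return [{**d, field: value} for d in docs]


# Constructed sample documents (not taken from the page).
DOCS = [
    {"user": "Smith", "host": "10.78.1.23", "score": 5, "status": "active", "nickname": "smith"},
    {"user": "Maria", "host": "192.168.1.1", "score": 4, "status": "inactive", "nickname": "Ma"},
    {"user": "mary", "host": "2001:db8::1", "score": 11, "status": "inactive", "nickname": "Mary"},
]

if __name__ == "__main__":
    show = lambda hits: [d["user"] for d in hits]
    print("user=Mar*        ->", show(search(DOCS, "user", "==", "Mar*")))
    print("cidr 10.78.0.0/16->", show(search(DOCS, "host", "==", "10.78.0.0/16", mode="cidr")))
    print("user = nickname  ->", show(search(DOCS, "user", "==", "nickname", quoted=False)))
    print("peval alias=ma*  ->", show(search(peval(DOCS, "alias", "ma*"), "user", "==", "alias", quoted=False)))
```

The `quoted` flag is what separates `search name = nickname` (field comparison, because nickname exists in the document) from `search name = "nickname"` (literal string); in the model, a quoted operand is never resolved as a field, exactly as the rule above states. The cidr helper deliberately treats an unparsable or mixed-family value as a non-match rather than an error, which is the behaviour you want when a host field is sometimes populated with a hostname.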
Query Examples
Example 1
In this example, a search will be performed for documents where the user field contains the value Smith or a value starting with Mar.
...
| search user=Smith OR user="Mar*"
Sample input documents:
| user |
|---|
| Smith |
| Maria |
| Taylor |
| John |
| mary |
The query execution result may be the following table:
| user |
|---|
| Smith |
| Maria |
| mary |
Example 2
In this example, a search will be performed for documents where the value of the count_result field equals 5, the value of the nick field starts with Sm, and the value of the mail field starts with sm.
...
| search count_result=5 AND nick="Sm*" mail="sm*"
Sample input documents:
| nick | mail | count_result |
|---|---|---|
| Smith | smith@example.com | 5 |
| Smh | smh123@example.com | 4 |
| smit | 123smit@example.com | 5 |
The query execution result may be the following table:
| nick | mail | count_result |
|---|---|---|
| Smith | smith@example.com | 5 |
Example 3
In this example, a search will be performed for documents where the score field is greater than or equal to 5, and the status field is not equal to active.
...
| search score>=5 AND NOT status="active"
Sample input documents:
| user | status | score |
|---|---|---|
| Smith | active | 5 |
| Maria | inactive | 4 |
| John | inactive | 11 |
The query execution result may be the following table:
| user | status | score |
|---|---|---|
| John | inactive | 11 |
Example 4
In this example, a search will be performed in regex mode for documents where the place field matches the regular expression (Ho|Mo)tel, i.e. Hotel or Motel.
...
| search regex place.keyword="(Ho|Mo)tel"
Sample input documents:
| place |
|---|
| Hotel |
| motel |
The query execution result may be the following table:
| place |
|---|
| Hotel |
Example 5
In this example, a search will be performed in wildcard mode for documents where the name field starts with An, followed by any characters, then li, and then exactly one arbitrary character.
...
| search wildcard name="An*li?"
Sample input documents:
| name |
|---|
| Anna |
| Anatoly |
| Anzli |
| Annalisa |
| Anli |
The query execution result may be the following table:
| name |
|---|
| Anzli |
| Annalisa |
| Anli |
Example 6
In this example, a search will be performed for documents where the IPv4 address in the host field belongs to the 10.78.0.0/16 subnet.
...
| search cidr host="10.78.0.0/16"
Sample input documents:
| host |
|---|
| 10.78.1.23 |
| 192.168.1.1 |
| 2001:0db8::1 |
The query execution result may be the following table:
| host |
|---|
| 10.78.1.23 |
Example 7
In this example, a search will be performed for documents where the IPv6 address in the host field belongs to the 2001::/4 subnet.
...
| search cidr host="2001::/4"
Sample input documents:
| host |
|---|
| 2001:0db8::1 |
| fe80::1 |
| 3000::1 |
| 2002:aabb::1234 |
The query execution result may be the following table:
| host |
|---|
| 2001:0db8::1 |
| 2002:aabb::1234 |
Example 8
In this example, a search will be performed for documents where the value of the user field equals Smith or starts with Mar.
...
| search user in (Smith, "Mar*")
Sample input documents:
| user |
|---|
| Smith |
| Maria |
| Taylor |
| Jeck |
| John |
| mary |
The query execution result may be the following table:
| user |
|---|
| Smith |
| Maria |
| mary |
Example 9
This example demonstrates a search using field comparison.
...
| search name = nickname
Sample input documents:
| name | nickname | surname |
|---|---|---|
| Paul | ul | Smith |
| Mary | Ma | Johnson |
| Smart | Smena | Brown |
| Sara | Sa | Davis |
| max | Max | Wilson |
| paul | paul | Taylor |
| Alex | Alex | Anderson |
The query execution may result in the following table:
| name | nickname | surname |
|---|---|---|
| max | Max | Wilson |
| paul | paul | Taylor |
| Alex | Alex | Anderson |
Example 10
This example demonstrates a search using field comparison. The right operand is specified using the peval command.
...
| peval nickname="*ul"
| search name = nickname
Sample input documents:
| name | surname |
|---|---|
| Paul | Smith |
| Mary | Johnson |
| Smart | Brown |
| Sara | Davis |
| max | Wilson |
| paul | Taylor |
| Alex | Anderson |
The query execution may result in the following table:
| name | surname |
|---|---|
| Paul | Smith |
| paul | Taylor |