When you are building the search criteria, click the field and value in the search result to add it to the search.
Wildcard character
- * (asterisk) matches one or multiple characters
Exact phrases
- Use " (double quotes)
Search for quotes
- \" (use a backslash to escape the quote if you want to search for a literal quote)
Boolean keywords in the search bar are case sensitive: write them in uppercase!
Boolean keywords are
- AND (if omitted, it is implied)
- OR
- NOT
Order of boolean evaluation
- Inside parentheses ()
- NOT
- OR
- AND
Operators
- =
- !=
- >
- >=
- <
- <=
Examples
- sourcetype=access_combined
Best search practices
Search in a time range
- s Seconds
- m Minutes
- h Hours
- d Days
- w Weeks
- mon Month
- y Year
- @ Round down to the nearest unit
Examples
- -30s In the last 30 seconds
- -30m@h Go back 30 minutes, then round down to the hour. If the search is run at 5:42, events from 5:00 onward are returned
- earliest=-2h latest=-1h From two hours ago to one hour ago
- earliest=05/12/2017:12:00:00 From an absolute date and time
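As an added example (not part of the original notes), the following Python resolves the relative and absolute time modifiers listed above the way a search with earliest=/latest= would, applying offsets and @ snaps left to right; it goes beyond the examples here by also handling chained forms such as @d-2h, and it assumes that a bare number with no unit means seconds.

```python
import calendar
import re
from datetime import datetime, timedelta

# Grammar of the relative modifiers listed above: [+|-]<int><unit> and @<unit>, applied left to right.
PART = re.compile(r"([+-]?\d+)(mon|[smhdwy])?|@(mon|[smhdwy])")
ABSOLUTE = "%m/%d/%Y:%H:%M:%S"  # layout of the absolute example 05/12/2017:12:00:00

def shift(t, amount, unit):
    """Move t by a signed amount of unit; mon and y use calendar arithmetic."""
    fixed = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
    if unit in fixed:
        return t + timedelta(**{fixed[unit]: amount})
    months = t.year * 12 + t.month - 1 + amount * (12 if unit == "y" else 1)
    year, month = divmod(months, 12)
    day = min(t.day, calendar.monthrange(year, month + 1)[1])  # clamp Jan 31 -> Feb 28
    return t.replace(year=year, month=month + 1, day=day)

def snap(t, unit):
    """Round t down to the start of unit (the @ modifier); @w snaps to Sunday as Splunk does."""
    zero = {"s": {}, "m": dict(second=0), "h": dict(minute=0, second=0),
            "d": dict(hour=0, minute=0, second=0)}
    if unit in zero:
        return t.replace(microsecond=0, **zero[unit])
    t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        return t - timedelta(days=(t.weekday() + 1) % 7)
    return t.replace(day=1, month=1 if unit == "y" else t.month)

def resolve(modifier, now):
    """Resolve one earliest=/latest= value, relative or absolute, against the clock time now."""
    if "/" in modifier:
        return datetime.strptime(modifier, ABSOLUTE)
    if not re.fullmatch(f"(?:{PART.pattern})+", modifier):
        raise ValueError(f"bad time modifier: {modifier!r}")
    t = now
    for m in PART.finditer(modifier):
        if m.group(3):
            t = snap(t, m.group(3))
        else:
            t = shift(t, int(m.group(1)), m.group(2) or "s")  # assumption: no unit means seconds
    return t

def time_range(search, now):
    """Pull earliest=/latest= out of a search string; a missing latest (or latest=now) means now."""
    bounds = dict(re.findall(r"\b(earliest|latest)=(\S+)", search))
    earliest = resolve(bounds["earliest"], now) if "earliest" in bounds else None
    latest = now if bounds.get("latest", "now") == "now" else resolve(bounds["latest"], now)
    return earliest, latest
```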
Indexes
If the data is split across multiple indexes, specify the index where the data is stored
Examples
- index=main