You can search for text patterns within the current set of events in both the Navigate view and the Events view. You can perform a keyword text search or do regex (Regular Expression) matching. In the Navigate view, you can click a meta value, such as HTTP, to drill into the data and then enter a search string in the Search field to search for events within that subset of data. The search opens a tab in the Events view, brings your drill and time range forward, and shows your search results. You can also drill into the data using queries before starting a search. To execute the search, enter a search string in the Search box, and press Enter or click Search.
Keyword Text Search
The text search provides these capabilities:
- Each white space delimited word is ANDed, so that every word must be found, but the order or location position in relation to the other words is irrelevant. For example, if you search on
Mark Albert, both Mark and Albert must be found in the session, but they need not be together or in any specific order.
- The word OR is special. If you search
Mark OR Albert, either Mark or Albert must be found in the session to match; both are not required.
- You can mix or match implicit ANDs and ORs together in the search string. The explicit OR has higher precedence than the implicit (whitespace) AND. The following examples make the same logical statement, which requires that both the terms cheese and dumplings be present in a match and one of toaster bread:
cheese toast OR bread dumplings
cheese AND (toast OR bread) AND dumplings
- You can exclude words from search results using the
-operator. For example, searching for
cheese -toastwould return any result that has the word cheese, unless the word toast is also present.
- The keyword search can match metadata stored in the following patterns:
- IPv4 and IPv6 addresses. Any term that can be recognized as an IP address will be converted to the native metadata format so that it can be found in indexed metadata.
- IPv4 CIDR ranges. You can use CIDR notation to locate IPv4 addresses within a range.
- Timestamps. Timestamps are matched against the native time meta, and any additional time meta fields stored with the Time type.
- Numbers. The search function will attempt to automatically identify decimal search terms and match them against numeric meta data fields.
Options Controlling Search Behavior
To access the Search box and search options in the Navigate or Events views:
- You can see the Search Events field in the toolbar.
Troubleshooting: If you cannot see the Search Events field in the toolbar, click on the right side of the toolbar.
- Click in the Search field to view the Search Options drop-down menu. In Version 11.2 and above, the menu options are slightly different. The first figure illustrates the menu for 11.1 and below; the second figure illustrates the menu for Version 11.2 and above.
The options selected in this box change how the search is executed. The default search mode is to search indexes for indexed metadata and raw data only.
The following table describes the Investigation search options.
Regular Expression Search Syntax
A regular expression search uses Perl regular expression syntax, which is documented in detail in http://perldoc.perl.org/perlre.html.
Raw Text Keyword Search
The Log Decoder has the capability to create a raw text index for unparsed log events. This functionality creates metadata items that form a full-text index on downstream services such as Concentrators and Archivers. When you enable the Search Indexes option in your search preferences, your search automatically utilizes the text index. Note that the text index produces meta items that have a coarse granularity. For example, the default text indexer configuration truncates text terms. By comparing the index matches against raw data, the search engine will find accurate results for your search. However, you can improve search times by disabling the raw search checkbox. If you do so, results will be returned faster, but you may see false positive hits in your search results.
The following examples show searches from the Navigate and Events views.
Search in the Navigate View
To search within the currently displayed data in the Navigate view:
- To drill into the data, click a meta value, such as HTTP, in the Values panel.
- Type a search string in the Search field and press Enter or click Search.
- To clear the search box and return to the normal Events view, click the X in the search box.
Search in the Events View
To search within the currently displayed data in the Events view:
- Type a search string in the Search box, and press Enter or click Search.
The search results are displayed in the Events view. Events that match the search criteria are displayed in the events list. In the Details view and List view, matches are highlighted in the Details column. In addition, when searching RAW, matches are highlighted in the Log view Logs column.
- If you want to narrow the search, change the query and time.
- If you want to stop the search and return to the Events view, click Cancel.
Any results that are displayed remain.
- To clear the search box and return to the normal Events view, click X in the search box.