• OR allows you to specify multiple values. error OR mary means "find any event that contains either word".
• NOT applies to the next term or group. error NOT mary would find events that contain error but do not contain mary.
• "" identifies a phrase. "Out of this world" will find this exact sequence of words. Out of this world would find any event that contains all of these words, but not necessarily in that order.
• ( ) is used for grouping terms. Parentheses can help avoid confusion in logic. For instance, these two statements are equivalent:
  ° bob error OR warn NOT debug
  ° (bob AND (error OR warn)) AND NOT debug
• = is reserved for specifying fields. Searching for an equal sign can be accomplished by wrapping it in quotes.
• [ ] is used to perform a subsearch. We will discuss this in Chapter 5, Advanced Search Examples.
You can use these operators in fairly complicated ways, if you want to be very specific, or even to find multiple sets of events in a single query. The following are a few examples:
• error mary NOT jacky
• error NOT (mary warn) NOT (jacky error)
• index=myapplicationindex ( sourcetype=sourcetype1 AND ( (bob NOT error) OR (mary AND warn) ) ) OR ( sourcetype=sourcetype2 (jacky info) )
This can also be written with some whitespace for clarity:
index=myapplicationindex
  (
    sourcetype=security
    AND
    (
      (bob NOT error)
      OR
      (mary AND warn)
    )
  )
  OR
  (
    sourcetype=application
    (jacky info)
  )
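The precedence rules above (adjacent terms are ANDed, OR binds tighter than that implicit AND, NOT applies only to the next term or group, "" keeps an exact sequence, = is reserved for fields) are easy to get wrong when writing detection searches. The following Python evaluator is an added example, not code from the book or from the search product it describes: it parses the operator syntax described above with a small recursive-descent parser and runs queries against a handful of constructed events. Everything in it is an assumption made for illustration, in particular the EVENTS list, the simplified word segmentation (bare words match alphanumeric runs in _raw) and the rule that field=value compares against fields stored on the event; the real search engine segments and extracts fields in more sophisticated ways.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
Matcher = Callable[[Event], bool]

# Constructed sample events (made up for this example, not real log data).
EVENTS: List[Event] = [
    {"index": "myapplicationindex", "sourcetype": "security",
     "_raw": "12:00:00 user=bob action=login result=error"},
    {"index": "myapplicationindex", "sourcetype": "security",
     "_raw": "12:00:05 user=mary action=login result=warn"},
    {"index": "myapplicationindex", "sourcetype": "application",
     "_raw": "12:00:09 user=jacky level=info msg=Out of this world"},
    {"index": "myapplicationindex", "sourcetype": "application",
     "_raw": "12:00:12 user=bob level=debug msg=world out of this"},
    {"index": "myapplicationindex", "sourcetype": "security",
     "_raw": "12:00:20 user=mary action=logout result=error"},
]

# A token is a quoted phrase, a parenthesis, or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()]+')


def words(raw: str) -> set:
    """Simplified segmentation (assumption): bare words match alphanumeric runs."""
    return set(re.findall(r"[a-z0-9]+", raw.lower()))


def term(tok: str) -> Matcher:
    """Build a matcher for a single search term."""
    if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
        phrase = tok[1:-1].lower()      # "" keeps the exact sequence, including a literal =
        return lambda e: phrase in e["_raw"].lower()
    if "=" in tok:                      # = is reserved for field=value
        field, value = tok.split("=", 1)
        return lambda e: e.get(field) == value
    word = tok.lower()                  # bare word: case-insensitive word match
    return lambda e: word in words(e["_raw"])


class Parser:
    """Recursive descent: implicit/explicit AND of OR-groups of NOT-able terms."""

    def __init__(self, query: str):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Matcher:
        node = self.and_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def and_expr(self) -> Matcher:
        # Adjacent terms are ANDed; the keyword AND is optional.
        parts = [self.or_expr()]
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":
                self.take()
            parts.append(self.or_expr())
        return parts[0] if len(parts) == 1 else (lambda e: all(p(e) for p in parts))

    def or_expr(self) -> Matcher:
        # OR binds tighter than the implicit AND, so "a b OR c" is a AND (b OR c).
        parts = [self.unary()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.unary())
        return parts[0] if len(parts) == 1 else (lambda e: any(p(e) for p in parts))

    def unary(self) -> Matcher:
        # NOT applies to the next term or parenthesised group only.
        tok = self.take()
        if tok == "NOT":
            inner = self.unary()
            return lambda e: not inner(e)
        if tok == "(":
            inner = self.and_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"expected a term, got {tok!r}")
        return term(tok)


def search(query: str, events: List[Event] = EVENTS) -> List[int]:
    """Return the indexes of the events matched by the query."""
    matcher = Parser(query).parse()
    return [i for i, e in enumerate(events) if matcher(e)]


if __name__ == "__main__":
    for q in ("error OR mary", "error NOT mary", '"Out of this world"', "Out of this world",
              "bob error OR warn NOT debug", "(bob AND (error OR warn)) AND NOT debug"):
        print(f"{q:42} -> {search(q)}")
```

Running the two "equivalent" statements from the grouping bullet through search() returns the same event set, which is the property the parentheses are meant to make obvious; the quoted "result=error" query shows the = workaround, and a dangling OR raises rather than silently matching everything.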