# Search operator

## Overview

Use `search` to search for text in logs.

```kusto
| search [not] <문자열 상수> [and|or ...]*
```

See [String data type](https://docs.panther.com/ko/data-types#string) for more information on how to format the arguments.

## Examples

{% hint style="info" %}
Example data

```kusto
let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"},
  {"p_event_time": "2023-09-16 05:59:04.058", "requestHttpMethod": "POST", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"},
  {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"},
  {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61"}
];
```

{% endhint %}

### Searching for a string

The query below finds logs that contain the string `GET`:

```kusto
aws_alb
| search 'GET'
```

| Event |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" }`      |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15" }` |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61" }`                                                            |

### Searching for complex patterns

The query below uses `and`, `or`, and `not` to search for complex patterns:

```kusto
aws_alb
| search ('GET' or 'POST') and not 'HTTP/1.1' and 'ECDHE'
```

| Event |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15" }` |

### Searching with wildcard matching

You can use an asterisk (`*`) for wildcard matching:

```kusto
aws_alb
| search 'mozilla*chrome'
```

| Event |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" }` |
| `{ "p_event_time": "2023-09-16 05:59:04.058", "requestHttpMethod": "POST", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" }`      |
