Search Operator

Overview

Use search to find log events whose text matches one or more string patterns, combined with and, or and not.

| search [not] <string constant> [and|or ...]*

See string datatypes for more information on formatting arguments.

Examples

Example data

let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"},
  {"p_event_time": "2023-09-16 05:59:04.058", "requestHttpMethod": "POST", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"},
  {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"},
  {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET", "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61"}
];

Search for a string

The query below returns the log events whose text contains the string GET:

aws_alb
| search 'GET'

| p_event_time | requestHttpMethod | requestHttpVersion | sslCipher | userAgent |
| --- | --- | --- | --- | --- |
| 2023-09-16 05:45:34.863 | GET | HTTP/1.1 | TLS_AES_128_GCM_SHA256 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 |
| 2023-09-16 05:36:09.017 | GET | HTTP/2.0 | ECDHE-RSA-AES128-GCM-SHA256 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15 |
| 2023-09-16 05:36:09.017 | GET | HTTP/1.1 | TLS_AES_128_GCM_SHA256 | Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61 |

Search for complex patterns

The query below combines and, or and not (with parentheses for grouping) to express a more complex condition:

aws_alb
| search ('GET' or 'POST') and not 'HTTP/1.1' and 'ECDHE'

| p_event_time | requestHttpMethod | requestHttpVersion | sslCipher | userAgent |
| --- | --- | --- | --- | --- |
| 2023-09-16 05:36:09.017 | GET | HTTP/2.0 | ECDHE-RSA-AES128-GCM-SHA256 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15 |

Search using wildcard matching

You can use an asterisk * as a wildcard that stands for any sequence of characters, as in the query below:

aws_alb
| search 'mozilla*chrome'

| p_event_time | requestHttpMethod | requestHttpVersion | sslCipher | userAgent |
| --- | --- | --- | --- | --- |
| 2023-09-16 05:45:34.863 | GET | HTTP/1.1 | TLS_AES_128_GCM_SHA256 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 |
| 2023-09-16 05:59:04.058 | POST | HTTP/1.1 | TLS_AES_128_GCM_SHA256 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 |
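The following Python model is an added example, not code from this page or from the query engine it documents. It reproduces the behaviour shown in the three examples above so that the operator's semantics can be checked against the example data offline: a tokenizer and recursive-descent parser for the `search [not] <string> [and|or ...]*` syntax, and an evaluator that runs the parsed condition over each event. Three points are assumptions taken from the examples rather than stated rules on the page: a string matches when it occurs as a case-insensitive substring of any field of the event (the lowercase pattern mozilla*chrome matches "Mozilla ... Chrome"), the asterisk stands for any run of characters, and `and` binds tighter than `or` (the page's own example uses parentheses, so its real precedence is not visible here). The example rows are the page's datatable, constructed here as Python dicts.

```python
import re

# Constructed sample events: the example data from the page as Python dicts.
AWS_ALB = [
    {"p_event_time": "2023-09-16 05:45:34.863", "requestHttpMethod": "GET",
     "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"},
    {"p_event_time": "2023-09-16 05:59:04.058", "requestHttpMethod": "POST",
     "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"},
    {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET",
     "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"},
    {"p_event_time": "2023-09-16 05:36:09.017", "requestHttpMethod": "GET",
     "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256",
     "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61"},
]

# Token grammar: parentheses, single-quoted string constants, and the
# keywords and / or / not. Keywords are only recognised outside quotes.
TOKEN_RE = re.compile(
    r"\s*(?:(?P<lp>\()|(?P<rp>\))|'(?P<str>[^']*)'|(?P<kw>and|or|not)\b)",
    re.IGNORECASE,
)


def tokenize(text):
    """Split a search condition into (kind, value) tokens."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            if text[pos:].strip() == "":
                break
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if m.group("lp"):
            tokens.append(("(", None))
        elif m.group("rp"):
            tokens.append((")", None))
        elif m.group("str") is not None:
            tokens.append(("STR", m.group("str")))
        else:
            tokens.append((m.group("kw").lower(), None))
    return tokens


def wildcard_to_regex(pattern):
    """Assumption: '*' matches any run of characters; everything else is literal,
    matched case-insensitively anywhere inside a field value."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


class Parser:
    """Recursive descent over: or_expr := and_expr ('or' and_expr)*;
    and_expr := unary ('and' unary)*; unary := 'not' unary | '(' or_expr ')' | STR.
    The and-over-or precedence is an assumption, not a rule stated on the page."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self, kind=None):
        if self.i >= len(self.tokens) or (kind and self.tokens[self.i][0] != kind):
            raise ValueError(f"expected {kind or 'a token'} at token {self.i}")
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.tokens):
            raise ValueError("trailing tokens after condition")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        kind = self.peek()
        if kind == "not":
            self.take()
            return ("not", self.unary())
        if kind == "(":
            self.take()
            node = self.or_expr()
            self.take(")")
            return node
        if kind == "STR":
            return ("term", wildcard_to_regex(self.take()[1]))
        raise ValueError(f"unexpected token {kind!r}")


def evaluate(node, event):
    """True when the event satisfies the parsed condition. A term matches if
    its pattern is found in any field value (assumption: search is not field-scoped)."""
    op = node[0]
    if op == "term":
        return any(node[1].search(str(value)) for value in event.values())
    if op == "not":
        return not evaluate(node[1], event)
    if op == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if op == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    raise ValueError(op)


def search(events, condition):
    """Model of `| search <condition>`: the events that satisfy the condition, in order."""
    ast = Parser(tokenize(condition)).parse()
    return [event for event in events if evaluate(ast, event)]


if __name__ == "__main__":
    for condition in ["'GET'", "('GET' or 'POST') and not 'HTTP/1.1' and 'ECDHE'", "'mozilla*chrome'"]:
        print(condition, "->", [e["p_event_time"] for e in search(AWS_ALB, condition)])
```

Running the module prints, for each of the page's three conditions, the p_event_time values of the matching events, which correspond to the result tables above. Because a bare string is matched against every field, a short pattern such as 'GET' can also hit unrelated fields (a user agent or a URL containing the same letters); when a detection needs the method alone, a field-scoped comparison is the safer query than a free-text search.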
