Version: 4.0

General information on working with search

Search query basics

Search query structure

Search queries are created based on the query language Smart Monitor Language (SML), which has built-in functionality that helps create, analyze and manage the results obtained.

Queries in the Smart Monitor use keywords and operators to form a chain of operations to retrieve, filter, aggregate, and analyze data. The main elements of a query are keywords, operators and functions.

Using Keywords and Operators

  1. Keywords to start searching

    • search: used to start searching for data in indexes
    • |: the pipe is placed on a new line to separate each new piped section of your search criteria. It passes the results of one operation as input to the next
  2. Filtering and sorting data

    • where: filters rows by a specified condition
    • eval: creates new fields from existing fields and an arbitrary expression
    • sort: sorts the output events in the order you specify
  3. Aggregation functions

    • stats: generates a report that displays summary statistics
    • aggs: allows you to create more complex data aggregations using various functions such as avg, sum, count and others. It is usually used with the by operator to group data by specific fields and apply aggregation to each group
    • timechart: generates a table of summary statistics. This table can then be formatted as a chart visualization, where your data is plotted against an x-axis that is always a time field

For more information about SML commands, see Smart Monitor Language.

Filters

  1. Filter by time

    • time filters limit query results to a time range, which is essential for data analysis
  2. Filtering by field values

    • filtering conditions can be applied to specific fields so that only data matching the condition is returned

    Example:

 source wineventlog
| search status="error"
  3. Using Boolean Operators to Search

    • Smart Monitor supports the boolean operators AND, OR and NOT for building complex search queries

    Example:

 source wineventlog
| search status="error" AND host.ip != "172.19.0.101"
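The following pipeline is an added example, not a query from the original page: it chains the keywords listed above by selecting error events from wineventlog, excluding one host with NOT, counting the remaining events per host with stats and the by operator, and sorting the result. The argument syntax of stats and sort is assumed from the keyword descriptions above and should be checked against the Smart Monitor Language reference.

```sml
  source wineventlog
| search status="error" AND NOT host.ip="172.19.0.101"
| stats count by host.ip
| sort count
```

A host whose count stands out in the result is a natural starting point for finding out why it produces error events.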

Search Tools: Effective Use

The built-in formatting engine makes working with SML easier. For more information, see formatted search.

Comments

Comments help isolate, highlight and explain individual parts of a query. For more details on using comments in Smart Monitor, refer to the section adding comments.

Search history

Search history stores previously executed queries. For more information, see search history.