Basic search commands
The main search commands in SM Language are source and search.
Command source
The source command retrieves data from the SM Data Storage back ends (OpenSearch, ClickHouse, Apache Hadoop). By default the OpenSearch repository is used; to search it you specify the name of the index pattern. Searching Hadoop storage requires the prefix hdh:, and searching ClickHouse storage requires the prefix clk:.
source hdh:win_events
source clk:nix_events
source cisco_asa
Smart Monitor allows you to get data from multiple storages simultaneously:
source cisco_asa, clk:nix_events
To limit the number of events in the search, the qsize argument is used.
source zabbix qsize = 150
source clk:nix_events:1000
source hdh:nix_events, ldap_computers qsize=1000
Search command
Searches the data retrieved by the preceding source command. Filtering is performed by the SM Data Storage algorithms of the selected back end.
source hdh:win_events
| search user="Smith" OR user="Mar*"
The search command has three search modes:
regex - a regular expression, an advanced form of search that looks for patterns rather than specific terms and phrases
wildcard - special characters (the symbols * and ?)
cidr - search by subnet mask
The default is wildcard. Examples of searches are given below:
... | search regex place="(Ho|Mo)tel"
... | search wildcard name="An*li?"
... | search cidr host="10.78.0.0/16"
Recommendations for creating a search query
Use keywords, phrases, fields, Boolean expressions, wildcards and comparison expressions. The search query returns events by matching the event fields in your data. When searching for a file path, escape each backslash in the path with a second backslash, for example D:\\SmartMonitor\\RTFM
It is recommended to look at the sections:
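To make the three search modes and the backslash-escaping rule concrete, here is an added Python model of how such a filter behaves; it is example code written for this page, not Smart Monitor's own implementation. It assumes wildcard `*` matches any sequence and `?` a single character, that regex mode matches the whole field value, that cidr mode compares an IP field against a network, and that a doubled backslash in a quoted query value stands for one literal backslash. The events are constructed sample data.

```python
import ipaddress
import re

# Constructed sample events (not from the original page).
EVENTS = [
    {"user": "Smith",  "place": "Hotel",  "name": "Angelia", "host": "10.78.3.9",     "path": r"D:\SmartMonitor\RTFM"},
    {"user": "Maria",  "place": "Motel",  "name": "Anli",    "host": "10.79.0.1",     "path": r"C:\Windows\System32"},
    {"user": "Martin", "place": "Castle", "name": "Annelie", "host": "192.168.1.5",   "path": r"D:\SmartMonitor\logs"},
    {"user": "Lee",    "place": "Hostel", "name": "Brian",   "host": "10.78.255.254", "path": "/var/log"},
]


def unescape_query_value(text):
    """Turn a quoted query value into the literal string to match.

    Assumption: a backslash is written as '\\\\' inside the query, as the page's
    D:\\\\SmartMonitor\\\\RTFM example requires, so '\\\\' collapses to one backslash.
    """
    return text.replace("\\\\", "\\")


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern (* and ?) into an anchored regular expression.

    Every other character is escaped, so backslashes in paths stay literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def match_wildcard(value, pattern):
    return re.fullmatch(wildcard_to_regex(pattern), value) is not None


def match_regex(value, pattern):
    # Assumption: regex mode matches the whole field value (anchored), as in
    # the page's place="(Ho|Mo)tel" example.
    return re.fullmatch(pattern, value) is not None


def match_cidr(value, pattern):
    # A field that is not a valid IP address simply does not match.
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


MATCHERS = {"regex": match_regex, "wildcard": match_wildcard, "cidr": match_cidr}


def search(events, terms, mode="wildcard"):
    """Return the events where at least one (field, pattern) term matches.

    Terms are OR-ed, mirroring user="Smith" OR user="Mar*" on the page; the
    default mode is wildcard, as the page states. Patterns are the raw quoted
    query values, so escaping is resolved here before matching.
    """
    matcher = MATCHERS[mode]
    resolved = [(field, unescape_query_value(pattern)) for field, pattern in terms]
    return [
        event for event in events
        if any(matcher(str(event.get(field, "")), pattern) for field, pattern in resolved)
    ]


if __name__ == "__main__":
    # Mirrors the page's examples: wildcard, regex, cidr, OR, and an escaped path.
    print([e["name"] for e in search(EVENTS, [("name", "An*li?")])])
    print([e["place"] for e in search(EVENTS, [("place", "(Ho|Mo)tel")], mode="regex")])
    print([e["host"] for e in search(EVENTS, [("host", "10.78.0.0/16")], mode="cidr")])
    print([e["user"] for e in search(EVENTS, [("user", "Smith"), ("user", "Mar*")])])
    print([e["path"] for e in search(EVENTS, [("path", r"D:\\SmartMonitor\\*")])])
```

The path case is the one worth noting: the query value is typed with doubled backslashes, `unescape_query_value` reduces them to single backslashes, and `wildcard_to_regex` then escapes those single backslashes so they are matched literally while `*` still acts as a wildcard. Without the escaping step the backslash would be interpreted before the pattern reaches the matcher and the path filter would silently match nothing.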