search
Description
Performs a search on the data.
Using search in a query is allowed only if it is preceded by commands that also operate with the internal storage mechanisms. These include source and peval. This condition must also be met for all subqueries within the query.
Syntax
search <mode> <compare>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
compare | <field> > | >= | == | < | <= | != <field> | <value> | A conditional operation for data comparison. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
mode | (|regex|wildcard|cidr) | Search mode: regex - search by regular expression; wildcard - search using wildcard characters * and ?; cidr - search by subnet mask. |
Search Modes
regex- search using a regular expressionwildcard- search using wildcard characters*and?cidr- search using a subnet masktext- text field search (used when enabled Configuring Keyword Autocompletion)
If there is no operator between conditions, the default operator is AND.
A value (<value>) can be specified without double quotes if it does not contain separators or special characters.
By default, regular expression regex search is case-insensitive. To make the regex search case-sensitive, you must use the sens parameter in the search query.
Field Comparison
In search queries, you can compare two fields for filtering. Fields can come either from the source document or be defined by the user with the peval command.
In the required compare parameter, the right operand can be either a field or a string, but only if the string is not enclosed in double quotes. If a field with that name exists in the document, it is treated as a field; otherwise, it is treated as a string.
Supported operations:
- comparison operators (
=, !=, >, <, etc.) wildcardcidrregex
Field comparison in search queries has limitations. For example, for ClickHouse document search, queries where the left operand is user-defined with peval are not supported. For OpenSearch search in regex mode, the right operand is always interpreted as a string, not as a context field.
Search in
| Syntax | Description |
|---|---|
<field> in (<value>, <value>) | The search in construct allows searching for events where the field <field> value equals one of the specified <value> elements. |
You can use * in <value> elements for wildcard search.
Query Examples
Example 1
In this example, a search will be performed for documents where the user field contains the value Ivanov or a value starting with Mar.
...
| search user=Ivanov OR user="Mar*"
Sample input documents:
| user |
|---|
| Ivanov |
| Maria |
| Petrov |
| John |
| mary |
The query execution result may be the following table:
| user |
|---|
| Ivanov |
| Maria |
| mary |
Example 2
In this example, a search will be performed for documents where the value of the count_result field equals 5, the value of the nick field starts with Iv, and the value of the mail field starts with iv*.
...
| search count_result=5 AND nick="Iv*" mail="iv*"
Sample input documents:
| nick | count_result | |
|---|---|---|
| Ivanov | ivanov@example.com | 5 |
| Ivy | ivy123@example.com | 4 |
| ivan | 123ivan@example.com | 5 |
The query execution result may be the following table:
| nick | count_result | |
|---|---|---|
| Ivanov | ivanov@example.com | 5 |
Example 3
In this example, a search will be performed for documents where the score field is greater than or equal to 5, and the status field is not equal to active.
...
| search score>=5 AND NOT status="active"
Sample input documents:
| user | status | score |
|---|---|---|
| Ivanov | active | 5 |
| Maria | inactive | 4 |
| Anna | inactive | 11 |
The query execution result may be the following table:
| nick | count_result | |
|---|---|---|
| Anna | inactive | 11 |
Example 4
In this example, a search will be performed for documents where the place field matches Hotel or Motel using the regex regular expression.
...
| search regex place.keyword="(Ho|Mo)tel"
Sample input documents:
| place |
|---|
| Hotel |
| motel |
The query execution result may be the following table:
| place |
|---|
| Hotel |
Example 5
In this example, a search will be performed for documents where the name field starts with An, followed by li and exactly one any character.
...
| search wildcard name="An*li?"
Sample input documents:
| user |
|---|
| Anna |
| Anatoly |
| Anzli |
| Annalisa |
| Anli |
The query execution result may be the following table:
| user |
|---|
| Anzli |
| Annalisa |
| Anli |
Example 6
In this example, a search will be performed for documents where the IPv4 address in the host field belongs to the 10.78.0.0/16 subnet.
...
| search cidr host="10.78.0.0/16"
Sample input documents:
| host |
|---|
| 10.78.1.23 |
| 192.168.1.1 |
| 2001:0db8::1 |
The query execution result may be the following table:
| host |
|---|
| 10.78.1.23 |
Example 7
In this example, a search will be performed for documents where the IPv6 address in the host field belongs to the 2001::/4 subnet.
...
| search cidr host="2001::/4"
Sample input documents:
| host |
|---|
| 2001:0db8::1 |
| fe80::1 |
| 3000::1 |
| 2002:aabb::1234 |
The query execution result may be the following table:
| host |
|---|
| 2001:0db8::1 |
| 2002:aabb::1234 |
Example 8
In this example, a search will be performed for documents where the value of the user field equals Ivanov or starts with Mar.
...
| search user in (Ivanov, "Mar*")
Sample input documents:
| | user | | -| | Ivanov | | Maria | | Petrov | | Ivanova | | John | | mary |
The query execution result may be the following table:
| user |
|---|
| Ivanov |
| Maria |
| mary |
Example 9
This example demonstrates search using field comparison.
...
| search name = nickname
Sample input documents:
| name | nickname | surname |
|---|---|---|
| Paul | ul | Smith |
| Mary | Ma | Johnson |
| Smart | Smena | Brown |
| Sara | Sa | Davis |
| max | Max | Wilson |
| paul | paul | Taylor |
| Alex | Alex | Anderson |
The query execution result may be the following table:
| name | nickname | surname |
|---|---|---|
| max | Max | Wilson |
| paul | paul | Taylor |
| Alex | Alex | Anderson |
Example 10
This example demonstrates field comparison where the right operand is defined by peval.
...
| peval nickname="*ul"
| search name = nickname
Sample input documents:
| name | surname |
|---|---|
| Paul | Smith |
| Mary | Johnson |
| Smart | Brown |
| Sara | Davis |
| max | Wilson |
| paul | Taylor |
| Alex | Anderson |
The query execution result may be the following table:
| name | surname |
|---|---|
| Paul | Smith |
| paul | Taylor |