Simple Search Syntax

Booleans
AND - A and B matches events that contain A and B

OR - A or B matches events that contain A or B

NOT - A and NOT (B or C) matches events that contain A but neither B nor C

Quotation Marks
Used to match a term exactly. Quoting is recommended whenever the searched term contains a key word or reserved character (key words: ( ) = and or not in * ?), which would otherwise be parsed as an operator, a grouping symbol or a wildcard instead of as part of the term.

Example: "connection(1234) failure" -> matches the exact string connection(1234) failure

Parentheses
Parentheses group several terms into a single result and override the default operator precedence within a search query.

a or (b in folder.my_folder) -> events that contain a anywhere, or events that contain b in the logs and sub folders under the folder my_folder (the scope applies only to b)

a or b in folder.my_folder -> events that contain a or b in the logs and sub folders under the folder my_folder (the scope applies to the whole expression a or b)

a and b or c -> the key word and binds tighter than or, so this is equivalent to (a and b) or c

a and (b or c) -> b or c is evaluated first, and the result is then combined with a using and

Wildcards
May be placed anywhere in a search term:

* - *foo, foo*, f*oo, *foo*, *f*o*o* (* stands for any sequence of characters, including none)

? - ?oo, fo?, f?o (? stands for exactly one character)

Search in specific log/folder/application/server
error in log.my_log -> search for error only in logs whose name is my_log
error in log.my* -> search for error only in logs whose name starts with my

error in folder.my_folder -> search for error only in logs under folders whose name is my_folder
error in folder.my* -> search for error only in logs under folders whose name starts with my

error in host.my_host -> search for error only in logs whose source name is my_host
error in host.my* -> search for error only in logs whose source name starts with my
host.my_host is equivalent to server.my_host

error in app.my_app -> search for error only in logs associated with applications whose name is my_app
error in app.my* -> search for error only in logs associated with applications whose name starts with my
app.my_app is equivalent to application.my_app

Comparison Search (in a specific log column)
column_name=search_value -> search for events that have a column named column_name whose value equals search_value (only logs that have a column with that name can match)

column_name=search_value in log.my_log -> search for events in the log my_log whose column column_name equals search_value (only if that log has a column with that name)

column_name contains search_value -> search for events that have a column named column_name whose value contains search_value (only logs that have a column with that name can match)

column_name contains search_value in log.my_log -> search for events in the log my_log whose column column_name contains search_value (only if that log has a column with that name)
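As an added illustration, not the product's own search engine, the following Python implements a small evaluator for the syntax described above and runs it over a handful of constructed events. It encodes the rules stated on this page: and binds tighter than or, not applies to the term or parenthesised group that follows it, a trailing in scope.pattern restricts the whole expression it follows unless parentheses limit it, quoted terms match literally, * and ? are the only wildcards, and server/application are aliases for host/app. The event fields (log, folder, host, app, text, columns), the word-boundary matching of unquoted terms and the tokenizer are assumptions made for the example, since the page does not specify them. One detail worth copying in any real implementation is how wildcards are translated: every character other than * and ? is escaped before the term becomes a regular expression, so a user-supplied search term cannot smuggle regex metacharacters into the matcher.

```python
"""Evaluator for the search syntax on this page (added example, not the product's code).
Precedence, scoping and matching rules are taken from the page; the event
layout, the word-boundary matching of bare terms and the tokenizer are assumptions."""
import re

# Constructed sample events: scope fields, free text and optional typed columns.
EVENTS = [
    {"id": 1, "log": "my_log", "folder": "my_folder", "host": "web01", "app": "my_app",
     "text": "connection(1234) failure on port 443", "columns": {"status": "500"}},
    {"id": 2, "log": "other", "folder": "my_folder", "host": "db01", "app": "billing",
     "text": "disk full error", "columns": {"status": "503"}},
    {"id": 3, "log": "my_audit", "folder": "archive", "host": "my_host", "app": "my_app",
     "text": "login error for user alice", "columns": {"user": "alice"}},
    {"id": 4, "log": "my_log", "folder": "archive", "host": "web02", "app": "my_app",
     "text": "connection failure", "columns": {}},
]
SCOPE_ALIASES = {"server": "host", "application": "app"}   # page: host==server, app==application

def wildcard_body(pattern):
    """Translate * and ? to regex; escape everything else so metacharacters stay literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def term_re(pattern):      # bare term: matches a whole word anywhere in the event text
    return re.compile(r"(?<!\w)" + wildcard_body(pattern) + r"(?!\w)", re.IGNORECASE)

def scope_re(pattern):     # scope name: must match the whole field value
    return re.compile(wildcard_body(pattern), re.IGNORECASE)

def tokenize(query):
    # quoted strings stay one token; ( ) = are single-char tokens; everything else is a word
    return re.findall(r'"[^"]*"|[()=]|[^\s()=]+', query)

class Parser:
    """Recursive descent: query := or_expr ['in' scope]; or_expr := and_expr ('or' and_expr)*;
    and_expr := unary ('and' unary)*; unary := 'not' unary | primary."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def kw(self, word):    # keyword test that ignores quoted tokens
        t = self.peek()
        return t is not None and not t.startswith('"') and t.lower() == word
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def query(self):
        node = self.or_expr()
        if self.kw("in"):          # scope binds to the whole expression it follows
            self.take()
            field, _, pat = self.take().partition(".")
            field = SCOPE_ALIASES.get(field.lower(), field.lower())
            node = ("in", field, scope_re(pat), node)
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.kw("or"):
            self.take(); node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.kw("and"):
            self.take(); node = ("and", node, self.unary())
        return node
    def unary(self):
        if self.kw("not"):
            self.take(); return ("not", self.unary())
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.query()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok.startswith('"'):
            return ("phrase", tok[1:-1].lower())          # exact match, wildcards literal
        if self.peek() == "=":
            self.take(); return ("eq", tok, self.take().strip('"'))
        if self.kw("contains"):
            self.take(); return ("contains", tok, self.take().strip('"'))
        return ("term", term_re(tok))

def matches(node, ev):
    kind = node[0]
    if kind == "term":     return node[1].search(ev["text"]) is not None
    if kind == "phrase":   return node[1] in ev["text"].lower()
    if kind == "eq":       return node[1] in ev["columns"] and ev["columns"][node[1]] == node[2]
    if kind == "contains": return node[1] in ev["columns"] and node[2] in ev["columns"][node[1]]
    if kind == "in":       return bool(node[2].fullmatch(ev.get(node[1], ""))) and matches(node[3], ev)
    if kind == "not":      return not matches(node[1], ev)
    if kind == "and":      return matches(node[1], ev) and matches(node[2], ev)
    if kind == "or":       return matches(node[1], ev) or matches(node[2], ev)
    raise ValueError(kind)

def search(query, events=EVENTS):
    """Return the ids of the events that match `query`."""
    p = Parser(query)
    tree = p.query()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    return [ev["id"] for ev in events if matches(tree, ev)]

if __name__ == "__main__":
    for q in ['"connection(1234) failure"', 'error in folder.my*', 'connection and failure or error',
              'connection and (failure or error)', 'alice or disk in folder.my_folder',
              'alice or (disk in folder.my_folder)', 'status=500 in log.my_log']:
        print(f"{q:40} -> {search(q)}")
```

Running the block prints the precedence pairs from the Parentheses section side by side: connection and failure or error returns every sample event because or is applied last, while connection and (failure or error) returns only the two connection events; likewise alice or disk in folder.my_folder drops the alice event because the folder scope covers both terms, and the parenthesised form keeps it.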

Activate Saved Searches
search.search_name -> execute the saved search called search_name