Filtering your search results

The Search tab provides various ways to filter your data and narrow down your search results. By refining your search criteria, you can find exactly what you are looking for.

Use the following methods to filter your search results:

Searching with a time context

Search results will be much more relevant if you try to focus on the time range during which the error occurred. For example, searching a specific 15-minute time range can yield more meaningful results than searching the last 24 hours. Therefore, it is recommended that you narrow down your search results by providing a more specific time range.

Searching with a time context can also help you correlate information about events and thus aid your root-cause analysis. For example, you can search for data containing specified search strings that were indexed in the last 15 minutes, 1 hour, 1 day, or 7 days from your current time. You can also search for data by providing a custom time range. 

To search for keywords in a particular time range

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar.
  3. On the time-range list, select one of the following time ranges to apply to your search and click Search:
    • Last 5 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 5 minutes of your current time. 
    • Last 15 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 15 minutes of your current time. 
    • Last 60 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 60 minutes of your current time.
    • Last 6 hours: Select this item to search for data (containing the specified search string) that occurred in the last 6 hours of your current time.
    • Last 24 hours: Select this item to search for data (containing the specified search string) that occurred in the last 24 hours of your current time.
    • Last 2 days: Select this item to search for data (containing the specified search string) that occurred in the last 2 days of your current time.
    • Last 7 days: Select this item to search for data (containing the specified search string) that occurred in the last 7 days of your current time.
    • Custom Time: Select this item if you want to specify a custom time range and search for data (containing the specified search string) that occurred in that particular time frame.
      When you select this item, specify the following information in the Select Time dialog box:
      1. From: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the starting point from where you want to see the data. Click Done.
      2. To: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the ending point until when you want to see the data. Click Done.
      3. Click OK.

      The timeline chart appears, showing a summary of your search results, followed by a list of data entries that you can investigate or analyze.

      Note

      If you set a custom time for a duration that exceeds the value set in the Read from Past (#days) field when creating data collectors, you might not see any search results.

      Alternatively, you can adjust the handles on the slider under the timeline chart to select a time range and click Search. This helps you easily select a custom time range and see the corresponding search results. For more information, see Using the timeline and summarization charts.

  4. (Optional) Browse through the data entries that appear before and after the time range that you specified, by clicking Shift time context to previous and Shift time context to next on the top-left of the timeline chart.
    The time gap used to browse through the data entries depends on the time range you selected in step 3.
  5. (Optional) Right-click on a particular record in the search results, and search for results from the last 5 seconds, 30 seconds, 1 minute, and 5 minutes.
  6. (Optional) Click one of the bars on the timeline chart to drill down into your search results. For more information, see Using the timeline and summarization charts.

Searching with fields and tags

Fields are searchable name=value pairs in the event data that you indexed. When performing a search, you normally search against raw entries of your event data. To make your search more accurate, you can search by using fields. Fields are extracted from the data files at the time of indexing. By default, the HOST and COLLECTOR_NAME fields are displayed on the Filters panel, under the Fields section, on the left. You can also add fields under the Fields section and then add those fields to your search criteria. The Filters panel can be collapsed or expanded by clicking Collapse or Expand. If you are unable to view the field names properly, you can manually drag the Filters panel to get a better view.

Tags are field values that can be categorized in a certain way; for example, by location, department, operating system, and so on. Tags can be assigned to your event data when you create a data collector. These tags are displayed under Tags, in the Filters panel on the left, which you can collapse or expand by clicking Collapse or Expand. You can narrow your search results by adding tags to your search criteria.

You can add fields and tags to your search criteria in various ways to narrow down your results. You can select fields and tags from the Filters panel. You can also click the fields and tags available in the search results area to add them to the search criteria. Additionally, on the Search landing page, when you click Search Tools, you can select the following default fields or the tags present in the system along with their corresponding value. When you select fields and tags, they are added to the search criteria.

  • COLLECTOR_NAME
  • DATA_PATTERN

When you add fields or tags to your search criteria and run the search, your original search query does not change. Instead, the fields and tags are displayed at the bottom of the search bar, where you can choose to include or exclude them, or clear them altogether. To see the actual search query that is run when you execute a search, click Show Query.

Note

By default, field names and tag names are case sensitive. While searching, you cannot control case sensitivity for field names and tag names. However, you can control case sensitivity for field values and tag values. For more information, see Search string syntax.

 

The following instructions describe the actions supported when performing a search with fields and tags:

To perform a search by using fields and tags

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar and click Search.
  3. Perform one of the following actions:
    • You can search by using fields in one of the following ways:
      • On the Filters panel, under the Fields section, click Add to search criteria next to the field values that you want to add to the search criteria (displayed under the search bar).
      • On the Text View, click a field name=value pair from the search results area to add it to your search criteria (displayed under the search bar).
      • On the Table View, point to one of the field values and then click Add to search criteria next to the field value to add it to your search criteria (displayed under the search bar).
      • On the Chart View, click one of the field names displayed in the Value column in the table. You can also click a clickable area in the summarization chart displayed. This action adds the field to the search criteria and also runs the search.
      • Click Search Tools next to the time range list, select one of the default fields available in the list under the search bar, select the corresponding value in the adjacent list, and then click Add Filter to add the selection to your search criteria. Use this process to add multiple fields to the search criteria.
    • You can search by using tags in one of the following ways:
      • On the Filters panel, under the Tags section, click Add to search criteria next to the tag values that you want to add to the search criteria (displayed under the search bar).
      • On the Text View, click a tag name=value pair from the search results area to add it to your search criteria (displayed under the search bar).
      • On the Table View, point to one of the tag values and then click Add to search criteria next to the tag value to add it to your search criteria (displayed under the search bar).
      • On the Chart View, click one of the tag names displayed in the Value column in the table. This action adds the tag to the search criteria and also runs the search.
      • Click Search Tools next to the time range list, select one of the tags available in the list under the search bar, select the corresponding value in the adjacent list, and then click Add Filter to add the selection to your search criteria. Use this process to add multiple tags to the search criteria.
    • Under the search bar, you can perform the following additional actions:
      • Click IN or NOT IN to toggle between including and excluding fields (or tags) in your search criteria.
      • Click CASE or NOT CASE to apply case sensitivity or case insensitivity for field (or tag) values added to the search criteria.

        By default, case sensitivity is applied to field (or tag) values when you add them from the search results area or from the Filters panel. CASE indicates that the field (or tag) value is treated in a case-sensitive way, while NOT CASE indicates that the field (or tag) value is treated in a case-insensitive way.

        Note

        By default, all manually added search strings are treated in a case-insensitive way. Therefore, field and tag values included in a manually added search string are treated in a case-insensitive way. You can make these values case-sensitive by using the CASE function. For more information, see Case-sensitive search and case-insensitive search.

        When you add a field or tag value from the search results area or from the Filters panel, it is assumed that you want to narrow down your search to the particular value selected. Therefore, by default, such field or tag values added to the search criteria (displayed under the search bar) are treated in a case-sensitive way. You can make them case-insensitive by toggling CASE to NOT CASE, under the search bar.

      • Remove a field (or tag) from your search criteria under the search bar by clicking Remove next to the field (or tag) name.
      • Clear the fields and tags that you added to your search criteria under the search bar by clicking Clear.
      • View the search syntax for the fields and tags included under the search bar by clicking View query syntax.

        Tip

        You can also manually enter field names or tag names in your search criteria.

  4. Click Search to execute your search.
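
The filter behavior described in this procedure (IN or NOT IN, CASE or NOT CASE, case-sensitive field names, and a time range), modeled as an added Python example that is not the product's own code or query syntax. The events are constructed, and the substring text match, the inclusive time window, and the treatment of a missing field are assumptions of this model.

```python
from datetime import datetime, timedelta

IN, NOT_IN = True, False        # include / exclude toggle under the search bar
CASE, NOT_CASE = True, False    # case-sensitive / case-insensitive value match

def _ev(hh, mm, host, raw):
    return {"ts": datetime(2024, 5, 1, hh, mm), "HOST": host, "raw": raw}

# Constructed sample events (not product output).
EVENTS = [
    _ev(10, 2, "websrv01", "Login failed for admin"),
    _ev(10, 7, "WEBSRV01", "login failed for root"),
    _ev(10, 10, "dbsrv02", "login failed for backup"),
    _ev(10, 12, "websrv01", "session opened for admin"),
    _ev(13, 30, "websrv01", "login failed for admin"),
]

def filter_matches(event, name, value, include, case):
    # Field names are always compared exactly; only values honor CASE / NOT CASE.
    actual = event.get(name)
    if actual is None:
        hit = False  # assumption: an event without the field never equals the value
    elif case:
        hit = actual == value
    else:
        hit = actual.lower() == value.lower()
    return hit if include else not hit

def search(text, end, window, filters=()):
    """Events in [end - window, end] whose raw text contains `text`
    (typed strings are case-insensitive by default) and that pass every filter."""
    start = end - window
    return [e for e in EVENTS
            if start <= e["ts"] <= end
            and text.lower() in e["raw"].lower()
            and all(filter_matches(e, *f) for f in filters)]

if __name__ == "__main__":
    end, last15 = datetime(2024, 5, 1, 10, 15), timedelta(minutes=15)
    for label, f in [("IN, CASE", ("HOST", "websrv01", IN, CASE)),
                     ("IN, NOT CASE", ("HOST", "websrv01", IN, NOT_CASE)),
                     ("NOT IN, CASE", ("HOST", "websrv01", NOT_IN, CASE)),
                     ("lowercase field name", ("host", "websrv01", IN, NOT_CASE))]:
        print(label, [e["HOST"] for e in search("login failed", end, last15, [f])])
```

A value added from the Filters panel defaults to CASE, so in this model a host logged as WEBSRV01 drops out of the results until the filter is toggled to NOT CASE.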

To add or delete fields from the list of favorites displayed on the Filters panel

  1. On the Search tab, enter a search string in the search bar and click Search.
  2. Perform one of the following actions:
    • To add a field to the list of favorites on the Filters panel, in the search results area, click Add to Fields next to the field entry.
    • To delete a field from the list of favorites on the Filters panel, under the Fields section on the left, click Remove next to the field that you want to delete.

      Note

      You cannot delete default fields.

Using search operators

You can also use the various search operators available for filtering data and narrowing down your search results. Search operators are words or symbols that you can add to your search string to narrow down results. Examples include && (and), || (or), < (less than), > (greater than), and <> (not equal to).

For more information, see Search string syntax.
