
This topic provides the following information about performing various kinds of search to investigate your data.

Performing a search

You can perform a manual search by specifying a search string or name=value pair and view the results that match that word or phrase. 

Example

If you search for the word "transaction," you can see all data entries that contain that word.  

You can also perform a wildcard search by specifying the asterisk (*) as a wildcard character. You can use the asterisk to substitute for one or more unspecified characters in your search string. 

Example

To search for org.springframework.beans.factory.BeanCreationException, enter one of the following strings:
  • org.springframework.beans.factory.BeanCreationException

  • *BeanCreationException

  • org.springframework.beans.factory*
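
The three search strings above do not return the same set of entries. The following sketch is an added example (not product code) that treats * as one or more characters, as described above, and assumes matching is applied to whitespace-delimited tokens; the function names and log entries are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a search string containing * into a regex.

    Following the text above, * stands for one or more unspecified
    characters, so it becomes '.+' (not '.*').
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".+".join(literal_parts))

def matching_entries(pattern, entries):
    """Return the entries in which at least one token matches the pattern.

    Assumption: tokens are split on whitespace and trailing punctuation is
    ignored. The product's real tokenization is not described on this page.
    """
    rx = wildcard_to_regex(pattern)
    return [
        entry for entry in entries
        if any(rx.fullmatch(tok.strip(":,;()")) for tok in entry.split())
    ]

# Constructed sample entries (not taken from a real system).
ENTRIES = [
    "2014-09-01 10:00:01 ERROR org.springframework.beans.factory.BeanCreationException: Error creating bean 'ds'",
    "2014-09-01 10:00:02 ERROR com.example.legacy.BeanCreationException: wrapper failure",
    "2014-09-01 10:00:03 WARN org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'x'",
    "2014-09-01 10:00:04 INFO transaction 4711 committed",
]

if __name__ == "__main__":
    for search in (
        "org.springframework.beans.factory.BeanCreationException",
        "*BeanCreationException",
        "org.springframework.beans.factory*",
    ):
        hits = matching_entries(search, ENTRIES)
        print(f"{search!r}: {len(hits)} matching entries")
        for hit in hits:
            print("   ", hit)
```

The leading-wildcard form also returns the same exception name from other packages, and the trailing-wildcard form returns every other class in the package, so only the full string isolates the one exception.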

Your search string can contain words, phrases, or name=value pairs for fields, tags, and search commands. Also, you can perform various kinds of search by using the appropriate search syntax.

For example, you can perform any of the following types of search:

  • A search that returns data containing the exact search string
  • A search for multiple words that returns data containing all of the words or only one of the words
  • A search that uses multiple search commands.

For more information, see Search string syntax.

You can perform a search by navigating to the Search tab, specifying your search criteria in the search bar, and clicking Search or pressing Enter to execute your search. When you perform a simple search without specifying a time context, by default, you will see search results for the last 60 minutes from your current time.

You can click a word displayed in your search results to add it to the search criteria; a new search is then performed.

When you perform a search, the search is automatically paused after one minute. You can resume the search to continue showing search results. To change the search pause time limit, add the indexing.psJobGetMoreTimeoutInmsec property to the searchserviceCustomConfig.properties file. This property defines the time limit (in milliseconds) after which the search (including notifications and views) times out. For more information, see Modifying the configuration files.

If your search is taking too long to complete, you can either pause it and resume it later or cancel the search.

Use one of the following options next to the search bar to pause, resume, or cancel (stop) a search:

  • Pause Search: Pause an ongoing search.
  • Resume Search: Resume a paused search.
  • Cancel Search: Cancel (or stop) a search from executing.

Viewing and understanding search results

When you perform a search, by default the search results and the Timeline Chart are displayed under the search bar.

The search results can be viewed in two ways:

  • By using the Text View.
  • By using the Chart View.

The following table provides information about the various views:

UI element: Description
Text View

This view displays the following information:

  • Timeline Chart: Summarizes the search results in the form of a timeline chart. This chart depicts how your search results are distributed over the specified time context. For more information about using this chart, see Using the Timeline and Summarization charts.
  • Time context: You can click Back and Forward under the Timeline Chart to shift the time context for your search results before or after the current time context. When you shift the time context, the time duration is the same as the current time context that you used for performing a search.
  • Search results: The search results contain a list of indexed data. A single data entry comprises the date, time stamp, time zone of the data entry, and multiple rows of data. If the time stamp for a data file is missing, the product automatically assigns a time stamp at the time of indexing. The time stamp assigned depends on the server on which the indexing mechanism is located. The following rows are displayed:
    • First row (raw data): Displays the indexed raw data entries. You can change the level of detail that you want to see by selecting one of the options in the View list displayed under the Timeline Chart.
      On every page, colored triangles marking the data collectors associated with the search results appear under the Timeline Chart. You can associate the search results with these colored triangles to find out the source of the data displayed.
    • Second row (tags): Displays the tags that you added while creating the data collector. You can click these tags to add to your search criteria and perform a new search.
    • Third row (fields): Displays the fields extracted at the time of indexing. You can click these fields to add to your search criteria and perform a new search. You can also add them to the list of favorite fields under My Fields on the left.
    You can perform the following actions on the search results:
    • Change level of detail: You can change the level of detail for the search results by selecting one of the following views under the Timeline Chart, to the right:
      • Detailed: Displays data and all fields extracted.
      • (Default) Optimized: Displays data and the default fields.
      • Expanded Minimal: Displays all data available so that you can see all entries without having to expand any entries.
      • Minimal: Displays the data available; however, if some entries have an excessive amount of data, you will need to expand the entry to see all of the data.
    • Change the number of results: By default, you can see up to 100 results of a search. You can move to the next page of results by selecting one of the number ranges from the list at the bottom of your screen. You can also click Back and Forward to toggle back and forth between the various pages.
Chart View

This view displays the following information:

  • Timeline Chart: Depicts how your search results are distributed over the specified time context.
  • Summarization Chart: Depending on your search criteria, displays a summary of your search results in the form of a bar diagram or pie chart.

For more information about these charts, see Using the Timeline and Summarization charts.

Searching with a time context

You might want to search for keywords by providing a particular time frame for your search. Searching with a time context can be useful when you want to locate events that might have occurred around a particular time frame. It can help you correlate information about events and thus aid your root-cause analysis. You can search for data containing specified search strings that were indexed in the last 15 minutes, 1 hour, 1 day, or 7 days from your current time. You can also search for data by providing a custom time range.

To search for keywords in a particular time range

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar.
  3. On the time-range list, select one of the following time ranges to apply to your search:
    • Last 15 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 15 minutes of your current time. Click Search.
    • Last 60 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 60 minutes of your current time. Click Search.
    • Last 24 hours: Select this item to search for data (containing the specified search string) that occurred in the last 24 hours of your current time. Click Search.
    • Last 7 days: Select this item to search for data (containing the specified search string) that occurred in the last 7 days of your current time. Click Search.
    • Custom Time: Select this item if you want to specify a custom time range and search for data (containing the specified search string) that occurred for that particular time frame.
      On selecting this item, on the Select Time dialog box, specify the following information:
      1. From: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the starting point from where you want to see the data. Click Done.
      2. To: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the ending point until when you want to see the data. Click Done.
      3. Click OK and then click Search to run your search.

      The Timeline Chart appears, showing a summary of your search results, followed by a list of data entries that you can investigate or analyze.

      Note

      If you set a custom time for a duration that exceeds the value set in the Read from Past (#days) field when creating data collectors, you might not see any search results.

  4. (Optional) Browse through the data entries that appear before and after the time range that you specified, by clicking Back and Forward under the Timeline Chart.
    The time gap used to browse through the data entries depends on the time range you selected in step 3.
  5. (Optional) Right-click on a particular data entry in the search results, and search for results from the last 5 seconds, 30 seconds, 1 minute, and 5 minutes. When you do so, your search criterion changes to show search results for the data collector relevant to that data entry.

Searching with fields and tags

Fields are searchable name=value pairs in the event data that you indexed. When performing a search, you normally search against raw entries of your event data. To make your search more accurate, you can search by using fields. Fields are extracted from the data files at the time of indexing. By default, the HOST and COLLECTOR_NAME fields are displayed under My Fields, in the Filter Pane on the left, which you can collapse or expand by clicking Collapse or Expand. You can also add additional fields under My Fields and then add those fields to your search criteria.

Tags are field values that can be categorized in a certain way; for example, by location, department, operating system, and so on. Tags can be assigned to your event data when you create a data collector. These tags are displayed under Tags, in the Filter Pane on the left, which you can collapse or expand by clicking Collapse or Expand. You can narrow your search results by adding tags to your search criteria.

When you add fields or tags from the Filter Pane to your search criteria and then execute the search, your original search query does not change. Instead, the fields and tags are displayed at the bottom of the search bar, where you can choose to include or exclude them, or clear them altogether. To be able to see the actual search query that is run when you execute a search by adding fields or tags from the Filter Pane, click Show Query.

To perform a search by using fields and tags

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar and click Search.
  3. Perform one of the following actions:
    • To search by using fields, in the Filter Pane, select one or more of the field entries to add them to the search criteria displayed under the search bar. 
    • To search by using tags, in the Filter Pane, click one or more tags to add them to the search criteria displayed under the search bar.

    When you select multiple field entries (or tags), they are displayed under the search bar. You can click IN or NOT IN to toggle between excluding or including those fields (or tags) from your search criteria.
    To remove the field (or tag) from your search criteria, click Remove that is part of the field name (or tag name) under the search bar.
    To clear the fields and tags that you selected to add to your search criteria, click Clear.

    Tip

    You can manually enter field names or tag names in your search criteria.

  4. Click Search to execute your search.

To add or delete fields in the list of favorites under the My Fields panel

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar and click Search.
  3. Perform one of the following actions:
    • In the search results area, click Add to My Fields next to the field entry.
    • To delete the field from under My Fields, click Delete next to the field name that you want to delete.

      Note

      You cannot delete default fields.

Running search queries from the workspace

You can run search queries listed in the workspace for the original time context or the relative time context. If you run a search query for the original time context, the search results are displayed for the same period as the original time. If you run a search query for the relative time context, the search query is run for the current period but for the same time context as that of the original search query.

For example, you can run the search query for the last 7 days as of September 1, 2014. If you run the search query for the original time context, you can see the same search results that were available as of September 1, 2014. But if you run the search query for the relative time context, as of October 1, 2014, you can see search results for the last 7 days from October 1, 2014.

  • To run a search query for the original time context, point to the desired search query and click Run.
  • To run a search query for the relative time context, point to the desired search query, click the down arrow next to Run, and select Relative time.

Note

You cannot run a custom time search query for the relative time context.
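
The original and relative time contexts, as an added example that is not part of the product: the sketch resolves the search window for a saved query in either mode and rejects custom-time queries in relative mode. SavedQuery, save_preset, resolve_window and shift are hypothetical names, and moving Back or Forward by the window's own duration is an assumption based on the Text View description.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# The preset time ranges offered on the time-range list.
PRESETS = {
    "Last 15 minutes": timedelta(minutes=15),
    "Last 60 minutes": timedelta(minutes=60),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
}

class SavedQuery(NamedTuple):
    search_string: str
    time_range: str   # a PRESETS key, or "Custom Time"
    start: datetime   # window resolved when the query was first run
    end: datetime

def save_preset(search_string, time_range, ran_at):
    """Record a preset-range query together with the window it covered."""
    return SavedQuery(search_string, time_range, ran_at - PRESETS[time_range], ran_at)

def resolve_window(query, mode, now):
    """Return (start, end) for re-running a saved query from the workspace."""
    if mode == "original":
        # Same period as the first run, regardless of the current time.
        return query.start, query.end
    if mode == "relative":
        if query.time_range == "Custom Time":
            raise ValueError("custom time queries cannot run in relative time context")
        # Same range (for example, 7 days), anchored at the current time.
        return now - PRESETS[query.time_range], now
    raise ValueError(f"unknown mode: {mode}")

def shift(window, direction):
    """Back (-1) or Forward (+1): move the window, keeping its duration."""
    start, end = window
    span = end - start
    return start + direction * span, end + direction * span

if __name__ == "__main__":
    q = save_preset("transaction", "Last 7 days", datetime(2014, 9, 1))
    print("original:", resolve_window(q, "original", datetime(2014, 10, 1)))
    print("relative:", resolve_window(q, "relative", datetime(2014, 10, 1)))
    print("back:    ", shift(resolve_window(q, "original", datetime(2014, 10, 1)), -1))
```

Re-running in the original time context reproduces the window an earlier investigation looked at; the relative time context answers the same question for the current period.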

Related topics

Search commands

Managing workspaces

Search string syntax