You can perform a manual search by specifying a search string or name=value pair and view the results that match that word or phrase.
This topic provides the following information about performing various kinds of search to investigate your data.
You can perform a search by navigating to the Search tab, specifying your search criteria in the search bar, and clicking Search or pressing Enter to execute your search. When you perform a simple search without specifying a time context, by default, you will see search results for the last 60 minutes from your current time.
You can click a word displayed in your search results to add it to the search criteria; a new search is then performed.
You can perform a wildcard search by specifying the asterisk (*) as a wildcard character. You can use the asterisk to substitute for one or more unspecified characters in your search string.
org.springframework.beans.factory.BeanCreationException, enter one of the following strings:
Your search string can contain words, phrases, or name=value pairs for fields, tags, and search commands. Also, you can perform various kinds of search by using the appropriate search syntax.
For example, you can perform any of the following types of search:
For more information, see.
When you perform a search, by default the search results and the Timeline Chart are displayed under the search bar.
The search results can be viewed in two ways:
The following table provides information about the various views:
The Text View displays the following information:
You can perform the following actions on the search results:
The Chart View displays the following information:
You might want to search for keywords within a particular time frame. Searching with a time context can be useful when you want to locate events that might have occurred around a particular time. It can also help you correlate information about events and thus aid your root-cause analysis. You can search for data containing specified search strings that were indexed in the last 15 minutes, 1 hour, 1 day, or 7 days from your current time. You can also search for data by providing a custom time range.
The Timeline Chart appears, showing a summary of your search results, followed by a list of data entries that you can investigate or analyze.
If you set a custom time for a duration that exceeds the value set in the Read from Past (#days) field when creating data collectors, you might not see any search results.
Alternatively, you can adjust the handles on the slider under the Timeline Chart to select a time range and click Search. This helps you easily select a custom time range and see the corresponding search results. For more information, see Using the Timeline and Summarization charts.
Fields are searchable name=value pairs in the event data that you indexed. When performing a search, you normally search against raw entries of your event data. To make your search more accurate, you can search by using fields. Fields are extracted from the data files at the time of indexing. By default, the HOST and COLLECTOR_NAME fields are displayed under My Fields, in the Filter Pane on the left. You can also add fields under My Fields and then add those fields to your search criteria.
The Filter Pane can be collapsed or expanded by clicking Collapse or Expand. If you are unable to view the field names properly, you can manually drag the Filter Pane to get a better view.
Tags are field values that can be categorized in a certain way; for example, by location, department, operating system, and so on. Tags can be assigned to your event data when you create a data collector. These tags are displayed under Tags, in the Filter Pane on the left, which you can collapse or expand by clicking Collapse or Expand. You can narrow your search results by adding tags to your search criteria.
When you add fields or tags from the Filter Pane to your search criteria and then execute the search, your original search query does not change. Instead, the fields and tags are displayed at the bottom of the search bar, where you can choose to include or exclude them, or clear them altogether. To be able to see the actual search query that is run when you execute a search by adding fields or tags from the Filter Pane, click Show Query.
To search by using tags, in the Filter Pane, click one or more tags to add them to the search criteria displayed under the search bar.
When you select multiple field entries (or tags), they are displayed under the search bar. You can click IN or NOT IN to toggle between including those fields (or tags) in your search criteria and excluding them.
To remove a field (or tag) from your search criteria, click Remove, which is part of the field name (or tag name) under the search bar.
To clear the fields and tags that you selected to add to your search criteria, click Clear.
To view the search syntax for the fields and tags included, click View query syntax.
You can manually enter field names or tag names in your search criteria.
To delete a field from under My Fields, click Remove next to the field name that you want to delete.
You cannot delete default fields.
You can run search queries listed in the workspace for the original time context or the relative time context. If you run a search query for the original time context, the search results are displayed for the same period as the original time. If you run a search query for the relative time context, the search query is run for the current period but for the same time context as that of the original search query.
For example, you can run the search query for the last 7 days as of September 1, 2014. If you run the search query for the original time context, you can see the same search results that were available as of September 1, 2014. But if you run the search query for the relative time context as of October 1, 2014, you can see search results for the last 7 days from October 1, 2014.
You cannot run a custom time search query for the relative time context.
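The following added example (an illustration written for this page, not code from the product) models how the original and relative time contexts resolve to a concrete period, including the rule that a custom time query cannot run in the relative time context. The SavedSearch class, the resolve_window function, and the sample query are hypothetical names and values chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class SavedSearch:
    """Hypothetical model of a workspace query; not the product's data structure."""
    query: str
    run_at: datetime                      # when the search was originally executed
    lookback: Optional[timedelta] = None  # "last N" window, for example the last 7 days
    custom_range: Optional[Tuple[datetime, datetime]] = None  # explicit start and end


def resolve_window(s: SavedSearch, mode: str, now: datetime) -> Tuple[datetime, datetime]:
    """Return the (start, end) period a rerun covers in the 'original' or 'relative' context."""
    if mode not in ("original", "relative"):
        raise ValueError(f"unknown time context: {mode!r}")
    if s.custom_range is not None:
        if mode == "relative":
            # Per the text above: custom time queries cannot run in the relative time context.
            raise ValueError("custom time query cannot run in the relative time context")
        return s.custom_range
    if s.lookback is None:
        raise ValueError("saved search has neither a lookback nor a custom range")
    # Original context: anchor on the original run time.
    # Relative context: same duration, anchored on the current time.
    end = s.run_at if mode == "original" else now
    return end - s.lookback, end


# Constructed sample that mirrors the dates used in the text above.
SAMPLE = SavedSearch(query="BeanCreationException",
                     run_at=datetime(2014, 9, 1),
                     lookback=timedelta(days=7))
NOW = datetime(2014, 10, 1)

if __name__ == "__main__":
    for mode in ("original", "relative"):
        start, end = resolve_window(SAMPLE, mode, NOW)
        print(f"{mode:8s} {start:%Y-%m-%d} .. {end:%Y-%m-%d}")
```

When you reproduce findings from an earlier investigation, the original context is the one that returns the same period of evidence; the relative context answers whether the same pattern is still occurring now.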
When you perform a search, the search is automatically paused after one minute. You can resume the search to continue showing search results. To change the search pause time limit, you can add the indexing.psJobGetMoreTimeoutInmsec property to the searchserviceCustomConfig.properties file. This property defines the time limit (in milliseconds) after which the search (including notifications and views) times out. For more information, see Modifying the configuration files.
If your search is taking too long to complete, you can either pause it and resume it later or cancel the search.
Use one of the following options next to the search bar to pause, resume, or cancel (stop) a search:
Use the following options on the Search tab to perform other actions after performing a search:
Export Search Results
If you want to save the search results for later viewing, you can export them.
You can export a maximum of 100,000 search results. You can change the maximum number of results to export by navigating to Administration > System Settings.
You can export the results in one of the following formats:
If you repeatedly run a particular search, you can save the search query for future use.
Furthermore, you can use saved searches for adding views and notifications.
For more information, see Managing saved searches.