Filtering your search results

Searching with a time context

You might want to search for keywords by providing a particular time frame for your search. Searching with a time context, can be useful when you want to locate events that might have occurred around a particular time frame. Searching with a time context can help you correlate information about events and thus aid your root-cause analysis. You can search for data containing specified search strings that were indexed in the last 15 minutes, 1 hour, 1 day, or 7 days from your current time. You can also search for data by providing a custom time range. 

To search for key words in a particular time range

1. Click the Search tab.
2. Enter an appropriate search string in the search bar.
3. On the time-range list, select one of the following time ranges to apply to your search and click Search :
   • Last 5 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 5 minutes of your current time. 
   • Last 15 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 15 minutes of your current time. 
   • Last 60 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 60 minutes of your current time.
   • Last 6 hours: Select this item to search for data (containing the specified search string) that occurred in the last 6 hours of your current time.
   • Last 24 hours: Select this item to search for data (containing the specified search string) that occurred in the last 24 hours of your current time.
   • Last 2 days: Select this item to search for data (containing the specified search string) that occurred in the last 2 days of your current time.
   • Last 7 days: Select this item to search for data (containing the specified search string) that occurred in the last 7 days of your current time.
   • Custom Time: Select this item if you want to specify a custom time range and search for data (containing the specified search string) that occurred for that particular time frame.
     On selecting this item, on the Select Time dialog box, specify the following information:
     1. From: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the starting point from where you want to see the data. Click Done.
     2. To: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the ending point until when you want to see the data. Click Done.
     3. Click OK.

     The timeline chart appears, showing a summary of your search results, followed by a list of data entries that you can investigate or analyze.

     Note

     If you set a custom time for a duration that exceeds the value set in the Read from Past (#days) field when creating data collectors, you might not see any search results.

     Alternatively, you can adjust the handles on the slider under the timeline chart to select a time range and click Search. This helps you easily select a custom time range and see the corresponding search results. For more information, see Using the timeline and summarization charts.

4. (Optional) Browse through the data entries that appear before and after the time range that you specified, by clicking Shift time context to previous  and Shift time context to next  on the top-left of the timeline chart.
   The time gap used to browse through the data entries depends on the time range you selected in step 3.
5. (Optional) Right-click on a particular record in the search results, and search for results from the last 5 seconds, 30 seconds, 1 minute, and 5 minutes.
6. (Optional) Click one of the bars on the timeline chart to drill down into your search results. For more information, see Using the timeline and summarization charts.

Searching with fields and tags

Fields are searchable name=value pairs in the event data that you indexed. When performing a search, you normally search against raw entries of your event data. To make your search more accurate, you can search by using fields. Fields are extracted from the data files at the time of indexing. By default, the HOST and COLLECTOR_NAME fields are displayed on the Filters panel, under the Fields section, on the left. You can also add additional fields under the Fields section and then add those fields to your search criteria. The Filters panel can be collapsed or expanded by clicking Collapse  or Expand . If you are unable to view the field names properly, you can manually drag the Filters panel to get a better view.

Tags are field values that can be categorized in a certain way; for example, by location, department, operating system, and so on. Tags can be assigned to your event data when you creating a data collector. These tags are displayed under Tags, in the Filters panel on the left, which you can collapse or expand by clicking Collapse  or Expand . You can narrow your search results by adding tags to your search criteria.

You can add fields and tags to your search criteria in various ways to narrow down your results. You can select fields and tags from the Filters panel. You can also click the fields and tags available in the search results area to add it to the search criteria. Additionally, on the Search landing page, when you can click Search Tools, you can select the following default fields or the tags present in the system along with their corresponding value. When you select fields and tags, they are added it to the search criteria.

• COLLECTOR_NAME
• DATA_PATTERN

When you add fields or tags to your search criteria, and run the search, your original search query does not change. Instead, the fields and tags are displayed at the bottom of the search bar, where you can choose to include or exclude them, or clear them altogether. To see the actual search query, that is run when you execute a search, click Show Query.

The following instructions describe the actions supported with performing a search with fields and tags: