Search string syntax
A search string can contain words, phrases, name=value pairs, and search commands. Each search string expression can be enclosed in parentheses. In the absence of parentheses, the parentheses are assumed from right to left.
The search string syntax comprises two portions, initial keywords followed by search commands, as in the following example:
Search string = Keywords | Search command1 | Search command2
In this example, the following values apply:
- The first portion (keywords) refers to particular words, phrases, and name=value pairs with which you start your search.
- The second portion (search commands) can be run only on the output of the first portion. You can chain multiple search commands so that the output of one command is consumed as the input of the subsequent command.
This topic contains the following information:
Related topics
Kinds of search string syntax
The following table describes the various kinds of syntax that you can use in your search string. For a list of examples with the appropriate search results that are expected to be highlighted, see Examples of search string results.
Kinds of search syntax
About phrases
The term phrase refers to a combination of alphanumeric characters separated by space. When you search for a phrase, the product matches the exact sequence as it occurs in the search string excluding the delimiters (if any).
If you search for a phrase without enclosing it in double quotes ("), the product finds all data containing one or more of the words that constitute the phrase. Conversely, if you enclose the phrase in double quotes, the search engine looks for data containing the entire phrase as specified.
Phrases can also be referred to as string literals.
You can also search for field values containing spaces by treating them as phrase. For example, to find COLLECTOR_NAME=Win DC1, search for COLLECTOR_NAME="Win DC1".
Search command chaining
You can run search commands on the output of a particular search that you have already performed. For example, the search string, key1=value1 && stringliteral | tail 5 results in the following actions:
- Firstly, the product searches for data that contains both key1=value1 and stringliteral.
- Secondly, the tail search command is run on the output of the search performed in step 1.
In the course of your data investigation, you can chain a set of commands so that the output of one command is consumed as the input to the subsequent command. You can chain multiple commands by using the pipe (|) operator:
Syntax: searchString | Searchcommand1 | SearchCommand2
For detailed information about the syntax for each of the commands, see the individual search command command pages at Search commands.
For a summary of the search syntax for each of the commands, see Search string syntax.
Search string syntax samples
The following table lists search string syntax samples and describes how they are interpreted by the product.
Search string syntax samples
Special characters and their effect on search
You cannot search for special characters literally. For example, if the data contains, ab@mail, searching for @ literally does not return any results. But you can ignore particular special characters to get results. You can do this by specifying a backward slash before the character in the search string or by enclosing the string in double quotes.
These scenarios are described as follows:
- To find data containing double quotes or a backward slash (\), place a backward slash before the double quotes (or backward slash) and then search.
- To find data containing pipe or asterisk, enclose the string containing the pipe (or asterisk) in double quotes and then search.
Delimiters and their effect on search
When you perform a search, all special characters in your data act as delimiters. Delimiters are characters that separate text strings (letters and numbers) and mark the beginning or the end of a particular text string. The common delimiters are period (.), space ( ), comma (,), semicolon (;), pipe (|), underscore (_), slashes (/ \), and so on.
Delimiters affect the way your search works and which part of the data is highlighted.
The following table provides a list of search strings and their effect on the search results that are displayed, with the text highlighted in blue:
Search string | Result highlighted | Delimiters |
|---|---|---|
error and exception | error.and.exception | Period (.) |
log* | logger appender logged logged_off log.bmc.logger | Underscore (_) Period (.) |
log | log.bmc.logger | Period (.) |
WIFI* && "192.168.81.100" | WIFIMacAddress, blocking 192.168.81.100 | Period (.) Comma (,) |
"192.168.81.100" | routing 192 policy applied on 192.168.81.100 | Period (.) |
192.168.81.100 | routing 192 policy applied on 192.168.81.100 | Period (.) |
Syntax for searching the product metrics file
If you want to perform a search on the log files generated by the product (for the Collection Station and Search components), your search string must be in the following format:
_index=metrics searchCriteria
You can also generate a graph that plots a line chart for the contents of the Collection_metrics log file to show you the events indexed in the last week. This graph is available when you click the Search tab.
For more information, see Monitoring-the-product-metric-files.