Searching the data

You can search in various ways; at a minimum, your search string can contain one or more words, phrases, name=value pairs, or a combination of all.

When you perform a search, search results matching the search query are displayed.

Example

If you search for the word "transaction," you can see all data entries that contain that word.  

This topic summarizes the various kinds of search that you can perform to investigate your data.

Related topics

Where to find more information

Search commands

Search string syntax

Search-tab

Perform a simple search

You can perform a search by navigating to the Search tab. To perform a search, specify your search criteria in the search bar, and click Search Search icon.jpg. Alternatively, press Enter to execute your search. The search results are displayed on the All Data page. For more information, see Search-results.

When you perform a simple search without specifying a time context; by default, you will see search results for the last 60 minutes from your current time.

Searching with a wildcard character

You can perform a wildcard search by specifying the asterisk (*) as a wildcard character. You can use the asterisk to substitute for one or more unspecified characters in your search string. 

Example

To search for org.springframework.beans.factory.BeanCreationException, enter one of the following strings:

  • org.springframework.beans.factory.BeanCreationException
  • *BeanCreationException
  • org.springframework.beans.factory*

Search string syntax

Your search string can contain words, phrases, name=value pairs, fields, tags, and search commands. The accuracy of your search results depends on the syntax used for specifying the search criteria. Depending on your search string syntax, the search results obtained can be generic or specific.

Examples

Specify a search string in the following ways:

  • Search string that returns search results containing the exact search string.
  • Search string for multiple words that returns search results containing all or only one of the words.
  • Search string that uses multiple search commands.

For more information, see Search-string-syntax.

Searching with a time context

You might want to search for keywords by providing a particular time frame for your search. Searching with a time context, can be useful when you want to locate events that might have occurred around a particular time frame. Searching with a time context can help you correlate information about events and thus aid your root-cause analysis. You can search for data containing specified search strings that were indexed in the last 15 minutes, 1 hour, 1 day, or 7 days from your current time. You can also search for data by providing a custom time range. 

To search for key words in a particular time range

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar.
  3. On the time-range list, select one of the following time ranges to apply to your search and click Search Search icon.jpg:
    • Last 5 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 5 minutes of your current time. 
    • Last 15 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 15 minutes of your current time. 
    • Last 60 minutes: Select this item to search for data (containing the specified search string) that occurred in the last 60 minutes of your current time.
    • Last 6 hours: Select this item to search for data (containing the specified search string) that occurred in the last 6 hours of your current time.
    • Last 24 hours: Select this item to search for data (containing the specified search string) that occurred in the last 24 hours of your current time.
    • Last 2 days: Select this item to search for data (containing the specified search string) that occurred in the last 2 days of your current time.
    • Last 7 days: Select this item to search for data (containing the specified search string) that occurred in the last 7 days of your current time.

    • Custom Time: Select this item if you want to specify a custom time range and search for data (containing the specified search string) that occurred for that particular time frame.
      On selecting this item, on the Select Time dialog box, specify the following information:

      1. From: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the starting point from where you want to see the data. Click Done.
      2. To: Click in this field to display a date and time picker and then specify an appropriate date and time to indicate the ending point until when you want to see the data. Click Done.
      3. Click OK.

      The timeline chart appears, showing a summary of your search results, followed by a list of data entries that you can investigate or analyze.

      Note

      If you set a custom time for a duration that exceeds the value set in the Read from Past (#days) field when creating data collectors, you might not see any search results.

      Alternatively, you can adjust the handles on the slider under the timeline chart to select a time range and click Search. This helps you easily select a custom time range and see the corresponding search results. For more information, see Using-the-timeline-and-summarization-charts.

  4. (Optional) Browse through the data entries that appear before and after the time range that you specified, by clicking Shift time context to previous shift time context to previous.jpg and Shift time context to next shift time context to next.jpg on the top-left of the timeline chart.
    The time gap used to browse through the data entries depends on the time range you selected in step 3.
  5. (Optional) Right-click on a particular record in the search results, and search for results from the last 5 seconds, 30 seconds, 1 minute, and 5 minutes.
  6. (Optional) Click one of the bars on the timeline chart to drill down into your search results. For more information, see Using-the-timeline-and-summarization-charts.

Searching with fields and tags

Fields are searchable name = value pairs in the event data that you indexed. When performing a search, you normally search against raw entries of your event data. To make your search more accurate, you can search by using fields. Fields are extracted from the data files at the time of indexing. By default, the HOST and COLLECTOR_NAME fields are displayed on the Filters panel, under the Fields section, on the left. You can also add additional fields under the Fields section and then add those fields to your search criteria.

The Filters panel can be collapsed or expanded by clicking Collapse collapse.png or Expand expand.png. If you are unable to view the field names properly, you can manually drag the Filters panel to get a better view.

Tags are field values that can be categorized in a certain way; for example, by location, department, operating system, and so on. Tags can be assigned to your event data when you creating a data collector. These tags are displayed under Tags, in the Filters panel on the left, which you can collapse or expand by clicking Collapse collapse.png or Expand expand.png. You can narrow your search results by adding tags to your search criteria.

When you use the Filters panel to add fields or tags to your search criteria, and then execute the search, your original search query does not change. Instead, the fields and tags are displayed at the bottom of the search bar, where you can choose to include or exclude them, or clear them altogether. To see the actual search query, that is run when you execute a search, click Show Query.

The following instructions describe the actions supported with performing a search with fields and tags:

To perform a search by using fields and tags

  1. Click the Search tab.
  2. Enter an appropriate search string in the search bar and click Search.

  3. Perform one of the following actions:

    • You can search by using fields in one of the following ways:
      • On the Filters panel, under the Fields section, select one or more of the field entries to add them to the search criteria displayed under the search bar.
      • Click a field appearing in your search results to add it to your search criteria displayed under the search bar.
    • You can search by using tags in one of the following ways:
      • On the Filters panel, under the Tags section, select one or more tags to add them to the search criteria displayed under the search bar.
      • Click a tag name appearing in your search results to add it to your search criteria displayed under the search bar.

    Under the search bar, you can click IN or NOT IN to toggle between excluding or including fields (or tags) from your search criteria.
    To remove the field (or tag) from your search criteria, click Remove cancel.png that is part of the field name (or tag name) under the search bar.
    To clear the fields and tags that you selected to add to your search criteria, click Clear clear.png.

    To view the search syntax for the fields and tags included, click View query syntax.

    Tip

    You can manually enter field names or tag names in your search criteria.

  4. Click Search to execute your search.

To add or delete fields from the list of favorites displayed on the Filters panel

  1. On the Search tab, enter a search string in the search bar and click Search.
  2. Perform one of the following actions:
    • To add a field to the list of favorites on the Filters panel, in the search results area, click Add to Fields Add to My Fields.png next to the field entry.

    • To delete a field from the list of favorites on the Filters panel, under the Fields section on the left, click Remove delete.png next to the field that you want to delete.

      Note

      You cannot delete default fields.

Performing an advanced search

Search commands are a set of commands containing arguments that can be run on the output of a particular search. You can chain a set of search commands so that the output of one search command is consumed as the input to the subsequent search command.

You can perform advanced searches by using search commands in your search criteria. In your search criteria, you can add a pipe (|) separator after your original search query, and then specify the search command. Multiple search commands can also be chained by using a pipe separator (|).

For more information, see Search-commands.

Running a saved search

  1. Navigate to the Saved Searches tab.
  2. Perform one of the following actions:
    • Click the name of the saved search that you want to execute.
    • Select the saved search that you want to execute and click Execute Search execute search.jpg.

For more information, see Managing-saved-searches.

Running a search from an existing dashlet

  1. Navigate to the appropriate dashboard page available under the Dashboards tab.

  2. Click the chart available in one of the dashlets to run the saved search query associated with the dashlet.
    The Search tab displays the search results for the saved search query.

    Note

    This kind of search is not available if the dashlet displays a line chart.

For more information, see Managing-dashboards.

Running a search while cross-launching from BMC ProactiveNet Performance Management

  1. On the BMC ProactiveNet Performance Management Operations Console, click Event Collectors on the left navigation pane.
  2. On the right side of the window, click Tools Menubppm tools menu.jpg, select Launch into IT Data Analytics, and then select the host name of the IT Data Analytics server that is registered with BMC ProactiveNet Performance Management. You see only those host names that were registered for cross-launch at the time of configuring the BMC ProactiveNet Performance Management server
  3. Provide the user credentials for logging on to IT Data Analytics.
    You can see search results for the search query, HOST="hostName" for 30 minutes before and 30 minutes after the event time.
    where, hostName refers to the host name associated with the event.

Tip

You can also cross-launch into BMC TrueSight IT Data Analytics from an event logged by using BMC TrueSight IT Data Analytics. To do this, under Event Collectors, navigate to the Details panel of an event, and then click the Show in BMC TrueSight ITDA URL for Object URI.

For more information, see Integrating-with-BMC-ProactiveNet-Performance-Management.

Continuing a paused search and stopping a search

When you perform a search on the Search tab, after one minute, the search gets automatically paused. When the search is automatically paused, a notification asking whether you want to continue searching or stop (or cancel) the search appears in the search bar. To continue searching and displaying search results, click the Resume link. To stop (or cancel) the search, click the Cancel link in the search bar.

To change the search pause time limit, add the indexing.psJobGetMoreTimeoutInmsec property in the searchserviceCustomConfig.properties file and save the file. This property defines the time limit (in milliseconds) after which the search (including notifications and dashboards) times out. For more information, see Modifying-the-configuration-files.

While your search is still on, you can manually cancel it by clicking Cancel Search Cancel Search.jpgat the end of the search bar.

Other actions available after performing a search

Use the following options on the Search tab to perform other actions after performing a search:

Action

Description

Export Results

If you want to save the search results for later viewing, you can export them.

To do this, click Export Results that is available at the top-right of the search results area.

You can export a maximum of 10,000 search results. You can change the maximum number of results to export, by navigating to Administration > System Settings.

You can export the results in one of the following formats:

  • CSV
  • Raw

Save Search

If you repeatedly run a particular search, you can save the search query for future use. Furthermore, you can use saved searches for adding dashboards and notifications.

To do this, click Save Search save search.jpgnext to the time range list.

For more information, see Managing-saved-searches.

Where to go from here

After performing a search, you can perform the following actions:

  • Compare the search results summarized on the timeline chart across different time contexts. For more information, see Search-results.
  • Analyze the pattern in which the search results are occurring for a particular search query. For more information, see Coalesced-results.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*