Search best practices
Before using the product to search data, factor in all the search requirements that might affect your data collection strategy.
This topic contains the following information that you can use as search best practices:
Planning your data collector configurations
Searching can be easier and more effective if you think ahead and factor your search requirements into your data-collection configuration strategy. You can start by making decisions about the factors listed in the following table when planning your data-collector configuration:
Search performance
The following factors can impact your search performance:
Using fields
Keep the following points in mind when you add field definitions and subsequently use them for search:
Creating complex search commands
When you are building a complex search command by chaining search commands (for example, error | filter greaterthan(price,"10") | timechart span=1d count(HOST)), follow these recommendations. This is necessary because the time slicing happens only after all the search results are processed, which hampers the Search component capabilities and makes the results appear slowly.
- Use existing examples of search syntax as a starting point.
- When constructing multilevel search commands, build the search incrementally, and validate one level at a time.
- After you have validated the results of a search command and you are satisfied with it, save the query to create a saved search. Saving a search ensures that the same search query can be reused and leveraged by others.
Using specific time ranges for search
Search results will be much more relevant if you try to focus on the time range during which the error occurred. For example, searching a specific 15-minute time range can yield more meaningful results than searching the last 24 hours.
It is recommended that you narrow your search by providing a more specific time range.
Backing up your saved searches
It is recommended that you save important search queries to create saved searches. BMC recommends that you periodically export all of your saved searches via a content pack. Doing so ensures that you have a backup of your important search queries outside of the system.
Scaling the Search components
While deploying multiple Search components in your environment, ensure that all the Search components are operating in the same time zone. Doing this is important for scheduling notifications correctly.