Search strategies

To perform a search, on the Search tab, you must specify search criteria and then click Search Search icon.jpg to see results matching those criteria. Alternatively, you can press Enter to run your search. For more information, see Performing-a-simple-search.

The following video (4:33) illustrates tips that you can use to search easily and more efficiently:

Note

The following video displays screens from an earlier version, however, the information provided in the video is still relevant to the current version of the product.

Related topics

Searching-for-data

Viewing-search-results

Type-ahead-search-suggestions

Analyzing-data

 

icon-play.png http://yt.vu/pq2K8_hj0rc

This following tips can help you refine your searches and get better results:

Tip 1: Search for substrings

Use the asterisk (*) as a wildcard character for any unknown terms in your search string. For more information, see Getting-started-with-search.

Tip 2: Focus on the time range

After specifying a search string, select a time range in which the data you are looking for is likely to occur. If you do not select an appropriate time range, then it is likely that you do not see any results, as that data might have occurred in the past. For more information about searching with a time context, see Filtering-your-search-results.

Another reason why you might not be able to search for past data can be due to the data retention period set. For more information about data retention and deletion, see Setting-up-data-collection.

Tip 3: Choose search terms carefully

While specifying a search criteria in the search box, choose terms that are likely to appear in the data that you are searching. For example, instead of searching for failure, search for error 401.

Depending on how you specify your search criteria, particular search results are highlighted. For more information, see Search-string-examples-and-their-results.

Best practice

Broad search scopes is one of the factors that affect search performance. BMC recommends that you use specific keywords for searching rather than a wildcard character (*) piped by search commands. Using specific key words helps you reduce data that is irrelevant. Therefore, BMC recommends you to search for specific data sources, data pattern types, data collectors, application tags, and specific errors instead of searching for the wildcard asterisk (*). For more information, see Variables-that-impact-product-performance.

Tip 4: Start simple

When you start searching, start simple and then add more details. For example, start with error 500.

You can add more details later. This means you can use various operators such as && (and), || (or) and then add more words in your search string. For example, if you are trying to find error 500 in the data occurring from a particular host, then you can specify the search string, error 500 && HOST=Houston.

Note that if you do not specify the && operator between two words that are separated by space, then the product automatically interprets the || operator between those words. In the preceding example, if you had not specified the && operator, then the string would be interpreted as error 500 || HOST=Houston.

For more information, see Search-string-syntax.

Tip 5: Use filters when possible

You can filter data and narrow down your search results in various ways. Filtering can help you get more accurate results.

Fields and tags can be added in various ways – by using the Search Tools on the landing page, by using the Filters panel (on the left) of the Search page, and from the search results area.

You can also filter results by changing the time context for which the search results are displayed. For example, if you want to see the data trend for the last 24 hours, you can select Last 24 hours from the time range list on the Search tab.

For more information, see Filtering-your-search-results.

Tip 6: Search for exact phrases

If you want to find results containing the exact string that you are searching for, then enclose the string in double quotes. For example, suppose you want to find the exact phrase, connection timed out, search for "connection timed out".

For more information, see Search-string-syntax.

Tip 7: Don't worry about the capitalization

You can ignore capitalization in the following scenarios:

  • Searching for plain text appearing in the raw data

    Example

    Searching for Response Size in the raw data is the same as response size.

  • Searching with search command names with the associated functions and operators

    Example

    Searching for ... | group maxevents=2 maxspan=2m is the same as ... | Group MaxEvents=2 MaxSpan=2m

  • Searching with field values and tag values when included in a manually added search string.

    Note that you can control case sensitivity for field values and tag values, but not field names and tag names. By default, field names and tag names are treated in a case sensitive way.

    Example
    • Searching for {{code language="none"}}
      OS=WINDOWS
      {{/code}}       is the same as {{code language="none"}}
      OS=Windows
      {{/code}}      .
      The field value, WINDOWS is case insensitive.
    • Searching for OS=Windows is not the same as os=Windows.
      The field name OS, is case sensitive.

For more information, see Case-sensitive search and case-insensitive search.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*