<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>LogAnalyzer Search Syntax</title>
</head>
<body>
<h1>LogAnalyzer Search Syntax</h1>
<p>This document describes how you can search in LogAnalyzer. Please note that
you can also always use the "advanced search" dialog to build the search string.
<p>A search term always has the format "property:search", where property is the
data item to search (for example the syslog tag or the source system).
The available properties depend on the data source in use, the parsers present,
and even the actual data; the ones usually available are listed below. There
is one special case: because searching inside the message text itself is so
common, it has no property name. To search the message text, simply omit the
"property:" part.
<p>LogAnalyzer has two basic data types that are handled differently from each
other: string and number. There is also a date type filter and the message
field, but these are handled separately from the other fields. Filters are
delimited by spaces, and filters on different fields are combined by AND.
<h3>String Fields</h3>
<p>For string type fields you can search for partial or full string matches.
Searching for full string matches can improve performance in your logstream.
If your search string contains spaces, you need to replace them with a +
character, because the space character splits the filters. If you want to
search for a single + sign, you need to double it, so + becomes ++ in your
search string. To give multiple search values for the same field, separate
them with commas - but remember, no spaces!
<p>String filters can be included in your search as well as excluded. All
included filters of a field type are combined by OR, which means that if you
search for "Search1" and "Search2", you will get results matching either string.
This is different when you exclude strings from your search. Excluded filters of
a field type are combined by AND, for the simple reason that if you exclude
"Search1" and "Search2", you want both excluded, not just one or the other.
<p>Below you will see what the syntax looks like:</p>
<ul>
<li>Search for a partial string match: <B>property:search</B></li>
<li>Search for multiple partial string matches: <B>property:search1,search2</B></li>
<li>Search for a full string match: <B>property:=search</B></li>
<li>Search for multiple full string matches: <B>property:=search1,=search2</B></li>
<li>Exclude by a partial string match: <B>property:-search</B></li>
<li>Exclude multiple partial string matches: <B>property:-search1,-search2</B></li>
<li>Exclude by a full string match: <B>property:-=search</B></li>
<li>Exclude multiple full string matches: <B>property:-=search1,-=search2</B></li>
</ul>
<p>Additionally, some LogStream sources support regular expression (REGEX)
searches when the backend supports them natively. Currently the MySQL LogStream
and the PDO LogStream (MySQL and PostgreSQL only) support REGEX searches. To use
a regular expression in a search, prepend the search phrase with the ~ character.
See the samples below:
</p>
<p>Search samples with REGEX support:</p>
<ul>
<li>Search for a REGEX string match: <B>property:~search</B></li>
<li>Exclude a string by REGEX match: <B>property:-~search</B></li>
</ul>
<h3>Number Fields</h3>
<p>Number fields work similar to string fields, except that there are no partial
matches, and the search value obviously must be a number. There are a few
exceptions where you can use string representations instead of numbers, but
these will be explained later.
<p>Below you will see what the syntax looks like:</p>
<ul>
<li>Search for a number: <B>property:1234</B></li>
<li>Search for multiple numbers: <B>property:1234,5678</B></li>
<li>Exclude a number from the search: <B>property:-1234</B></li>
<li>Exclude multiple numbers from the search: <B>property:-1234,-5678</B></li>
</ul>
<p> </p>
<h3>Date Field</h3>
<p>There is currently only one date field, but there are two different kinds
of date filters you can use on it. The first option is to search for a time
range, using the datefrom and dateto properties. The date/time format has to
be an ISO timestamp (see RFC 3339 for details) for both properties. The other
option is datelastx, which filters for the last hour (filter value 1), the last
12 hours (filter value 2), the last 24 hours (filter value 3), the last 7 days
(filter value 4) or the last 31 days (filter value 5). </p>
<ul>
<li>This search will filter for events starting at 2007-10-01 and ending at
2008-10-01: <B>datefrom:2007-10-01T00:00:00 dateto:2008-10-01T23:59:59</B></li>
<li>This search will show events from the last 24 hours: <B>datelastx:3</B></li>
</ul>
<p> </p>
<h3>Message Field</h3>
<p>The message field is a string type field and does not require the use of a
property. You can have include and exclude filters here as well. The main
difference from ordinary string filters is that include filters are combined
with AND instead of OR. </p>
<ul>
<li>This search will include "test1": test1</li>
<li>This search will include "test1" and "test2": test1 test2</li>
<li>This search will exclude "test1": -test1</li>
<li>This search will exclude "test1" and "test2": -test1 -test2</li>
</ul>
<p>[<a href="manual.html">manual index</a>] [<a href="http://loganalyzer.adiscon.com">LogAnalyzer site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://loganalyzer.adiscon.com">Adiscon LogAnalyzer</a> project.<br>
Copyright © 2008-2011 by <a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.
<a href="http://loganalyzer.adiscon.com/commercial">Adiscon LogAnalyzer commercial licenses are also available.</a>
</font></p>
</body></html>