Search supports a variety of search operators and functions.
The search query bar automatically displays related fields and operators as you enter your query. For example, type the word “domain” to see all available fields that might contain that string or name. Type an integer like “22”, and Search displays a list of fields to choose from, such as Destination Port, Source Port or “any port.”
Depending on the type of search you create, the query must meet the requirements listed in the following table. Also, Search treats a comma (,) between search items and values as an OR operator.
|
Type |
Full-text |
Field-based |
Hashtag (predefined) |
|---|---|---|---|
|
Case sensitivity |
Case-sensitive |
Case-sensitive |
Case-insensitive |
|
Exact Match |
Keyword treated as keyword*.
|
Enclose value in double quotes.
|
n/a |
|
Nesting, including parenthetical clauses, such as (a OR b) AND c |
Allowed Use Boolean operators to connect and nest keywords. |
Allowed Use Boolean operators to connect and nest keywords. |
Allowed Use Boolean operators to connect and nest keywords |
|
Implicit Operators |
When you enter two values separated by a space, this is treated as an implicit AND condition. Example: ssh fail |
The AND/OR treatment depends on the operator used in the search. For example, destinationAddress = 1.1.1.1, 2.2.2.2 is equivalent to destinationAddress = 1.1.1.1 or destinationAddress = 2.2.2.2 , while the query destinationAddress != 1.1.1.1, 2.2.2.2 is equivalent to destinationAddress != 1.1.1.1 and destinationAddress != 2.2.2.2 |
n/a |
|
List Operations |
n/a |
Performs an inner join or a left join against a custom list. Syntax for an Inner Join: source address in list CustomListName_CustomColumn Name Syntax for a Left Join: source address not in list CustomListName_CustomColumnName |
n/a |
|
No specific format The query needs to contain the exact timestamp string. Example: "10:34:35" |
To narrow the time range, use the following operators:
|
n/a |
|
Use the backslash (\) as an escape character. |
Use the backslash (\) as an escape character. |
n/a |
|
Wildcard |
Can appear anywhere in the value. Examples:
Searches for ablog, blog, long, etc. |
Can appear anywhere in the field. Examples:
|
n/a |
|
Escape a Wildcard Character |
Can search for * by escaping the character. Example: log\* |
Can search for * by escaping the character. Example: name=log\* |
n/a |
You can specify the following search operators in the query:
|
Operator |
Alternative Operator |
Examples |
|---|---|---|
|
AND |
|
|
|
OR |
|
|
|
not equal |
|
destinationPort not equal 21 |
|
equals |
|
|
|
greater than |
|
bytes In greater than 100 |
|
less than |
|
bytes out less than 1000 |
|
greater equal than |
|
|
|
less equal than |
|
Base Event Count less equal than or equal 50 |
|
starts with |
startswith |
message starts with FIN |
|
does not start with |
|
name does not start with FIN |
|
ends with |
endswith |
message ends with out |
|
does not end with |
|
message does not end with out |
|
contains |
|
name contains TCP |
|
does not contain |
does not have |
name does not contain TCP |
|
in list |
|
|
|
not in list |
|
|
|
in subnet |
n/a |
source address in subnet 10.0.0.0/8 |
|
not in subnet |
n/a |
source address not in subnet 10.0.0.0/8 |
|
| (Pipeline operator) |
n/a |
Combine various search functions separated by the | operator:
|
|
eval <expression> name |
n/a |
| eval URL_Length = length ( Request URL ) |
|
rename |
n/a |
| rename source address as src |
|
where |
n/a |
|
The Eval function allows you to define and name an expression that is returned in the search. To build an eval expression, you can use the following functions:
|
Function |
Description |
Example |
|---|---|---|
|
coalesce(X[, Y, Z,N, ...]) |
Returns the value of the first non-null expression in the list. If all expressions evaluate to null, then COALESCE returns null. The list is up to 20 elements long. In the list of expressions all elements must be of same type. The only supported types are numeric and string. X can be a number, field or expression. |
... | eval newField = coalesce(null, null,2,3) Returns: 2 |
|
nullif(X,Y) |
Compares two expressions. If the expressions are not equal, the function returns the first expression (expression1). If the expressions are equal, the function returns null. X and Y can be a number, field or expression. Y must have same data type that X. |
|
|
Function |
Description |
Example |
|---|---|---|
|
md5(X) |
Calculates the MD5 hash of string, returning the result as a VARCHAR string in hexadecimal. X must be a string. |
... | eval newField = md5('123') Returns: 202cb962ac59075b964b07152d234b70 |
|
Function |
Description |
Example |
|---|---|---|
|
isnull(X) |
Returns true if the X is null otherwise returns false. |
... | eval newField = isnull(2) Returns: false |
|
Function |
Description |
Example |
|---|---|---|
|
abs(X) |
Takes a number, X, and returns its absolute value. X can be a number, field or expression. |
The function assigns the evaluated value to the new field. If the value of X is 3 or -3, the function assigns the evaluated value of 3 to the field absnum:
|
|
cbrt(X) |
Takes one numeric argument, X, and returns its cube root. |
... | eval n=cbrt(2) Returns: 8 |
|
ceiling(X) |
Rounds a number, X, up to the next highest integer. X can be a number, field or expression. |
Returns: n=2 |
|
exp(X) |
Takes a number, X, and returns eX. X can be a number, field or expression. |
... | eval y=exp(3) Returns: y=20.0855369231877 |
|
floor(X) |
Rounds a number, X, down to the nearest whole integer. X can be a number, field or expression. |
... | eval n=floor(1.9) Returns: 1 |
|
mod(X, Y) |
Returns the modulo of X and Y. (X%Y; the remainder of X divided by Y.) |
|
|
power(X,Y) |
Returns a value representing one number raised to the power of another number. X is the base and Y the exponent. X and Y can be a number, field or expression. |
... | eval newField = power(2, 3) Returns: 8 |
|
round(X, Y) |
Rounds X to the nearest integer. Y is the precision to use, if omitted the default precision is zero. X can be a number, field or expression. Y is a numeric value to indicate the precision. |
|
|
sign(X) |
Returns a value of -1, 0, or 1 representing the arithmetic sign of the argument. |
|
|
sqrt(X) |
Takes one numeric argument, X, and returns its square root. X can be a number, field or expression. |
... | eval n=sqrt(9) Returns: 3 |
|
trunc(X,Y) |
Returns the expression value truncated (toward zero). X can be a number, field or expression. Y is a numeric value to indicate the precision. |
|
|
Function |
Description |
Example |
|---|---|---|
|
greatest(X,Y[,Z,N, ...]) |
Returns the largest value in a list of expressions. The list is up to 20 elements long. In the list of expressions all elements must be of same type. The only supported types are numeric and string. X can be a number, field or expression. |
|
|
least(X,Y[,Z,N, ...]) |
Returns the smallest value in a list of expressions. The list is up to 20 elements long. In the list of expressions all elements must be of same type. The only supported types are numeric and string. X can be a number, field or expression. |
|
|
randomint(X) |
Returns a random number between 0 and X-1. X can be any positive integer between the values 1 and 9,223,372,036,854,775,807. |
... | eval newField = randomint(10) Returns: a random number between 0 and 9 |
|
Function |
Description |
Example |
|---|---|---|
|
length(X) |
Returns the character length of a string, X. |
|
|
lower(X) |
Takes a string argument, X, and returns the lowercase version. |
Returns: the value of the field username in lowercase. If the username field contains FRED BROWN, it returns name=fredbrown. |
|
substr(X,Y,Z) |
This function returns a new string that is a substring of string X.The substring begins with the character at index Y and extends up to the character at index Z-1.The index is a number that indicates the location of the characters in string X, from left to right, starting with zero. Y can be negative. Z cannot be negative. |
|
|
trim(X) ltrim(X) rtrim(X) |
trim(X) removes all spaces from both sides of the string X. ltrim(X) removes all spaces from the left side of the string X. rtrim(X) removes all spaces from the right side of the string X. |
For the sake of these examples, assume that X is a literal string and _ represents any number of space characters.
|
|
upper(X) |
Takes one string argument and returns the uppercase version. |
Returns: the value of the field username in uppercase. If username contains fred brown, it returns name=FRED BROWN. |
|
Function |
Description |
Example |
|---|---|---|
|
|
|
|
acos(X) |
Takes one numeric argument, X, and returns its trigonometric inverse cosine. |
...| eval newField = acos(0.3) Returns: 1.2661036727795 |
|
asin(X) |
Takes one numeric argument, X, and returns its trigonometric inverse sine. |
...| eval newField = asin(3) Returns: 0.304692654015398 |
|
atan(X) |
Takes one numeric argument, X, and returns its trigonometric inverse tangent. |
...| eval newField = atan(3) Returns: 0.291456794477867 |
|
atan2(X,Y) |
Returns a value representing the trigonometric inverse tangent of the arithmetic dividend of the arguments. |
...| eval newField = atan2(2,1) Returns: 1.10714871 |
|
cos(X) |
Takes one numeric argument, X, and returns its trigonometric cosine. |
...| eval newField = cos(3) Returns: 2435538 |
|
cosh(X) |
Takes one numeric argument, X, and returns its hyperbolic cosine. |
...| eval newField = cosh(3) Returns: 10.0676619957778 |
|
cot(X) |
Takes one numeric argument, X, and returns its trigonometric cotangent. |
...| eval newField = cot(3) Returns: -7.01525255143453 |
|
ln(X) |
Takes a number, X, and returns its natural log. X can be a number, field or expression. |
... | eval lnBytes=ln(bytesIn) Returns: the natural log of the value of " bytesIn". If "bytesIn" contains 100, returns 4.605170186. |
|
log(X, Y) |
Returns the logarithm to the specified base of the argument. X is the base and Y can be a number, field or expression. X is optional. If not specified, it will take 10 as the default value. |
|
|
log10(X) |
(Evaluates the log of number X with base 10. X can be a number, field or expression. |
... | eval num=log10(10000) Returns: 4 |
|
sin(X) |
Takes one numeric argument, X, and returns its trigonometric sine. |
...| eval newField = sin(3) Returns: 0.141120008059867 |
|
sinh(X) |
Takes one numeric argument, X, and returns its hyperbolic sine. |
...| eval newField = sinh(3) Returns: 10.0178749274099 |
|
tan(X) |
Takes one numeric argument, X, and returns its trigonometric tangent. |
...| eval newField = tan(3) Returns: -0.142546543074278 |
|
tanh(X) |
Takes one numeric argument, X, and returns its hyperbolic tangent. |
...| eval newField = tanh(3) Returns: 0.99505475368673 |
Search enables you to quickly select fields that have common groupings. In the query, you can specify a group alias that displays all fields or columns associated with the group. The following table provides some common group aliases.
|
Group Alias |
Includes a list of these fields or columns... |
|---|---|
|
category |
All category fields |
|
custom float |
All custom float fields |
|
domain |
All domain fields |
|
hostname |
All hostname columns |
|
id |
All ID columns |
|
ip |
All IP address columns |
|
ip6 |
All IPv6 address columns |
|
label |
All label columns |
|
mac |
All MAC address columns |
|
path |
All path columns |
|
port |
All port columns |
|
timestamp or time |
All time columns (device receipt time, agent receipt time) |
|
uri |
All URI columns |
|
url |
All URL columns |
|
username or user |
All user columns |
In the search query, you can enter the alias, or abbreviated term, for a field name rather than entering the full name. For the fields shown in the following table, you can also use the presentable field names, such as Agent Address. Search suggests presentable names.
|
Field |
Aliases |
|---|---|
|
agentAddress |
|
|
agentHostName |
ahost |
|
agentId |
aid |
|
agentMacAddress |
|
|
agentReceiptTime |
art |
|
agentTimeZone |
atz |
|
agentTranslatedAddress |
agent translated ip |
|
agentType |
at |
|
agentVersion |
av |
|
applicatonProtocol |
|
|
baseEventCount |
cnt |
|
bytesIn |
in |
|
bytesOut |
out |
|
categoryBehavior |
behavior |
|
categoryDeviceGroup |
device group |
|
categoryObject |
object |
|
categorySignificance |
significance |
|
categoryTechnique |
technique |
|
destinationAddress |
|
|
destinationHostName |
|
|
destinationMacAddress |
|
|
destinationNtDomain |
dntdom |
|
destinationPort |
|
|
destinationProcessId |
dpid |
|
destinationProcessName |
dproc |
|
destinationTranslatedAddress |
destination translated ip |
|
destinationuserId |
duid |
|
destinationUserName |
|
|
destinationUserPrivileges |
dpriv |
|
deviceAction |
act |
|
deviceAddress |
|
|
deviceCustomFloatingPointn
|
cfpn For example: cfp1 |
|
deviceCustomFloatingPointnLabel
|
cfpnLabel For example: cfp1Label |
|
deviceCustomIPv6Addressn
|
For example: c6a2 |
|
deviceCustomIPv6AddressnLabel
|
c6anLabel For example: c6a2Label |
|
deviceCustomNumbern
|
cnn For example: cn3 |
|
deviceCustomNumbernLabel
|
cnnLabel For example: cn6Label |
|
deviceCustomStringn
|
Csn For example: Cs5 |
|
deviceEventCategory |
cat |
|
deviceHostName |
dvchost |
|
deviceMacAddress |
|
|
deviceProcessId |
dvcpid |
|
deviceReceiptTime |
rt |
|
deviceTimeZone |
dtz |
|
deviceTranslatedAddress |
device translated ip |
|
endTime |
end |
|
eventOutcome |
outcome |
|
fileNme |
fname |
|
fileSize |
fsize |
|
message |
msg |
|
requestUrl |
|
|
sourceAddress |
|
|
sourceHostName |
shost |
|
sourceMacAddress |
|
|
sourceNtDomain |
sntdomain |
|
sourcePort |
|
|
sourceProcessId |
spid |
|
sourceProcessName |
sproc |
|
sourceTranslatedAddress |
source translated ip |
|
sourceUserId |
suid |
|
sourceuserName |
|
|
sourceUserPrivileges |
spriv |
|
startTime |
start |
|
transportProtocol |
proto |