LogAnalyzer Search Syntax

This document describes how you can search in LogAnalyzer. Please note that you can also always use the "advanced search" dialog to build the search string.

A search term is always in the format "property:search" where property is the data item you will search (for example the syslog tag, source system). Available properties depend on the data source in use, parsers present, and even the actual data. What usually is available is listed below. Please note that there is a special case. Because it is so common to search inside the message text itself, there is no property name for this - to perform this search, simply omit the "property:" part.

In LogAnalyzer we basically have two different types of data types which are handled different from each other, these are: string and number. There is also a date type filter and the message field, but these are handled separately from the others fields. Every filter usually is delimited by spaces, and filters from different fields are combined by AND.

String Fields

For the string type fields, you can search for partially or full string matches. Searching for full string matches can improve performance in your logstream. If you have spaces in your search string, you need to replace them with a + character, the reason is simple, because the space character splits the filters. If you want to search for a single + sign, you need to replace it with a double +, so + becomes ++ in your search string. To separate multiple search values for the same fieldtype, you just need to separate them commas - but remember, no spaces!

String filters can be included in your search as well as excluded. All included filter of a field type will be combined by OR which means if you search for "Search1" and "Search2", you will results matching both strings. This is different if you exclude strings from your search. Excluded filters from a field type will be combined with AND for the simple reason, if you want to exclude "Search1" and "Search2", you want that both are excluded, and one or the other.

Below you will see how the syntax looks like:

  • Search for a partially string match: property:search
  • Search for multiple partially string matches: property:search1,search2
  • Search for a full string match: property:=search1,search2
  • Search for multiple full string matches: property:=search
  • Exclude by a partially string match: property:-search
  • Exclude multiple partially string matches: property:-search1,-search2
  • Exclude by a full string match: property:-=search
  • Exclude multiple full string matches: property:-=search1,-=search2

Additionally some Logstream sources support REGEX Searches when supported native. Currently the MySQL LogStream and PDO Logstream (MySQL and PostGRESQL only) support REGEX searches. To use REGEXP in searches, prepend the search phrase with the ~ character. See the samples below:

Search samples with REGEX support:

  • Search for REGEX string match: property:~search
  • Exclude string by REGEX match: property:-~search

Number Fields

Number fields work similar to string fields, except that there are partially matches, and the search value obviously must be a number. There are a few exceptions where you can use string representations instead of numbers, but these will be explained later.

Below you will see how the syntax looks like:

  • Search for a number: property:1234
  • Search for multiple numbers: property:1234,5678
  • Exclude a number from the search: property:-1234
  • Exclude multiple numbers from the search: property:-1234,-5678

 

Date Field

There is currently only one date field possible, and so we have two different kinds of date filters we can use on this date field. The first option is to search for a time range where you need to use the datefrom and dateto properties. The date/time format has to be ISO TIMESTAMP (see RFC 3339 for more) for both properties. The other option is datelastx which will filter for the last hour (filter value 1), last 12 hours (filter value 2), last 24 hours (filter value 3), last 7 days (filter value 4) and last 31 days (filter value 5).

  • This search will filter for events starting at 2007-10-01 and ending at 2008-10-01: datefrom:2007-10-1T00:00:00 dateto:2008-10-1T23:59:59
  • This search will show events from the last 24 hours: datelastx:3

 

Message Field

The message field is a string type field and does not require the use of a property. You can have include and exclude filters here as well. The main difference to ordinary string filters is, that include filters are combined with AND instead of OR.

  • This search will include "test1": test1
  • This search will include "test1" and "test2": test1 test2
  • This search will exclude "test1": -test1
  • This search will exclude "test1" and "test2": -test1 -test2

 

 

[manual index] [LogAnalyzer site]

This documentation is part of the Adiscon LogAnalyzer project.
Copyright © 2008-2011 by Adiscon. Released under the GNU GPL version 3 or higher. Adiscon LogAnaylzer commercial licenses are also available.