loganalyzer/doc/searching.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>LogAnalyzer Search Syntax</title>
</head>
<body>
<h1>LogAnalyzer Search Syntax</h1>
<p>This document describes how you can search in LogAnalyzer. Please note that
you can also always use the "advanced search" dialog to build the search string.

<p>A search term is always in the format "property:search" where property is the
data item you will search (for example the syslog tag, source system).
Available properties depend on the data source in use, parsers present,
and even the actual data. What usually is available is listed below. Please note that there
is a special case. Because it is so common to search inside the message text itself,
there is no property name for this - to perform this search, simply omit the
"property:" part.
<p>In LogAnalyzer we basically have two different types of data types which 
are handled different from each other, these are: string and number. There is 
also a date type filter and the message field, but these are handled separately 
from the others fields. Every filter usually is delimited by spaces, and filters 
from different fields are combined by AND.

<h3>String Fields</h3>
<p>For the string type fields, you can search for partially or full string 
matches. Searching for full string matches can improve performance in your 
logstream. If you have spaces in your search string, you need to replace them 
with a + character, the reason is simple, because the space character splits the 
filters. If you want to search for a single + sign, you need to replace it with 
a double +, so + becomes ++ in your search string. To separate multiple search 
values for the same fieldtype, you just need to separate them commas - but 
remember, no spaces! 

<p>String filters can be included in your search as well as excluded. All 
included filter of a field type will be combined by OR which means if you search 
for &quot;Search1&quot; and &quot;Search2&quot;, you will results matching both strings. This is 
different if you exclude strings from your search. Excluded filters from a field 
type will be combined with AND for the simple reason, if you want to exclude 
&quot;Search1&quot; and &quot;Search2&quot;, you want that both are excluded, and one or the other. 

<p>Below you will see how the syntax looks like:<ul>
	<li>Search for a partially string match: <B>property:search</B></li>
	<li>Search for multiple partially string matches: <B>property:search1,search2</B></li>
	<li>Search for a full string match: <B>property:=search1,search2</B></li>
	<li>Search for multiple full string matches: <B>property:=search</B></li>
	<li>Exclude by a partially string match: <B>property:-search</B></li>
	<li>Exclude multiple partially string matches: <B>property:-search1,-search2</B></li>
	<li>Exclude by a full string match: <B>property:-=search</B></li>
	<li>Exclude multiple full string matches: <B>property:-=search1,-=search2</B></li>
</ul>
</p>

<p>Additionally some Logstream sources support REGEX Searches when supported native. Currently the MySQL LogStream and PDO Logstream (MySQL and PostGRESQL only) support REGEX searches. To use REGEXP in searches, prepend the search phrase with the ~ character. See the samples below:
</p>
<p>Search samples with REGEX support: <ul>
	<li>Search for REGEX string match: <B>property:~search</B></li>
	<li>Exclude string by REGEX match: <B>property:-~search</B></li>
</ul>
</p>

<h3>Number Fields</h3>
<p>Number fields work similar to string fields, except that there are partially 
matches, and the search value obviously must be a number. There are a few 
exceptions where you can use string representations instead of numbers, but 
these will be explained later. 

<p>Below you will see how the syntax looks like:<ul>
	<li>Search for a number: <B>property:1234</B></li>
	<li>Search for multiple numbers: <B>property:1234,5678</B></li>
	<li>Exclude a number from the search: <B>property:-1234</B></li>
	<li>Exclude multiple numbers from the search: <B>property:-1234,-5678</B></li>
</ul>
<p>&nbsp;</p>
<h3>Date Field</h3>
<p>There is currently only one date field possible, and so we have two different 
kinds of date filters we can use on this date field. The first option is to 
search for a time range where you need to use the datefrom and dateto 
properties. The date/time format has to be ISO TIMESTAMP (see RFC 3339 for more) 
for both properties. The other option is datelastx which will filter for the 
last hour (filter value 1), last 12 hours (filter value 2), last 24 hours 
(filter value 3), last 7 days (filter value 4) and last 31 days (filter value 
5). </p>
<ul>
	<li>This search will filter for events starting at 2007-10-01 and ending at 
	2008-10-01: <B>datefrom:2007-10-1T00:00:00 dateto:2008-10-1T23:59:59</B></li>
	<li>This search will show events from the last 24 hours: <B>datelastx:3</B></li>
</ul>
<p>&nbsp;</p>
<h3>Message Field</h3>
<p>The message field is a string type field and does not require the use of a 
property. You can have include and exclude filters here as well. The main 
difference to ordinary string filters is, that include filters are combined with 
AND instead of OR. </p>
<ul>
	<li>This search will include &quot;test1&quot;: test1</li>
	<li>This search will include &quot;test1&quot; and &quot;test2&quot;: test1 test2</li>
	<li>This search will exclude &quot;test1&quot;: -test1</li>
	<li>This search will exclude &quot;test1&quot; and &quot;test2&quot;: -test1 -test2</li>
</ul>
<p>&nbsp;<p>&nbsp;<p>[<a href="manual.html">manual index</a>] [<a href="http://loganalyzer.adiscon.com">LogAnalyzer site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://loganalyzer.adiscon.com">Adiscon LogAnalyzer</a> project.<br>
Copyright &copy; 2008-2011 by <a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.
<a href="http://loganalyzer.adiscon.com/commercial">Adiscon LogAnaylzer commercial licenses are also available.</a>
</font></p>
</body></html>