tyler.durden/loganalyzer
1
0
Fork 0
mirror of https://github.com/rsyslog/loganalyzer.git synced 2025-09-10 03:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
loganalyzer/doc/searching.html
Rainer Gerhards 84cac3e7e3 added general doc and search description doc 
the search doc was actually done by Andre, I am just commiting it
2008-10-01 16:48:30 +02:00

97 lines
5.2 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>phpLogCon Search Syntax</title>
</head>
<body>
<h1>phpLogCon Search Syntax</h1>
<p>This document describes how you can search in phpLogCon. Please note that
you can also always use the "advanced search" dialog to build the search string.
<p>A search term is always in the format "property:search" where property is the
data item you will search (for example the syslog tag, source system).
Available properties depend on the data source in use, parsers present,
and even the actual data. What usually is available is listed below. Please note that there
is a special case. Because it is so common to search inside the message text itself,
there is no property name for this - to perform this search, simply omit the
"property:" part.
<p>In phpLogCon we basically have two different types of data types which
are handled different from each other, these are: string and number. There is
also a date type filter and the message field, but these are handled separately
from the others fields. Every filter usually is delimited by spaces, and filters
from different fields are combined by AND.
<h3>String Fields</h3>
<p>For the string type fields, you can search for partially or full string
matches. Searching for full string matches can improve performance in your
logstream. If you have spaces in your search string, you need to replace them
with a + character, the reason is simple, because the space character splits the
filters. If you want to search for a single + sign, you need to replace it with
a double +, so + becomes ++ in your search string. To separate multiple search
values for the same fieldtype, you just need to separate them commas - but
remember, no spaces!
<p>String filters can be included in your search as well as excluded. All
included filter of a field type will be combined by OR which means if you search
for &quot;Search1&quot; and &quot;Search2&quot;, you will results matching both strings. This is
different if you exclude strings from your search. Excluded filters from a field
type will be combined with AND for the simple reason, if you want to exclude
&quot;Search1&quot; and &quot;Search2&quot;, you want that both are excluded, and one or the other.
<p>Below you will see how the syntax looks like:<ul>
<li>Search for a partially string match: property:search</li>
<li>Search for multiple partially string matches: property:search1,search2</li>
<li>Search for a full string match: property:=search1,search2</li>
<li>Search for multiple full string matches: property:=search</li>
<li>Exclude by a partially string match: property:-search</li>
<li>Exclude multiple partially string matches: property:-search1,-search2</li>
<li>Exclude by a full string match: property:-=search</li>
<li>Exclude multiple full string matches: property:-=search1,-=search2</li>
</ul>
<p>&nbsp;<h3>Number Fields</h3>
<p>Number fields work similar to string fields, except that there are partially
matches, and the search value obviously must be a number. There are a few
exceptions where you can use string representations instead of numbers, but
these will be explained later.
<p>Below you will see how the syntax looks like:<ul>
<li>Search for a number: property:1234</li>
<li>Search for multiple numbers: property:1234,5678</li>
<li>Exclude a number from the search: property:-1234</li>
<li>Exclude multiple numbers from the search: property:-1234,-5678</li>
</ul>
<p>&nbsp;</p>
<h3>Date Field</h3>
<p>There is currently only one date field possible, and so we have two different
kinds of date filters we can use on this date field. The first option is to
search for a time range where you need to use the datefrom and dateto
properties. The date/time format has to be ISO TIMESTAMP (see RFC 3339 for more)
for both properties. The other option is datelastx which will filter for the
last hour (filter value 1), last 12 hours (filter value 2), last 24 hours
(filter value 3), last 7 days (filter value 4) and last 31 days (filter value
5). </p>
<ul>
<li>This search will filter for events starting at 2007-10-01 and ending at
2008-10-01: datefrom:2007-10-1T00:00:00 dateto:2008-10-1T23:59:59</li>
<li>This search will show events from the last 24 hours: datelastx:3</li>
</ul>
<p>&nbsp;</p>
<h3>Message Field</h3>
<p>The message field is a string type field and does not require the use of a
property. You can have include and exclude filters here as well. The main
difference to ordinary string filters is, that include filters are combined with
AND instead of OR. </p>
<ul>
<li>This search will include &quot;test1&quot;: test1</li>
<li>This search will include &quot;test1&quot; and &quot;test2&quot;: test1 test2</li>
<li>This search will exclude &quot;test1&quot;: -test1</li>
<li>This search will exclude &quot;test1&quot; and &quot;test2&quot;: -test1 -test2</li>
</ul>
<p>&nbsp;<p>&nbsp;<p>[<a href="manual.html">manual index</a>] [<a href="http://www.phplogcon.com/">phpLogCon site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.phplogcon.com/">phpLogCon</a>
project.<br>
Copyright &copy; 2008 by
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>
Reference in New Issue View Git Blame Copy Permalink