Search Query
Search ‘query’ parameter
The "query" parameter consists of one or more search expressions combined with the boolean operators and, or and not:
Example:
search {options} expression1 and expression2 not expression3 ... expressionN
Usage
The following expressions are supported:
- sContent(field, value)
  search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
- sContains(field, value)
  search {from="-3d@d",to="@d"} sContains("@event_type","Sign")
- sStartswith(field, value)
  search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
- sEndswith(field, value)
  search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")
- sRange(field, from, to)
  search sRange("__size__","1","800")
- sRegexp(field, value)
  search sRegexp("@fields.isprime","y.*")
- sEntityinfo(field, entityname)
  search sEntityinfo("@fields.EventID","AD_EventID")
- sIsnull(field): returns "true" if all the elements of this field are null or empty.
- sWildcard(field): keeps only the non-empty elements of a field.
All content search functions starting with "s" have two modes: when used in a "search" pipe, the field argument must be a field name given as a full path. Otherwise the field argument must be a variable (see sContent for examples).
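To make the grammar above concrete, here is an added reference evaluator written for this page; it is not the product's own code and the product's real engine may differ. It tokenizes a query of the form shown under "Usage" (the "search" keyword, an optional {options} block, and s* expressions joined by and, or and not), parses it into a list of terms, and filters constructed in-memory records. The page gives only the function names and argument lists, so the matching semantics (exact match for sContent, inclusive numeric range for sRange, unanchored regex for sRegexp, left-to-right evaluation with "not" read as "and not") are assumptions and are marked as such in the code; sEntityinfo is omitted because the page does not describe what it matches, and the time options are parsed but not applied since the sample records carry no timestamps.

```python
import re

# Constructed sample records (not from the page). Field names follow the page's
# examples (@event_type, __size__, @fields.isprime); the values are made up.
RECORDS = [
    {"@event_type": "@azureSignIn", "__size__": 512, "@fields": {"isprime": "yes"}},
    {"@event_type": "@azureSignOut", "__size__": 2048, "@fields": {"isprime": "no"}},
    {"@event_type": "", "__size__": 100, "@fields": {"isprime": ["", None]}},
]

# Token kinds: an {options} block, a "quoted string", a bare word, or one of ( ) ,
_TOKEN = re.compile(r'\s*(?:(\{[^}]*\})|"([^"]*)"|([A-Za-z_][A-Za-z0-9_]*)|([(),]))')
_KINDS = ("opts", "str", "word", "punct")

def tokenize(text):
    """Split a query string into (kind, text) tokens."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        kind, value = next((k, v) for k, v in zip(_KINDS, m.groups()) if v is not None)
        tokens.append((kind, value[1:-1] if kind == "opts" else value))  # drop the braces
    return tokens

def lookup(record, path):
    """Resolve a full-path field name; each dot descends into a nested object."""
    value = record
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def _elements(value):  # a multi-valued field is a list; anything else is one element
    return value if isinstance(value, list) else [value]

def _empty(x):
    return x is None or x == ""

def _in_range(value, lo, hi):  # assumed: inclusive numeric comparison
    try:
        return float(lo) <= float(value) <= float(hi)
    except (TypeError, ValueError):
        return False

# Assumed semantics for the page's s* functions (the page gives only names and arity).
FUNCTIONS = {
    "sContent": lambda v, val: str(v) == val,                      # assumed: exact match
    "sContains": lambda v, val: val in str(v),
    "sStartswith": lambda v, val: str(v).startswith(val),
    "sEndswith": lambda v, val: str(v).endswith(val),
    "sRange": _in_range,
    "sRegexp": lambda v, pat: re.search(pat, str(v)) is not None,  # assumed: unanchored
    "sIsnull": lambda v: all(_empty(e) for e in _elements(v)),
    "sWildcard": lambda v: any(not _empty(e) for e in _elements(v)),
}

def parse(query):
    """Parse 'search {options} expr (and|or|not expr)*' into (options, terms)."""
    tokens = tokenize(query)
    tok = lambda i: tokens[i] if i < len(tokens) else ("eof", "")
    if tok(0) != ("word", "search"):
        raise ValueError("query must start with 'search'")
    i, options = 1, {}
    if tok(i)[0] == "opts":
        options = dict(re.findall(r'(\w+)="([^"]*)"', tok(i)[1]))
        i += 1
    terms, op = [], "and"
    while i < len(tokens):
        kind, name = tok(i)
        if kind == "word" and name in ("and", "or", "not"):
            op, i = name, i + 1
            continue
        if kind != "word" or name not in FUNCTIONS or tok(i + 1) != ("punct", "("):
            raise ValueError(f"expected a supported function call, got {name!r}")
        i, args = i + 2, []
        while tok(i) != ("punct", ")"):
            if tok(i)[0] == "str":
                args.append(tok(i)[1])
            elif tok(i) != ("punct", ","):
                raise ValueError(f"malformed argument list for {name}")
            i += 1
        terms.append((op, name, args))
        i, op = i + 1, "and"  # expressions with no operator between them are and-ed
    return options, terms

def matches(record, terms):
    """Evaluate left to right with no precedence; 'not' is read as 'and not' (assumed)."""
    result = True
    for op, name, args in terms:
        hit = FUNCTIONS[name](lookup(record, args[0]), *args[1:])
        result = (result or hit) if op == "or" else (result and (hit if op == "and" else not hit))
    return result

def run_search(query, records=RECORDS):
    """Return the records the filter keeps; the time options are parsed but not applied."""
    _options, terms = parse(query)
    return [r for r in records if matches(r, terms)]
```

Calling run_search with any of the page's example queries returns the matching constructed records, and parse(...)[0] exposes the from/to options as a dict; a query that does not start with "search", names an unknown function, or has an unterminated argument list raises ValueError rather than silently matching nothing.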
Examples
The following are some commonly used queries:
Page last updated: 2022 Nov 01 09:30:22 EDT