You can use the list of existing fields to search log events with specific values for a field.

Important: Log Insight indexes complete, alphanumeric, hyphen, and underscore characters.

Verify that you are logged in to the Log Insight Web user interface. The URL format is https://log_insight-host, where log_insight-host is the IP address or host name of the Log Insight virtual appliance.

1. Navigate to the Interactive Analytics tab.

2. Click Add Filter.

3. In the filter row under the search text box, use the first drop-down menu to select any field defined within Log Insight.

   For example, hostname.

   The list contains all defined fields that are available statically, in content packs, and in custom content. Fields are sorted by name, except for the text field. Because text is a special field that refers to the message text, text appears at the top of the list, and is selected by default.

   Note: Numeric fields contain additional operators that string fields do not: =, >, <, >=, <=. These operators perform numeric comparisons and using them yields different results than using string operators. For example, the filter response_time = 02 will match an event that contains a response_time field with a value 2. The filter response_time contains 02 will not have the same match.

4. In the filter row under the search text box, use the second drop-down menu to select the operation to apply to the field selected in the first drop-down menu.

   For example, select contains. The contains filter matches full tokens: searching for "err" will not find "error" as a match.

5. In the text box to the right of the filter drop-down menu, type the value that you want to use as a filter.

   You can list multiple values separated by commas. The operator between these values is OR.

   Note: The text box is not available if you select the exists operator in the second drop-down menu.

6. (Optional) To add more filters, click Add Filter.

   A toggle button appears above the filter rows.

7. (Optional) For multiple filter rows, select the operator between filters.

   Option   Description
   all      Select to apply the AND operation between filter rows
   any      Select to apply the OR operation between filter rows

   By default, all is selected.

8. Click the Search button.

Assume that your hosts include one named w1-stvc-205-prod3 and another named w1-stvc-206-prod5.

To find all logs for both hosts, create the following query.

1. Leave the search text box empty.

2. Define the filter.

   a. Select hostname from the field drop-down menu.

   b. Select starts with from the operator drop-down menu.

   c. Type w1-stvc in the value text box.

   Alternatively, you can use the contains operator, but then you must use a glob in the search value. In this example, you must type w1-stvc-* in the value text box.

3. Click the Search button.

You can save the current query to load it at a later stage.
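
The matching rules described in this topic, modelled in Python as an added example; this is not Log Insight's own code. It is built only from the statements on this page (complete-token matching for contains, globs, numeric operators, OR between comma-separated values, all/any between filter rows). The function names, the event dictionaries, and the w2-db-001 host are constructed for illustration.

```python
import operator
import re
from fnmatch import fnmatchcase

# Assumption taken from the page's note on indexing: a token is a complete run
# of alphanumeric, hyphen, and underscore characters. Case handling is not modelled.
TOKEN = re.compile(r"[A-Za-z0-9_-]+")
NUMERIC = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
           ">=": operator.ge, "<=": operator.le}

def match_row(event, field, op, value=""):
    """Evaluate one filter row against an event (dict of field name -> string)."""
    if op == "exists":                       # exists takes no value
        return field in event
    if field not in event:
        return False
    raw = event[field]

    def one(term):
        if op == "contains":                 # complete tokens only, globs allowed
            return any(fnmatchcase(tok, term) for tok in TOKEN.findall(raw))
        if op == "starts with":
            return raw.startswith(term)
        if op in NUMERIC:                    # numeric comparison: "02" equals "2"
            try:
                return NUMERIC[op](float(raw), float(term))
            except ValueError:
                return False
        raise ValueError(f"unsupported operator: {op}")

    terms = [t.strip() for t in value.split(",") if t.strip()]
    return any(one(t) for t in terms)        # comma-separated values are ORed

def search(events, rows, mode="all"):
    """Return hostnames of events matching the rows; mode is 'all' (AND) or 'any' (OR)."""
    combine = all if mode == "all" else any
    return [e["hostname"] for e in events
            if combine(match_row(e, *row) for row in rows)]

# Constructed sample events, not real log data.
EVENTS = [
    {"hostname": "w1-stvc-205-prod3", "text": "disk error on sda", "response_time": "2"},
    {"hostname": "w1-stvc-206-prod5", "text": "request served", "response_time": "15"},
    {"hostname": "w2-db-001", "text": "err-code 02 returned"},
]

if __name__ == "__main__":
    print(search(EVENTS, [("hostname", "contains", "w1-stvc-*")]))
    print(search(EVENTS, [("response_time", "=", "02")]))
    print(search(EVENTS, [("text", "contains", "err")]))
```

When a filter returns fewer events than expected during an investigation, check first whether contains was given a partial token without a glob, or whether a string operator was used on a numeric field.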