You can use the list of existing fields to search log events with specific values for a field.


Log Insight indexes complete tokens consisting of alphanumeric, hyphen, and underscore characters.

Verify that you are logged in to the Log Insight Web user interface. The URL format is https://log_insight-host, where log_insight-host is the IP address or host name of the Log Insight virtual appliance.


Navigate to the Interactive Analytics tab.


Click Add Constraint.


In the constraint row under the search text box, use the first drop-down menu to select any field defined within Log Insight.

For example, hostname.

The list contains all defined fields that are available statically, in content packs, and in custom content. Fields are sorted by name, except for the text field. Because text is a special field that refers to the message text, text appears at the top of the list, and is selected by default.


Numeric fields contain additional operators that string fields do not: =, >, <, >=, <=. These operators perform numeric comparisons and using them yields different results than using string operators. For example, the constraint response_time = 02 will match an event that contains a response_time field with a value 2. The constraint response_time contains 02 will not have the same match.


In the constraint row under the search text box, use the second drop-down menu to select the operation to apply to the field selected in the first drop-down menu.

For example, select contains. The contains constraint matches full tokens: searching for "err" will not find "error" as a match.


In the text box to the right of the constraint drop-down menu, type the value that you want to use as a filter.

You can list multiple values separated by commas. The operator between these values is OR.


The text box is not available if you select the exists operator in the second drop-down menu.


(Optional) To add more constraints, click Add Constraint.

A toggle button appears above the constraint rows.


(Optional) For multiple constraint rows, select the operator between constraints.




Select to apply the AND operation between constraint rows


Select to apply the OR operation between constraint rows

By default, all is selected.


Click Search.

Assume that you have several hosts, including one named w1-stvc-205-prod3 and another named w1-stvc-206-prod5.

To find all logs for both hosts, create the following query.


Leave the search text box empty.


Define the constraint.


Select hostname from the field drop-down menu.


Select starts with from the operator drop-down menu.


Type w1-stvc in the value text box.

Alternatively, you can use the contains operator, but then you must use a glob in the search value. In this example, you must type w1-stvc-* in the value text box.


Click Search.

You can save the current query to load it at a later stage.
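
The operator semantics described on this page (full-token contains with globs, starts with, numeric =, comma-separated values joined by OR, and AND/OR between constraint rows) can be modelled in a few lines of Python. This is an added illustration, not Log Insight code: the tokenizer regex, the function names, the case-sensitive matching and the sample events are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Assumption: a token is a run of alphanumeric, hyphen, or underscore characters.
TOKEN = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample events; field values are kept as strings, as in raw logs.
EVENTS = [
    {"hostname": "w1-stvc-205-prod3", "text": "disk error on sda", "response_time": "2"},
    {"hostname": "w1-stvc-206-prod5", "text": "request served", "response_time": "02"},
    {"hostname": "db-01", "text": "err code 7"},
]

def match_one(op, field_value, wanted):
    """Evaluate one operator against one wanted value."""
    if op == "contains":
        # Full tokens only: "err" does not match "error" unless a glob is used.
        # Case handling is not described on the page; this model is case-sensitive.
        return any(fnmatchcase(t, wanted) for t in TOKEN.findall(field_value))
    if op == "starts with":
        return field_value.startswith(wanted)
    if op == "=":
        # Numeric comparison: "02" and "2" are the same number.
        try:
            return float(field_value) == float(wanted)
        except ValueError:
            return False
    raise ValueError(f"unsupported operator: {op}")

def row_matches(event, field, op, values=""):
    """One constraint row; comma-separated values are combined with OR."""
    if field not in event:
        return False
    if op == "exists":  # no value text box for this operator
        return True
    return any(match_one(op, event[field], v.strip()) for v in values.split(","))

def search(events, rows, match_all=True):
    """match_all=True applies AND between rows (the default); False applies OR."""
    combine = all if match_all else any
    return [e for e in events if combine(row_matches(e, *row) for row in rows)]

if __name__ == "__main__":
    for row in [("hostname", "starts with", "w1-stvc"), ("hostname", "contains", "w1-stvc"),
                ("hostname", "contains", "w1-stvc-*"), ("response_time", "=", "02"),
                ("response_time", "contains", "02"), ("text", "contains", "err")]:
        print(row, "->", [e["hostname"] for e in search(EVENTS, [row])])
```
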