Current view: XpoLog V7 (Latest). Available: XpoLog V6 and XpoLog V5

Skip to end of metadata
Go to start of metadata

XpoSearch enables you to retrieve specific events from indexed event logs, by creating a search query using the XpoSearch search syntax, and then running the search. This is an extremely useful tool for investigating the cause of problems in your system. Also, you can limit any search to events that occurred during a specific time period. 

Selecting the Search Time Period

Time plays a very important role in the examination of the cause of a system problem.

Although you can run a search on events that occurred at any time, this wastes system resources, and usually results in an overwhelming number of events that are difficult for you to manage and analyze.

Therefore, XpoSearch enables you to run a search on a specific time period, so that you can narrow your results, and facilitate determining the root cause of the problem. You can select a predefined time period, or customize the time period by selecting the start and end dates and times of the time period.

 

To select the time period of the search:
  1. In the Search Query Panel, in the Search Time Range textbox, click the down arrow.

    A list of selectable time periods opens.

  2. From the list of time periods, select a predefined time period (All Time (all times in  the log), Last 15 Minutes, Last 30 Minutes, Last 60 MinutesLast 3 Hours, Last 12 Hours, Last 24 Hours, Last 7 Days, Last 14 Days, Last 1 Month, Last 3 Months, Last WeekThis WeekYesterday, or Today), or select Custom to specify your own time period (see Customizing the Search Time Period for a detailed explanation on customizing the time period). 

    T
    he selected time period is displayed in the textbox, and the search runs on this time period.

Creating a Search Query

You can create a search query using the search syntax supplied by XpoLog for simple searches:

  • Simple terms search
  • Boolean search
  • Search with wildcards
  • Comparison search
  • Search in a specific log, folder, application, or server
  • Activate a saved search by its name

Searching for Simple Terms

The simplest type of search is one that searches for terms in your log events. This includes the following:

  • Searching for a single word that appears anywhere in the event.
    Example: Typing error searches for all events containing the word error.
  • Searching for two or more words that appear in an event, exactly in the order that you typed them.
    Example: Typing error log only searches for events having the words error and log adjacent to each other in the event.
  • Searching for keywords in an event – by enclosing the words in quotes. These keywords can be Boolean operators or saved words.  
    Example: If you want to search for the word NOT in an event, and do not want it to be misinterpreted as the Boolean operator NOT, you should enclose it in quotes: "NOT".

XpoSearch also provides the autocomplete feature. As you type the search query, a dropdown list of other search queries that you have created in the past and that begin with these characters is displayed, as relevant. If one of these search queries is the one that you want to run, you can simply select it instead of retyping the entire search query.

Boolean Search

XpoLog provides three Boolean operators for your use: OR, AND, NOT, evaluated in a search query in that order. These operators must be capitalized. It is also possible to change the default order of precedence, by enclosing in parenthesis the part of the search term that you want to perform first.

Example: Searching for end process OR start process returns all events containing either the phrase end process or the phrase start process

Note: If you want to search in an event for any words that are the same as Boolean operators, you should enclose them in quotes, so that they are not misunderstood for the Boolean operator.

Searching with Wildcards

XpoSearch provides two wildcards:

  • ? – used in a search term to represent a single alphanumeric character.
    Example: Typing http ?00 retuns http 100, http 200, ...,and http 900. It does not return http 2000, as the ? only replaces a single character.
     
  • * – used in a search term to represent zero to any number of any alphanumeric characters. A search term which only includes an * returns all events, up to the maximum allowed by the system.
    Example: Typing http  *00 returns all events beginning with http  and ending with 00, such as http 300, http 3000, and http 500.  

Searching in a Specific Log/Folder/AppTag/Server

XpoSearch enables searching events in all event logs of the system, regardless of their source, or only in event logs that come from a specific source, as follows:

  • Log – a specific log
  • Folder – logs in a specific folder 
  • AppTag – logs of a specific application
  • Server – logs from a specific server

Examples:

  1. Running a search for error in log.my_log returns events only from the log named my_log that include the word error, regardless of where this log resides.
  2. Running a search for error in log.X in folder.Y returns events only from event log X that resides in folder Y
  3. Running a search for error in log.X, log.Y returns events from event log X and event log Y, regardless of where they reside. 

Column-based Search

You can run a column-based search on event data, to extract only those events which have a specific column that meets the comparison criteria. This is done by creating a search that compares a specific column to a specific value, using the comparison operators defined in the following table.

 

OperatorDefinition
=  

Equals

column_name = x returns all events with column_name value exactly equal to x.

!= 

Not equals

column_name != x returns all events with column_name value not equal to x.

 

Greater than; for numerical fields only

column_name > x returns all events with column_name value greater than x.

<

Less than; for numerical fields only

column_name < x returns all events with column_name value less than x.

 contains

Used for checking if a column contains a specific value

column_name contains x returns all events that contain in column_name the value x.

 NULL

Used to find empty or populated columns

column_name = NULL returns all events that have no value in column_name

column_namereturns all events that have a value in column_name. 

 NOT

Used to exclude events that have a specific value in a specific column 

NOT (column_name contains error) returns all events that do not have error in column_name.

Example: Typing Priority !=  Error returns all events that do not have the value Error in the Priority column.

Regular Expression Search

XpoLog enables you to search in events for values represented by a regular expression that you specify.

Example: Typing regexp:\d+ in log.access searches for numbers in events. 

Searching Special Chars in a Search

XpoLog enables you to search special characters in the search:

  • Wrap the searched term with "quotes"
  • Use backslash (\) before a specific char to be treated as textual value to be searched

Example: If the message contains a special char like {} it can be searched by \{\} in log.LOG_NAME

Activating a Saved Search

XpoLog enables you to save any search query so that you can easily run it at a later time. You can either activate the saved search by selecting its name from a list of saved searches (see  Running a Saved Search) or you can type search.search_name in the search query to run the saved search called search_name

Example: Typing search.error_search activates the saved search named error_search.

 

 

 

  • No labels