Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Search Query

Sections
  1. Search ‘query’ parameter
  2. Usage
  3. Examples

Search ‘query’ parameter

The “query” parameter consists of one or more search expressions and the boolean operators and, or and not:

Example:

  search {options} expression1 and expression2 not expression3 ... expressionN

Usage

The following expressions are supported:

  • sContent(field, value) 
    search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
  • sContains(field, value) 
    search {from="-3d@d",to="@d"} sContains("@event_type","Sign")
  • sStartswith(field, value) 
    search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
  • sEndswith(field, value) 
    search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")
  • sRange(field, from, to) 
    search sRange("__size__","1","800")
  • sRegexp(field, field, value) 
    search sRegexp("@fields.isprime","y.*")
  • sEntityinfo(field, entityname) 
    search sEntityinfo("@fields.EventID","AD_EventID")

  • sIsnull(field): If all the elements of this field are null or empty, return “true”.

  • sWildcard(field): only keep the non-empty elements of a field

All content search functions start with “s” has two modes: when used in a “search” pipe, the expected field name must be a field name in full path. Otherwise the field argument must be variable (see sContent for examples).

Examples

The follow are some commonly used queries:

Page last updated: 2022 Oct 18