Data LakeData Lake Migration Guide

Single Term

Search for a single word

enclose in " "

Ex. "cloud"

enclose in " "

Ex. "cloud"

Phrase

Search for multiple words

enclose in " "

Ex. "security alerts"

enclose in " "

Ex. "log always"

Boolean Operators

Use to combine or contrast

AND, OR, NOT, +, -

AND, AND NOT, NOT, OR

Value in a Field

Search for a value in a field - not case-sensitive

field:value

Ex. Vendor:Exabeam

field:"value" OR field="value"

String Ex. vendor:"Exabeam"

Integer Ex. dest_port:53

Case-sensitive Value in a Field

Search for a case-sensitive value in a field

field:value

Ex. Vendor:Exabeam

field:"'value'" OR field="'value'"

Exact Match Value in a Field

Search for an exact value in a field

field:value

Ex. Vendor:Exabeam

field=="value"

List of Values

Search for multiple values in a field

field:(value OR value)

Ex. user:(user1 OR user2)

field:("value","value") OR field=("value","value")

Ex. user:("user1,"user2")

Range of Values

Search for a range of values in a field

Range operators include: TO, >, <, >=, <=

inclusive: field:[1 TO 10]

exclusive: field:{1 TO 10}

Ex. num_pages:[1 TO 10]

inclusive: field:[1 TO 10]

exclusive: field:{1 TO 10}

Ex. num_pages:[1 TO 10]

IP CIDR Notation

Query a rang of IP addresses using CIDR

Ex. src_ip:[192.0.0.1/28]

Ex. src_ip:[192.0.0.1/28] OR src_ip=[192.0.0.1/28]

Field Existence

Determine if a field is present or

Determine if a field is not present

_exists_:field

!_exists_:field

Ex. _exists_:Vendor

NOT field:null

field:null

Ex. NOT vendor:null

Keyword Fields

Search for exact matches using the .keyword that corresponds to a field

Ex. user.keyword:"admin"

Not applicable because fields are stored natively by their data type.

Tokenized Fields

Search for fields used in the UI as substitutes for sensitive data

Ex. user.keyword: *string

Not required in Search.

Metadata Fields

Search for fields added to an event that are not part of the raw data

prefixed with exa_

Ex. exa_device_type:application

prefixed with m_

Ex. m_forwarder:"10.10.10.1"

Custom Fields

Search for fields created by the user

no specific marking for custom fields

prefixed with c_

Ex. c_host_id:"HOST95"

Conditions

Group conditions in ( ) and join by AND/OR operators

user:(joe OR jane)

subject:("user,"app") AND product:"Windows"

Logic Operators

Operators than can be used in logic statements

AND, OR, NOT, !, -

AND, OR, AND NOT, NOT, or leave blank for an empty string

Wildcards

Symbols that represent one or more characters

* represents any number of characters

? represents a single character

* represents any number of characters

? represents a single character

Wildcards cannot be used in stand alone expressions.

Special Characters

Characters that have a specific use in search syntax but need to be included in a search, including:

+ - &amp; || ! ( ) { } [ ] ^ " ~ * ? : _

escape these characters by prefixing with \

Ex. string: user:"jo+"

Query: user:"jo\+"

escape these characters by prefixing with \

Ex string: destination="host1"

Query: "destination=\"host1\"

Regular Expressions

REGEX patterns can be included in search queries. For detailed REGEX search information, see Query Using Regex.

enclose in / /

Ex: user:/[^0-9A-Za-z_]/

enclose in / / inside of " "

Ex: user:"/[^0-9A-Za-z_]/"

A specific parser by name

exa_parser_name:"raw-4625"

msg_type:"microsoft-evsecurity-kv-endpoint-login-fail-4625-2"

All parsed logs

_exists_:exa_parser_name

parsed:TRUE

Any unparsed logs

!_exists_:exa_parser_name

parsed:FALSE

@timestamp

approxLogTime

Default time the raw log was parsed.

indexTime

ingest_time

Time the parser or enricher processed the log message for indexing.

exa_adjustedEventTime

time

Time derived from the event itself with adjustments, such as time zone, if this information is present in the log and has been parsed.

exa_rawEventTime

raw_log_time

Non-adjusted time derived from the log message itself. If not present in the log, defaults to the time the log message was processed for indexing. (indexTime or ingest_time)