- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Free Text Search
Use a free text search when the data you are searching for is not located in a specific field. This search is performed against the raw log data.
By default, Search performs unstructured text searches. It looks for entries that contain any of your search terms. When no specific field is indicated, the search is performed across all fields being analyzed.
Note
Free text search can be very inefficient. Whenever possible, it's recommended to use parsed fields for searches, unless free text search is your only option.
When searching for a common term, a URL, or something with special characters, enclose your search term in backticks.
Search breaks tokens based on special characters. For example, a search for https://www.abc.com is broken into several tokens (http, abc, www, com), and the raw log is searched for all these terms separately, in no particular order. This method inefficient and costly in terms of performance and resources. It also may not yield the desired results.
Key points:
A free text search containing special characters that are not enclosed in double quotes is not supported.
You can mix free text search with field search expressions.
Regex expressions are supported within a free text query.
A query is broken up into terms and operators. There are two types of terms: Single Terms and Phrases.
A Single Term is a single word such as "test" or "hello".
A Phrase is a group of words surrounded by either straight single or straight double quotes such as "hello world". Be consistent with quote usage as a query with a single quote and a double quote will not return results.
Multiple terms can be combined with Boolean operators to form a more complex query.
Do not use string values with numeric characters.
Note
To search for a special character or quotes, these characters must be escaped with a back slash (\) character.
The following table provides examples of free text searches, including sample results of what this query might match:
Search by Field Name | Description | Sample Results |
|---|---|---|
| Loose keyword match that searches for log fields with the single-word text |
|
| Loose keyword match that searches for log fields with the single-word text |
|
| Searches for log fields with the text |
|
| Searches for log fields with the text |
|
| Search returns an error. A free text search containing special characters that are not enclosed in double quotes is not supported. | |
| Loose keyword match that searches for log fields with the multi-word text |
|
| Exact keyword match that searches for log fields with the multi-word literal string Must be double quoted with the search token bracketed with back ticks `. |
|
| Searches for log fields with text the |
|
| Search returns an error due to . being a reserved character. A free text search containing special characters that are not enclosed in double quotes is not supported. | |
| Wildcard syntax that searches the log field for any entries that contain the token with the regex |
|
| Searches for records that have a raw log that matches a regular expression. For more information, see Query Using Regex. | |
| Search for records that contain both web and application (not case-sensitive). |
|
| Searches for records with a combination of free-text and field-value syntax. | |
| To search for entries that contain double or single quotes, or a back tick character, use a back slash to escape these characters, \. To escape a back slash character that's part of a search term, use two back slashes. |