- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Query by Context Table
You can search inside any field and compare the values to values in up to two context tables. For example, you might want to search the logs for events involving vendors that match to any vendor listed in one or two specific context tables. You can search for those values in any single column from each context table. If you don't specify a column, the search defaults to looking for values in the key column of the context table.
Note
See Context Tables in Search for more information, including rules and limitations.
Examples of valid query syntax:
fieldName IN "nameofcontexttable"."nameofcolumn
fieldName IN "nameofcontexttable"
fieldName IN "nameofcontexttable1"."nameofcolumn" AND fieldName IN "nameofcontexttable2"."nameofcolumnintable2"
fieldName IN "nameofcontexttable1" AND fieldName IN "nameofcontexttable2"
fieldName : "value" AND fieldName IN "nameofcontexttable"."nameofcolumn"
fieldName : "value" AND fieldName IN "nameofcontexttable1" AND fieldName IN "nameofcontexttable2"."nameofcolumnintable2"
(fieldName1 : "value1" OR fieldName2 : "value2") AND fieldName IN "nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2) AND (fieldName3: "value3" OR fieldName4 : "value4) AND fieldName IN "nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2") AND (fieldName3 : "value3" OR fieldName4 : "value4") AND NOT fieldName IN :nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2") AND NOT (fieldName3 : "value3" OR fieldName4 : "value4") AND fieldName IN "nameofcontexttable"."nameofcolumn"
Examples of invalid query syntax:
(fieldName1 : "example1" AND fieldName2 : "example2") OR fieldName IN "nameofcontexttable"."nameofcolumn"
Note
The OR operator is not allowed with a context table.