
Exabeam Search Guide

Query by Field and Value

You can search inside any field in the log for specific values. For example, you might want to search the logs for all events involving a specific dest_host.

Key points:

  • Queries can use the following syntax to search for specific fields and values:

    • <field>:"<value>" or <field>="<value>"

    • <field>:"`<value>`" or <field>="`<value>`"

    • <field>=="<value>"

  • The entered query will be persisted if you save your search.

  • You can search a range within a field by using square brackets [ ] to indicate that the results are inclusive. Or you can use curly brackets { } to show that the results are exclusive.

  • You cannot use wildcards inside of phrases.

Note

As you enter your query, Search offers suggestions to choose from, for both fields and operators.

[Image: field and operator auto-complete suggestions shown while typing a query]

This feature applies to custom fields as well as common fields and allows you to enter your queries faster and with higher accuracy, catching errors before query execution.

Search also offers suggestions to choose from for possible subject, vendor, and products values.

[Image: suggested subject, vendor, and product values shown while typing a query]

The following sections illustrate examples of querying by field name:

Query by Field - Generic Syntax

This syntax is used when the data to be searched for is located in a specific field. Most of these forms can be combined with each other to create more complex queries.

Note

In query syntax, : and = are interchangeable (field : value and field = value mean the same thing). We recommend that you move to using = exclusively.

Table 1. Query by Field Name - Generic Syntax

Each row lists the syntax (in both the = and : forms) followed by a description of what the query matches.

Keyword matching

Syntax:
  vendor = "Exabeam"
  vendor : "Exabeam"

Search a field for entries that contain a specific keyword or combination of keywords. Different syntax is available to search for the following types of keyword matches:

  • Loose keyword match - single word

  • Loose keyword match - multiple words

  • Exact keyword match - single word

  • Exact full match

For more details and specific syntax, see Query by Field - Data Type-Specific Syntax.

Multi-value search

Syntax:
  subject = ("alert", "datastore")
  subject : ("alert", "datastore")

Search for events where the value of the subject field is in the set ("alert", "datastore").

This is equivalent to subject : "alert" OR subject : "datastore".

This syntax also works for a single value: subject : ("alert").

Note

Limitations:

  • Multi-value search is not supported for regex.

    • This query results in an error: vendor :("/Ap\w\w/","/Ex.*/","/Micr.*/")

    • This equivalent query works: vendor : "/Ap\w\w/" OR vendor : "/Ex.*/" OR vendor : "/Micr.*/"

  • Multi-value search is not supported with CIDR or IP range syntax ([IP/subnet] or [IP TO IP]).

Null operator

Syntax:
  dest_port = null
  dest_port : null
  dest_port = NULL
  dest_port : NULL

Search for rows where dest_port is null (has no value).

To search for rows where the field does have a value (is not null), add the NOT logical operator, as in the following example: NOT dest_port : null

NOT operator

Syntax:
  NOT vendor = "Exabeam"
  NOT vendor : "Exabeam"

Search for events that do not have "Exabeam" as the vendor.

The NOT operator can be combined with the AND and OR operators. For example: vendor : "Exabeam" AND NOT product : "Advanced Analytics"

AND operator

Syntax:
  vendor = "Exabeam" AND product = "Advanced Analytics"
  vendor : "Exabeam" AND product : "Advanced Analytics"

Search for entries whose vendor field contains the token "Exabeam" and whose product field contains "Advanced Analytics".

This syntax is case-sensitive.

Combinations with OR and NOT are also supported.

OR operator

Syntax:
  subject = "alert" OR activity = "trigger"
  subject : "alert" OR activity : "trigger"

Search for events where the subject field contains "alert" or the activity field contains "trigger".

This syntax can be used on the same field or on different fields.

Parentheses for grouping operations

Syntax:
  ((subject = "Web" OR product = "Symantec") AND network = "HTTP")
  ((subject : "Web" OR product : "Symantec") AND network : "HTTP")

Search for HTTP network events where the subject is "Web" or the product is "Symantec".

Parentheses group phrases within a query.

Context table lookup

Syntax:
  src_ip IN contextTableExample

Checks whether the field has a value that is listed in the context table.

See Query by Context Table for more information.
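To make the generic syntax concrete, here is a small parser and evaluator for the forms in Table 1 (multi-value sets, the null operator, NOT, AND, OR and parentheses). It is an added example written for this page, not Exabeam's parser or any Exabeam code. Its operator precedence (NOT over AND over OR), upper-case-only keywords, and case-insensitive whole-value comparison for `field = "value"` are assumptions; the sample events and the `search` helper are constructed for the demonstration.

```python
"""Toy parser and evaluator for the generic field-query syntax above (added example,
not Exabeam's parser). Assumed: NOT binds tighter than AND, AND tighter than OR;
AND/OR/NOT are upper-case keywords; field = "value" compares the whole value
case-insensitively (the keyword-match rules of the data-type table are not modelled)."""
import re

# parentheses, "strings" with backslash escapes, commas, bare words, = and : operators
TOKEN_RE = re.compile(
    r'\s+|(?P<lp>\()|(?P<rp>\))|(?P<str>"(?:[^"\\]|\\.)*")'
    r'|(?P<comma>,)|(?P<word>[A-Za-z_][\w.]*)|(?P<op>[=:])|(?P<bad>.)')

def tokenize(query):
    tokens = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(query) if m.lastgroup]
    bad = [text for kind, text in tokens if kind == "bad"]
    if bad:
        raise ValueError(f"unexpected character {bad[0]!r} in query")
    return tokens

def unquote(text):
    """Drop the surrounding quotes and resolve backslash escapes (backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", r"\1", text[1:-1])

class Parser:
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None):
        k, text = self.peek()
        if k is None or (kind and k != kind):
            raise ValueError(f"expected {kind or 'a token'}, got {text!r}")
        self.i += 1
        return text
    def parse_or(self):  # or := and ('OR' and)*
        node = self.parse_and()
        while self.peek() == ("word", "OR"):
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):  # and := not ('AND' not)*
        node = self.parse_not()
        while self.peek() == ("word", "AND"):
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):  # not := 'NOT' not | primary
        if self.peek() == ("word", "NOT"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()
    def parse_primary(self):  # primary := '(' or ')' | field (= | :) value
        if self.peek()[0] == "lp":
            self.take("lp")
            node = self.parse_or()
            self.take("rp")
            return node
        field = self.take("word")
        self.take("op")  # = and : are interchangeable
        return ("eq", field, self.parse_value())
    def parse_value(self):  # value := "s" | null | '(' "s" (',' "s")* ')'
        kind, text = self.peek()
        if kind == "word" and text.lower() == "null":
            self.take()
            return None  # null operator: the field has no value
        if kind == "str":
            return [unquote(self.take())]
        self.take("lp")  # multi-value set: field = ("a", "b")
        values = [unquote(self.take("str"))]
        while self.peek()[0] == "comma":
            self.take()
            values.append(unquote(self.take("str")))
        self.take("rp")
        return values

def evaluate(node, event):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], event)
    if kind in ("and", "or"):
        left, right = (evaluate(n, event) for n in node[1:])
        return (left and right) if kind == "and" else (left or right)
    actual, values = event.get(node[1]), node[2]
    if values is None:  # field = null
        return actual is None
    return actual is not None and str(actual).lower() in {v.lower() for v in values}

def search(events, query):
    """Return the ids of the events that match the query, in input order."""
    parser = Parser(query)
    tree = parser.parse_or()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing input: {parser.peek()[1]!r}")
    return [e["id"] for e in events if evaluate(tree, e)]

# Constructed sample events, not real log data.
EVENTS = [
    {"id": 1, "vendor": "Exabeam", "product": "Advanced Analytics", "subject": "alert", "dest_port": 443, "network": "HTTP"},
    {"id": 2, "vendor": "Symantec", "product": "Symantec", "subject": "Web", "dest_port": None, "network": "HTTP"},
    {"id": 3, "vendor": "Exabeam", "product": "Data Lake", "subject": "datastore", "dest_port": 22, "network": "SSH"},
]
```

Running `search(EVENTS, 'subject = ("alert", "datastore")')` and `search(EVENTS, 'subject : "alert" OR subject : "datastore"')` returns the same ids, which is the equivalence the multi-value row states, and `dest_port = NULL` versus `NOT dest_port : null` split the events into those without and with a port. Because AND binds tighter than OR here, `subject = "alert" OR subject = "datastore" AND network = "SSH"` is read as `alert OR (datastore AND SSH)`; adding the parentheses from the grouping row changes the result, which is why the table recommends them for anything beyond a single operator.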


Query by Field - Data Type-Specific Syntax

The syntax for your search will vary depending on the data type of the field (string, email, ipv4/ipv6, number, Boolean, datetime, array, etc.).

Table 2. Query by Field Name - Data Type-Specific Syntax

Each row lists the data type, the syntax (in both the = and : forms where both apply) and a description of what the query matches.

Data type: string or string-like types (for example: email, ipv4/ipv6, hexadecimal)

Loose Keyword Match (single word)

Syntax:
  subject = "Web"
  subject : "Web"

Search the subject field for any records that contain the token (word) Web.

This syntax is not case-sensitive and does not match substrings of words. For example, "Webs" would not be a match.

Possible results: Web, weB

Loose Keyword Match (multiple words)

Syntax:
  product:"web application"
  username="first_name"
  username:"first-name"

Search the product field for records that contain both of the words web and application.

This syntax is not case-sensitive and does not match substrings of words.

Note

In a loose keyword match, some special characters allow multiple words to be treated as a single token and others do not. For example:

  • These are treated as a single token: username="first-name", username=first_name

  • These are treated as separate tokens: username="first name", username="first.name", username="first@name"

To ensure that multiple words joined by a special character are treated as a single token, use the Exact Keyword Match.

Possible results: application for web search, WEB like Application, First Name, name-of-the-month-first

Exact Keyword Match

Syntax:
  product="`web application`"
  product:"`web application`"

Search the product field for records that contain the literal string web application.

This syntax is case-sensitive.

Note

The search token is enclosed in back tick characters (`).

Possible results: web application, web application user, new web application

Exact Full Match

Syntax:
  product=="web application"

Search the product field for records whose value is exactly the literal string web application and nothing more.

This syntax is case-sensitive.

Possible results: web application

Optional Multi-character Wildcard

Syntax:
  subject="W*b"
  subject:"W*b"

Search the subject field for any entries that contain a token matching the wildcard pattern W*b, where * stands for any number of characters, including none.

This syntax is not case-sensitive.

Single-character Wildcard

Syntax:
  subject="W?b"
  subject:"W?b"

Search the subject field for any entries that contain a token matching the wildcard pattern W?b, where ? stands for exactly one character.

This syntax is not case-sensitive.

Regular Expression

Syntax:
  subject=RGX("regex")
  subject:RGX("regex")

For details, see Query Using Regex.

Escaping Character

Syntax:
  subject: " \"my system\" "
  subject= " \'my system\' "
  subject= " \`my system\` "
  subject: "my \\ system"

To search for entries that contain double quotes, single quotes, or a back tick character, escape these characters with a back slash (\).

Note

To escape a back slash character that is part of a search term, use two back slashes (\\).

File Path

Syntax:
  file_path="`C:\\Windows\\system`"
  file_path:"C:\\Windows\\system"

Back slash characters (\) in a path must be escaped with a back slash (\).

Note

The search string cannot start with a forward slash (/) character.

Data type: Boolean

Syntax:
  parsed=true
  parsed=false
  parsed:TRUE
  parsed:FALSE

Search for exact Boolean matches.

Data type: number

Syntax:
  bytes_in = 1000
  bytes_in:1000

Search for the rows where bytes_in = 1000.

Syntax:
  bytes_in = 1000.999
  bytes_in:1000.999

Search for the rows where bytes_in = 1000.999.

Syntax:
  bytes_in: >1000
  bytes_in >1000

Search for the rows where bytes_in > 1000.

Syntax:
  bytes_in: <1000
  bytes_in <1000

Search for the rows where bytes_in < 1000.

Syntax:
  bytes_in: >=1000
  bytes_in >=1000

Search for the rows where bytes_in >= 1000.

Syntax:
  bytes_in: <=1000
  bytes_in <=1000

Search for the rows where bytes_in <= 1000.

Syntax:
  count:[1 TO 5]
  count >= 1 AND count <= 5

Search for the rows where 1 <= count <= 5 (square brackets make both ends inclusive).

Syntax:
  count:[1 TO *]
  count >= 1

Search for the rows where count >= 1 (* leaves the upper end open).

Syntax:
  count:[* TO 5]
  count <= 5

Search for the rows where count <= 5 (* leaves the lower end open).

Syntax:
  count:{1 TO 5}
  count > 1 AND count < 5

Search for the rows where 1 < count < 5 (curly brackets make both ends exclusive, as stated in the key points above).

Data type: ipv4/ipv6

Syntax:
  src_ip= [192.168.1.0 TO 192.168.3.255]
  src_ip: [192.168.1.0 TO 192.168.3.255]

Search by a range of IPs (inclusive).

Note

Limitations:

  • Only supported for IPv4

  • The first IP must be smaller than the second IP

Syntax:
  src_ip= [192.168.1.1/28]
  src_ip: [192.168.1.1/28]

Search a range of IPs by CIDR notation (bit mask).

Examples:

  • src_ip: [192.168.1.1/8] searches in the range 192.0.0.0 to 192.255.255.255

  • src_ip: [192.168.1.1/16] searches in the range 192.168.0.0 to 192.168.255.255

  • src_ip: [192.168.1.1/24] searches in the range 192.168.1.0 to 192.168.1.255

  • src_ip: [192.168.1.1/28] searches in the range 192.168.1.0 to 192.168.1.15

Note

Limitations:

  • Only supported for IPv4

Data type: datetime

Syntax:
  ingest_time=[2023-05-16T08:57:01.567Z TO 2023-05-17T12:57:01.567Z]
  ingest_time:[2023-05-16T08:57:01.567Z TO 2023-05-17T12:57:01.567Z]

Search a time range (inclusive).

Examples:

  • Unix epoch milliseconds in UTC:

    ingest_time:[123456789000 TO 987654321000]

  • YYYY-MM-DDThh:mm:ss.sss with no explicit time zone, treated as UTC:

    ingest_time:[2023-05-16T08:57:01.567 TO 2023-05-17T12:57:01.567]

  • YYYY-MM-DDThh:mm:ss.sssZ, treated as UTC:

    ingest_time:[2023-05-16T08:57:01.567Z TO 2023-05-17T12:57:01.567Z]

  • YYYY-MM-DDThh:mm:ss.sss±hh:mm with an explicit time zone offset:

    ingest_time:[2023-05-16T08:57:01.567-07:00 TO 2023-05-17T12:57:01.567-07:00]
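The match and range rules in Table 2 can be checked against the table's own "Possible results" and CIDR examples with the reference functions below. This is an added example written for this page, not Exabeam's matching code. The tokenizer rule (split on anything other than letters, digits, `_` and `-`), matching wildcards against whole tokens, and applying the inclusive/exclusive bracket rule uniformly to numbers, IPv4 addresses and timestamps are assumptions chosen to reproduce the rows above; `cidr_bounds` computes the CIDR example ranges rather than quoting them, and all sample values are constructed.

```python
"""Reference checks for the data-type-specific rules above (added example, not
Exabeam's code). Assumed: loose-match tokens split on any character other than
letters, digits, _ and -, which reproduces the note's first-name / first.name
examples; wildcards are matched against whole tokens."""
import ipaddress
import re
from datetime import datetime, timezone

def tokenize(text):
    """Loose-match tokens: '-' and '_' stay inside a token; space, '.', '@' and other punctuation split."""
    return [t for t in re.split(r"[^\w-]+", text) if t]

def loose_match(value, pattern):
    """field="web application": every pattern token occurs as a whole token, case-insensitively."""
    have = {t.lower() for t in tokenize(value)}
    return all(t.lower() in have for t in tokenize(pattern))

def exact_keyword_match(value, literal):
    """field="`web application`": case-sensitive literal substring."""
    return literal in value

def exact_full_match(value, literal):
    """field=="web application": the whole value must equal the literal, case-sensitively."""
    return value == literal

def wildcard_match(value, pattern):
    """field="W*b" / "W?b": * = any run of characters (possibly none), ? = exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    regex = re.compile("".join(parts), re.IGNORECASE)
    return any(regex.fullmatch(t) for t in tokenize(value))

RANGE_RE = re.compile(r"^\s*([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])\s*$")
CIDR_RE = re.compile(r"^\s*\[\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*\]\s*$")

def range_predicate(spec, convert):
    """[a TO b] is inclusive, {a TO b} exclusive, * leaves that end open.
    `convert` turns the bound text and the tested value into comparable objects."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"not a range: {spec!r}")
    lo = None if m.group(2) == "*" else convert(m.group(2))
    hi = None if m.group(3) == "*" else convert(m.group(3))
    lo_inclusive, hi_inclusive = m.group(1) == "[", m.group(4) == "]"
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("the first bound must be smaller than the second")
    def pred(raw):
        v = convert(raw)
        if lo is not None and (v < lo if lo_inclusive else v <= lo):
            return False
        if hi is not None and (v > hi if hi_inclusive else v >= hi):
            return False
        return True
    return pred

def ip_range_predicate(spec):
    """src_ip: [a TO b] over IPv4 addresses; the 'first IP must be smaller' rule is enforced by range_predicate."""
    return range_predicate(spec, ipaddress.IPv4Address)

def cidr_bounds(spec):
    """[192.168.1.1/28] -> ('192.168.1.0', '192.168.1.15'): the block containing the address (IPv4 only)."""
    m = CIDR_RE.match(spec)
    if not m:
        raise ValueError(f"not CIDR range syntax: {spec!r}")
    net = ipaddress.IPv4Network(m.group(1), strict=False)
    return str(net.network_address), str(net.broadcast_address)

def cidr_predicate(spec):
    lo, hi = cidr_bounds(spec)
    return ip_range_predicate(f"[{lo} TO {hi}]")

def to_datetime(text):
    """Unix epoch milliseconds, or ISO 8601; 'Z' and a missing offset both mean UTC."""
    if text.isdigit():
        return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
```

The three string matchers make the table's distinction visible on the same input: `loose_match("WEB like Application", "web application")` is true while `exact_keyword_match` on that value is false (case and order matter), and `exact_full_match("web application user", "web application")` is false because the whole value must match. `range_predicate("{1 TO 5}", float)` rejects both 1 and 5 where the square-bracket form accepts them, and `cidr_bounds("[192.168.1.1/8]")` returns the 192.0.0.0 to 192.255.255.255 span listed in the CIDR examples, showing that the host bits of the written address are ignored.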