
Exabeam Search Guide

Query Syntax

The following table shows the accepted logical statements and syntax for querying in Search. Search semantics apply a limited subset of Lucene query syntax.

Note

Operators such as AND, TO, NOT, and OR are case-sensitive and must be all upper-case.

Columns: Search Type | Operator Description | Example Syntax

Empty String

Leave the search bar empty.

Leaving the search bar empty will query all logs, and return all results.

Literal Terms

Alpha-numeric text to search for, enclosed in double quotes ("").

"Web"

Look for log fields containing the text Web. The match is case-insensitive and finds records containing the strings Web, Web-north, and Web is cool.

Fields

Search by field values.

Search for any fields and values using one of the following methods:

  • Loose Keyword Match: subject:"Web" or subject="Web"

  • Exact Keyword Match: subject:"`Web`" or subject="`Web`"

  • Exact Full Match: subject=="Web"

For detailed information about field search syntax, see the following syntax tables: Generic Field Search Syntax and Field Search Syntax for Specific Data Types.

List of Values

Comma-separated list in parentheses: (item1, item2, ..., itemN)

When doing a multi-value search, the values must be in parentheses.

user : ("joe", "jane")

or

user = ("joe", "jane")

subject : ("alert", "datastore")

or

subject = ("alert", "datastore")

Looks for records where the value of subject is in the set ("alert", "datastore").

This is equivalent to subject : "alert" OR subject : "datastore"

IP CIDR Notation

Query for a range of IP Addresses using CIDR notation.

src_ip: [192.0.0.1/28]

or

src_ip= [192.0.0.1/28]

Search within the range of IPs from 192.0.0.0 to 192.0.0.15 (the /28 block that contains 192.0.0.1; host bits are masked off).

Timestamps

Use any of the following syntax options to look for specific timestamp ranges:

  • YYYY-MM-DDThh:mm:ss.sss TO YYYY-MM-DDThh:mm:ss.sss

  • YYYY-MM-DDThh:mm:ss.sss±hh:mm

  • Unix epoch milliseconds in UTC: SSS

Search does not support an exact match on time fields (only time ranges).

log_time: [2021-12-31T01:02:03.444 TO 2022-12-31T01:02:03.444]

ingest_time:[123456789000 TO 223456789000]

Range Search

TO, >, <, >=, <=

Range of values with lower and/or upper limits, expressed as numeric values.

field_name : low TO high

field_name : >low

field_name : <high

field_name : >=low

field_name : <=high

or, using comparison operators:

field_name >= value

field_name <= value

field_name > value

field_name < value

field_name = value

num_pages: [10 TO 50]

Note

Ranges are inclusive. [10 TO 50] means 10 and 50 are included in the search results.

num_pages: >50

log_time: [2021-12-31T01:02:03.444 TO 2022-12-31T01:02:03.444]

flow_end_time: [123456789000 TO 223456789000]

Operators

Joining of two or more criteria:

  • AND: both terms must exist

  • OR: either term may exist

user: "joe" AND host : "201.45.34.24"

Look for records with both joe and 201.45.34.24 in their respective fields.

user: "joe" OR user: "jane"

Look for records with either joe or jane in the field user.

Negative Terms

NOT

Term must not exist.

user:"joe" AND NOT country:"US"

Look for records with joe but without US in their respective fields.

To ensure that a field query does not return null values, use the NOT <field>:null syntax:

user:"joe" AND NOT country:null

Grouping

( )

Multi-term search in which the criteria inside the parentheses are evaluated first.

Parentheses are supported for grouping expressions.

((subject: "user" OR subject: "app") AND product: "Windows")

subject: ("user", "app") AND product: "Windows"

((subject = "user" OR subject: "app") AND product = "Windows")

subject= ("user", "app") AND product= "Windows"

Look for records with user or app in the subject field that also have Windows in the product field.

Note

Limitation:

  • Parentheses cannot wrap a single expression. This syntax results in an error: (exa_category:"Web") AND network:"HTTP"
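The rows above (fields, lists of values, CIDR ranges, inclusive ranges, NOT null, AND/OR, and grouping) can be composed programmatically, which is useful when a detection engineer generates searches from a list of indicators rather than typing them. The following is an added example and is not Exabeam code: it only formats strings in the syntax this guide documents and never contacts Search. Field names (subject, product, src_ip, num_pages, country) come from the guide's examples; the backslash escaping inside quoted literals is an assumption borrowed from Lucene, because the guide does not document escape rules.

```python
"""Build Exabeam Search query strings from Python values (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def quote(value) -> str:
    """Wrap a literal in double quotes; backslash escaping is an assumption."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def loose(field: str, value) -> str:
    """Loose keyword match: field:"value"."""
    return f"{field}:{quote(value)}"


def exact(field: str, value) -> str:
    """Exact keyword match: field:"`value`" (backticks inside the quotes)."""
    return f'{field}:"`{value}`"'


def full(field: str, value) -> str:
    """Exact full match: field=="value"."""
    return f"{field}=={quote(value)}"


def any_of(field: str, values) -> str:
    """List of values: field:("a", "b"), equivalent to field:"a" OR field:"b"."""
    values = list(values)
    if not values:
        raise ValueError("a list-of-values search needs at least one value")
    return f'{field}:({", ".join(quote(v) for v in values)})'


def cidr(field: str, network: str) -> str:
    """IP CIDR search: field:[a.b.c.d/n]. Validates the notation first."""
    ipaddress.ip_network(network, strict=False)  # raises ValueError on bad input
    return f"{field}:[{network}]"


def cidr_bounds(network: str) -> tuple:
    """First and last address a CIDR query covers; host bits are masked off,
    so 192.0.0.1/28 covers 192.0.0.0 to 192.0.0.15 as the guide states."""
    net = ipaddress.ip_network(network, strict=False)
    return str(net[0]), str(net[-1])


def between(field: str, low, high) -> str:
    """Inclusive range: field:[low TO high]; works for numbers and timestamps."""
    return f"{field}:[{low} TO {high}]"


def epoch_ms(dt: datetime) -> int:
    """Unix epoch milliseconds in UTC, the numeric form accepted for time fields."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid local-time drift")
    return (dt.astimezone(timezone.utc) - _EPOCH) // timedelta(milliseconds=1)


def not_null(field: str) -> str:
    """Exclude records where the field is missing: NOT field:null."""
    return f"NOT {field}:null"


def all_of(*clauses: str) -> str:
    """Join clauses with AND (operators must be upper-case)."""
    return " AND ".join(clauses)


def one_of(*clauses: str) -> str:
    """Join clauses with OR."""
    return " OR ".join(clauses)


def group(clause: str) -> str:
    """Parenthesise a multi-term clause. Search rejects parentheses around a
    single expression, so refuse to wrap a clause that joins nothing."""
    if not any(f" {op} " in clause for op in ("AND", "OR")):
        raise ValueError("grouping a single expression is an error in Search")
    return f"({clause})"


def example_query() -> str:
    """Windows records whose subject is user or app, from one /28 block,
    with a page-count range and a non-null country (constructed sample)."""
    return all_of(
        group(one_of(loose("subject", "user"), loose("subject", "app"))),
        loose("product", "Windows"),
        cidr("src_ip", "192.0.0.1/28"),
        between("num_pages", 10, 50),
        not_null("country"),
    )


if __name__ == "__main__":
    print(example_query())
    print(cidr_bounds("192.0.0.1/28"))
```

`group()` deliberately refuses a clause with no AND/OR, mirroring the grouping limitation in the Note, and `cidr_bounds()` shows the range a CIDR query actually covers before it is run.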

Regex

For complex search queries, use Regex (RGX) Operators.

Wildcards

The wildcard symbol "*" is not allowed in search queries as a standalone expression, but it can be used with Wildcard (WLD) Operators.
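Several rules on this page are easy to violate by hand: operators must be all upper-case (the Note near the top), parentheses cannot wrap a single expression (the Grouping limitation), and "*" is not allowed on its own (Wildcards). The following linter is an added example and not Exabeam code; it checks query text offline against those stated rules before the query is pasted into Search. A list of values such as user:("joe", "jane") is recognised by the ":" or "=" immediately before its "(" and is not treated as a group; the sample queries at the bottom are constructed from or modelled on the guide's examples.

```python
"""Lint an Exabeam Search query against the rules this guide states (added example)."""
import re

OPERATORS = {"AND", "OR", "NOT", "TO"}

# Quoted literals, including the exact-match form "`value`"; their content is
# blanked before scanning so a value like "and" is not mistaken for an operator.
_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
# Tokens that matter for grouping: parentheses and the two joining operators.
_GROUPING = re.compile(r"\(|\)|\bAND\b|\bOR\b")


def lint_query(query: str) -> list:
    """Return a list of problem descriptions; an empty list means nothing was found."""
    problems = []
    text = _LITERAL.sub('""', query)

    # Operators are case-sensitive and must be all upper-case.
    for token in text.split():
        bare = token.strip("()[]")
        if bare.upper() in OPERATORS and bare != bare.upper():
            problems.append(f"operator {bare!r} must be upper-case: {bare.upper()}")
        elif bare == "*":
            problems.append("standalone wildcard '*' is not allowed")

    # Every grouping parenthesis must join at least two terms at its own level.
    stack = []  # one entry per open paren: [is_value_list, saw_operator]
    for match in _GROUPING.finditer(text):
        item = match.group()
        if item == "(":
            before = text[: match.start()].rstrip()
            stack.append([before.endswith((":", "=")), False])
        elif item == ")":
            if not stack:
                problems.append("unbalanced ')'")
                continue
            is_list, saw_operator = stack.pop()
            if not is_list and not saw_operator:
                problems.append("parentheses around a single expression are not supported")
        elif stack:
            stack[-1][1] = True  # AND/OR seen inside the innermost open group
    if stack:
        problems.append("unbalanced '('")
    return problems


def is_valid(query: str) -> bool:
    """True when the linter finds no problem."""
    return not lint_query(query)


# Constructed sample queries, taken from or modelled on the guide's examples.
SAMPLES = [
    '((subject: "user" OR subject: "app") AND product: "Windows")',
    'subject: ("user", "app") AND product: "Windows"',
    '(exa_category:"Web") AND network:"HTTP"',
    'user:"joe" and host:"201.45.34.24"',
    'num_pages: [10 to 50]',
    '*',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_query(sample) or "ok")
```

The linter only knows the rules written on this page; a query it passes can still be rejected by Search for reasons the guide does not cover, such as an unknown field name.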