Skip to main content

Exabeam SearchExabeam Search Guide

Table of ContentsTable of Contents

Query Syntax

The following table shows the accepted logical statements and syntax for querying in Search. Search semantics applies a limited subset of Lucene.

Note

Note that AND, TO, NOT, and OR are case-sensitive operators (i.e. all upper-case only).

Search Types	Operator Descriptions	Example Syntax
Empty String	Leave the search bar empty.	Leaving the search bar empty will query all logs, and return all results.
Literal Terms	Alpha-numeric text to search for. ""	`"Web"` Look for log fields containing the text Web. This is case-insensitive. This will find records with the strings `Web`, `Web-north`, `Web is cool`.
Fields	Data type or category name (i.e. key within [key,value] of structured data).	Search for any fields and values using one of the following methods: Loose Keyword Match: `subject:"Web"` or `subject="Web"` Exact Keyword Match: subject:"`Web`" or subject="`Web`" Exact Full Match:`subject=="Web"` For detailed information about field search syntax, see the following syntax tables: Generic Field Search Syntax and Field Search Syntax for Specific Data Types.
List of Values	Comma separated (item 1, item2, ... ,itemN)	When doing a multi-value search, the values must be in parentheses. `user : ("joe", "jane")` or `user = ("joe", "jane")` `subject : ("alert", "datastore")` or `subject = ("alert", "datastore")` Looks for the strings where the value of subject is in the set ("alert", "datastore") This is equivalent to `subject : "alert" OR subject : "datastore"`
IP CIDR Notation	Query for a range of IP Addresses using CIDR notation.	`src_ip: [192.0.0.1/28]` or `src_ip= [192.0.0.1/28]` Search within the range of IPs from 192.0.0.0 to 192.0.0.15
Timestamps	Use any of the following syntax options to look for specific timestamp ranges: `YYYY-MM-DDThh:mm:ss.sss TO YYYY-MM-DDThh:mm:ss.sss` `YYYY-MM-DDThh:mm:ss.sss±hh:mm` Unix epoch milliseconds in UTC: `SSS` Search does not support an exact match on time fields (only time ranges).	`log_time: [2021-12-31T01:02:03.444 TO 2022-12-31T01:02:03.444]` `ingest_time:[123456789000 TO 223456789000]`
Range Search `TO` `>` `<` `>=` `<=`	Range of values with lower and/or upper limits, expressed as numeric values. `field_name : low TO high` `field_name : >low` `field_name : <high` `field_name : >=low` `field_name : <=high` OR `field_name >= value` `field_name <= value` `field_name > value` `field_name < value` `field_name = value`	`num_pages: [10 TO 50]` Note Ranges are inclusive. [10 TO 50] means 10 and 50 are included in the search results. `num_pages: >50` `log_time: [2021-12-31T01:02:03.444 TO 2022-12-31T01:02:03.444]` `flow_end_time: [123456789000 TO 223456789000]`
Operators	Joining of two or more criteria: `AND`—Both terms must exist `OR`—either term may exist	`user: "joe" AND host : "201.45.34.24"` Look for records with both `joe` and `201.45.34.24` in their respective fields. `user: "joe" OR country: "jane"` Look for records with either `jane` or `joe` in field `user`.
Negative Terms `NOT`	Term must not exist.	`user:"joe" AND NOT country:"US"` Look for records with `joe` but without `US` in their respective fields.
Grouping `( )`	Multi-term search processed first by criterium set in parentheses.	Parentheses are supported for grouping expressions. `((subject: "user" OR subject: "app") AND product: "Windows")` `subject: ("user", "app") AND product: "Windows"` `((subject = "user" OR subject: "app") AND product = "Windows")` `subject= ("user", "app") AND product= "Windows"` Look for records with a `user` or `app` in the `subject` field, that also has `Windows` in the `product` field. Note Limitations: This does not work for a single expression. This syntax results in an error: `(exa_category:"Web") AND network:"HTTP"`
Regex	For complex search queries, use Regex (RGX) Operators.
Wildcards	The wildcard symbol, "*" is not allowed in search queries as a standalone expression, but could be used with Wildcard (WLD) Operators.