Build a Query
Syntax for a basic query includes the following elements:
| Element | Examples |
|---|---|
| Searchable Field | User, Origin Host IP, Collector ID |
| Operator | =, CONTAINS, AND |
| Term | John Smith, 10.128.65.193, linux |
Axon is equipped with a navigation suggestion service that provides valid suggestions based on inputs the user supplies while building a search.
Basic Search Rules
Searches are case insensitive.
EXAMPLE
The following search terms return the same results:
- john smith
- John Smith
- JOHn sMith
Quotes enforce order.
EXAMPLE
user = "John Smith"
- The results include users with the order John Smith. A user with the order Smith John is excluded.
user = John Smith
- The results include users with John Smith and Smith John.
Blank or anything can be used as search terms.
EXAMPLE
| Operator and Search Term | Results |
|---|---|
| = Blank or = blank | Includes records where the searchable field has nothing in it. |
| CONTAINS anything | Includes records where the searchable field has any value in it. 
This is an unrestricted search that is likely to return a large number of records. |
Time fields can be searched using relative time terms.
EXAMPLE
Use the = operator with relative time terms:
| Relative Time Term | Description | Relative Time Options |
|---|---|---|
| now-15m | The last 15 minutes. | The examples in this table are not exhaustive. You can use any relative time. For example, if you want to search the last 24 hours, you can use now-1d, now-24h, or now-1440m. |
| now-30m | The last 30 minutes. | |
| now-1h | The last hour. | |
| now-12h | The last 12 hours. | |
| now-1d | The last day. | |
| now-7d | The last 7 days. | |
| now-1M | The last month. | |
| now-3M | The last 3 months. |
Basic Search Examples
EXAMPLE - Exclude exact term with order enforced
user != "John Smith"
| Searchable Field | user |
|---|---|
| Operator | != |
| Term | "John Smith" |
Search results: Excludes logs with user field that contains case insensitive instances of John Smith in that order.
EXAMPLE - Include exact term in any order
user = john smith
| Searchable Field | user |
|---|---|
| Operator | = |
| Term | john smith |
Search results: Includes logs with user field that contains case insensitive instances of john smith and smith john.
EXAMPLE - Contains term with order enforced
general_information.raw_message CONTAINS "accepted password"
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | "accepted password" |
Search results: Returns logs where general_information.raw_message has accepted password in that order and is case insensitive.
EXAMPLE - Contains term in any order
general_information.raw_message CONTAINS password accepted
| Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| Term | password accepted |
Search results: Returns logs where general_information.raw_message has the words password and accepted in no particular order and is case insensitive.
Compound Searches
Compound searches include additional requirements using NOT/AND/OR operators. This further narrows the parameters to limit the number of results a user needs to review.
Compound Search Examples
EXAMPLE - Include exact first term with order enforced AND contains second term with order enforced
user = "John Smith" AND raw message CONTAINS "unauthorized access"
| First Searchable Field | user |
|---|---|
| Operator | = |
| First term | "John Smith" |
| Compound Operator | AND |
| Second Searchable Field | raw message |
| Operator | CONTAINS |
| Second Term | "unauthorized access" |
Search results: Includes any logs where the user field contains John Smith that also have a raw message with the words unauthorized access in that order anywhere in the body of the message.
EXAMPLE - Contains first term OR contains exact second term
general_information.raw_message CONTAINS user OR unattributed.host.ip_address.value = 10.128.65.193
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | user |
| Compound Operator | OR |
| Second Searchable Field | unattributed.host.ip_address.value |
| Operator | = |
| Second Term | 10.128.65.193 |
Search results: Includes logs where the raw message contains the word user OR where the Host IP Address is 10.128.65.193.
EXAMPLE - First searchable field from the last day contains any value
general_information.raw_message CONTAINS anything AND general_information.standard_message_time = now-1d
| First Searchable Field | general_information.raw_message |
|---|---|
| Operator | CONTAINS |
| First term | anything |
| Compound Operator | AND |
| Second Searchable Field | general_information.standard_message_time |
| Operator | = |
| Second Term | now-1d |
Search results: Includes logs from the last day where general_information.raw_message has any value in it.