Basic Queries
Syntax for a basic query includes the following elements:
Element | Example |
---|---|
Metadata Field | classificationName |
Colon | : |
Standard Open Quotation Mark | " |
Term | Malware |
Standard End Quotation Mark | " |
Type a query using the following basic syntax:
metadataField:"term"
EXAMPLE
- To run a query for all activity that falls under the Malware classification:
classificationName:"Malware"
- To run a query for the impacted user account jon.smith:
account:"jon.smith"
Lucene search is case sensitive for the metadata field value (the field name before the colon). When entering the metadata field value, you must therefore use the exact capitalization. If the metadata field value does not match the capitalization exactly, the LogRhythm Web Console widgets return No data available messages rather than an error, because the query is valid but matches nothing.
For example, when searching on the metadata field classificationName:
Metadata Field Value Entered | Search Result |
---|---|
classificationName | Filtered data |
Classificationname | No data |
classificationname | No data |
ClassificationName | No data |
In contrast, Lucene search is not case sensitive for the term value (the quoted text after the colon).
For example, when searching on the term Malware:
Term Value Entered | Search Result |
---|---|
Malware | Filtered data |
malware | Filtered data |
MalWare | Filtered data |
malWare | Filtered data |
For more detailed information on metadata fields and correct capitalization, see the Metadata Fields section.
Special Characters
Certain reserved characters must be escaped within the query. To escape a special character within the query syntax, use a backslash before the character. Special characters that require this treatment are: + - && || ! ( ) { } [ ] ^ " ~ * ? : \
EXAMPLE
- To run a query for an origin user whose name is jon*:
login:"jon\*"
- To run a query for an origin user whose name is jon.smith-miller:
login:"jon.smith\-miller"