
Hunt Page - Search

This document is a baseline reference for LogRhythm NDR customers: it explains how to construct searches on the Hunt page, introduces the field names and schema the searches run against, and describes the Search features and best practices for using them.

Phrase Searches

To search for an exact phrase, enclose the search phrase in double quotes.

Example: Searching for entry_type:"AlertEvent" would only match documents whose entry_type field contains that exact phrase.

Range Searches

To search fields with numeric or date values, search for ranges using the greater than (>) and less than (<) symbols. Use >= or <= when the bound itself should be included.

Example: Searching for event_certainty:>50 would match documents with an event_certainty greater than 50.

Exists Queries

To find documents in which a specific field is present, use the _exists_ query.

Example: Searching for _exists_:term would match documents in which the "term" field is populated.

Combining Queries with Boolean Operators

Elasticsearch supports the Boolean operators AND, OR, and NOT, which combine multiple search conditions. Write the operators in uppercase (a lowercase "and" is treated as a search term) and use parentheses to group conditions.

Example:

  • Use the AND operator to require both terms: term1 AND term2

  • Use the OR operator to match either term: term1 OR term2

  • Use the NOT operator to exclude a term: term1 NOT term2 (read as term1 AND NOT term2)

Fuzzy Searches

Use fuzzy queries when a certain level of spelling mistakes or typos should be tolerated. Append a tilde (~) to a term to find terms within a small number of single-character edits of it; add a number (for example, hst~1) to set the allowed number of edits explicitly.

Example: Searching for hst~ would match documents containing terms such as "host", which is one edit away from "hst". A value like "host_uuid" is several edits away and would not match.

Wildcard Searches

Wildcard characters can be used to match patterns within search terms. The asterisk (*) represents any number of characters, while the question mark (?) represents a single character. A pattern that begins with a wildcard must be compared against every indexed term, so leading wildcards are slow on large indexes.

Example: Searching for *Event would match documents with values such as "AlertEvent", while searching for Event alone matches only that exact term.
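To see how the phrase, range, exists, Boolean, fuzzy and wildcard operators above combine, the following added example (written for this page; it is not LogRhythm's or Elasticsearch's code) parses the documented subset of the syntax and evaluates it against three constructed records, so each operator's behaviour can be checked offline. Assumptions not taken from the page: every field behaves like an exact, case-sensitive keyword field (real analyzed text fields lowercase and tokenize their values), range bounds and values are numeric, the fuzzy edit distance follows Elasticsearch's AUTO rule when no number is given, Boolean operators must be written explicitly, and the function names and sample documents are invented here.

```python
"""Toy evaluator for the Hunt search syntax (added example, not LogRhythm code).
Assumptions: fields act as exact, case-sensitive keyword fields; range bounds are
numeric; fuzzy distance uses Elasticsearch's AUTO rule; operators are explicit."""
import re
_TOKEN = re.compile(r'''\s+|(?P<lp>\()|(?P<rp>\))|(?P<op>AND|OR|NOT)\b|(?P<neg>-)(?=\S)
    |(?P<field>[A-Za-z_][\w.]*):|(?P<cmp>>=|<=|>|<)|(?P<phrase>"[^"]*")|(?P<term>[^\s()"]+)''', re.X)

DOCS = [  # constructed sample records shaped like NDR hunt documents (not real data)
    {"id": 1, "entry_type": "AlertEvent", "event_certainty": 80, "host": "web01", "term": "c2"},
    {"id": 2, "entry_type": "Event", "event_certainty": 40, "host": "host"},
    {"id": 3, "entry_type": "FlowEvent", "event_certainty": 60, "host": "host_uuid"}]

def tokenize(query):
    """Split a query into (kind, text) tokens, dropping whitespace; reject stray characters."""
    matches = list(_TOKEN.finditer(query))
    if ''.join(m.group(0) for m in matches) != query:
        raise ValueError("query contains characters outside the toy grammar")
    return [(m.lastgroup, m.group(m.lastgroup)) for m in matches if m.lastgroup]

def edit_distance(a, b):
    """Levenshtein distance (Lucene's fuzzy matching additionally counts transpositions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def term_matcher(text):
    """Predicate for one term: fuzzy (term~ or term~N), wildcard (* or ?), otherwise exact."""
    fuzzy = re.fullmatch(r'(.+?)~(\d*)', text)
    if fuzzy:  # AUTO rule: 0 edits for 1-2 character terms, 1 for 3-5, 2 for longer
        word, n = fuzzy.groups()
        max_edits = int(n) if n else (0 if len(word) < 3 else 1 if len(word) < 6 else 2)
        return lambda v: isinstance(v, str) and edit_distance(word, v) <= max_edits
    if '*' in text or '?' in text:
        rx = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c) for c in text)
        return lambda v: isinstance(v, str) and re.fullmatch(rx, v) is not None
    return lambda v: str(v) == text

def on_field(name, pred):  # apply pred to one named field, or to every field when none is named
    if name is None:
        return lambda d: any(v is not None and pred(v) for v in d.values())
    return lambda d: d.get(name) is not None and pred(d[name])

class Parser:  # recursive descent; precedence: OR lowest, then AND / binary NOT, then unary NOT or '-'
    def __init__(self, query):
        self.toks, self.i = tokenize(query) + [('end', None)], 0
    def peek(self):
        return self.toks[min(self.i, len(self.toks) - 1)]
    def take(self, kind=None):
        tok = self.peek()
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok[0]} at token {self.i}")
        self.i += 1
        return tok
    def parse(self):
        pred = self.or_expr(None)
        self.take('end')  # anything left over means a Boolean operator was omitted
        return pred
    def or_expr(self, field):
        left = self.and_expr(field)
        while self.peek() == ('op', 'OR'):
            self.take()
            left = (lambda l, r: lambda d: l(d) or r(d))(left, self.and_expr(field))
        return left
    def and_expr(self, field):
        left = self.unary(field)
        while self.peek() in (('op', 'AND'), ('op', 'NOT')):  # "a NOT b" reads as a AND NOT b
            negate = self.take()[1] == 'NOT'
            left = (lambda l, r, n: lambda d: l(d) and r(d) != n)(left, self.unary(field), negate)
        return left
    def unary(self, field):
        if self.peek() in (('op', 'NOT'), ('neg', '-')):
            self.take()
            return (lambda inner: lambda d: not inner(d))(self.unary(field))
        return self.clause(field)
    def group(self, field):  # parse the inside of a parenthesised group up to and including ')'
        inner = self.or_expr(field)
        self.take('rp')
        return inner
    def clause(self, field):
        kind, text = self.take()
        if kind == 'lp':
            return self.group(field)
        if kind == 'field':
            if text == '_exists_':
                name = self.take('term')[1]
                return lambda d: d.get(name) is not None
            if self.peek()[0] == 'lp':  # field:(v1 OR v2) scopes the whole group to one field
                self.take()
                return self.group(text)
            if self.peek()[0] == 'cmp':  # field:>N, field:<N, field:>=N, field:<=N
                op, bound = self.take()[1], float(self.take('term')[1])
                cmp = {'>': bound.__lt__, '<': bound.__gt__, '>=': bound.__le__, '<=': bound.__ge__}[op]
                return on_field(text, lambda v: isinstance(v, (int, float)) and cmp(float(v)))
            field, (kind, text) = text, self.take()
        if kind == 'phrase':
            return on_field(field, lambda v, p=text[1:-1]: str(v) == p)
        if kind == 'term':
            return on_field(field, term_matcher(text))
        raise ValueError(f"unexpected {kind} {text!r}")

def match_ids(query, docs=DOCS):
    """Return the ids of the documents matching query, in input order."""
    pred = Parser(query).parse()
    return [d["id"] for d in docs if pred(d)]
```

Calling match_ids('hst~') returns only the record whose host is "host"; "host_uuid" is six edits away, which is why the fuzzy example above does not match it. The real Lucene query parser has its own, less regular precedence rules, so always add parentheses in production queries rather than relying on the ordering this toy imposes.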

The following table summarizes the operators described above. Operators are written in uppercase, and phrases are enclosed in double quotes.

Match (Phrase Search)

  • fieldname:"value"

Enclose the value in double quotes to match that exact phrase in the named field.

AND (Combining Queries with AND Operator)

  • fieldname:("value1" AND "value2")

  • fieldname:"value1" AND fieldname:"value2"

Both conditions must match. The first form scopes the whole group to one field; the second combines clauses that may name different fields.

OR (Combining Queries with OR Operator)

  • fieldname:("value1" OR "value2")

  • fieldname:"value1" OR fieldname:"value2"

Either condition may match.

NOT (Combining Queries with NOT Operator)

  • fieldname:("value1" NOT "value2")

  • fieldname:"value1" NOT fieldname:"value2"

Excludes documents that match the second condition; term1 NOT term2 is read as term1 AND NOT term2.

Exclude (Negated Phrase Search)

  • -fieldname:"value"

Prefix a clause with "-" to exclude documents that contain the exact phrase; the phrase is still enclosed in double quotes.

EXISTS (Exists Queries)

  • _exists_:fieldname

Matches documents in which fieldname is present with a value.

> or < (Range Search)

  • fieldname:>50

  • fieldname:<50

For fields with numeric or date values, matches values greater than or less than the bound. Use >= or <= to include the bound itself.
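The reserved characters behind these operators are also why a value copied from an untrusted source (an indicator from a threat report, a host name from a ticket) needs escaping before it is placed in a hunt query: "/" starts a regular expression, "*" and "?" are wildcards, ":" starts a field clause, and "<" or ">" starts a range. The following added example (not LogRhythm's or Elasticsearch's code; the function names and indicator values are invented here) applies the reserved-character list that the Elasticsearch query_string documentation gives, removes "<" and ">" because that documentation says they cannot be escaped, and builds exact-match clauses that keep the value literal.

```python
"""Escaping untrusted values for a Hunt query (added example, not LogRhythm code).
The reserved-character list follows the Elasticsearch query_string documentation;
the helper names and the sample indicators are assumptions made for this example."""
import re

# Reserved query_string characters that take a backslash escape. "<" and ">"
# cannot be escaped at all and are removed instead.
_RESERVED = re.compile(r'(&&|\|\||[+\-=!(){}\[\]^"~*?:\\/])')


def escape_term(value):
    """Make an untrusted value safe to use as a bare term: operator characters become literals."""
    return _RESERVED.sub(r'\\\1', value.replace('<', '').replace('>', ''))


def exact_clause(field, value):
    """Build field:"value" for an untrusted value; inside quotes only backslash and quote need escaping."""
    quoted = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'{field}:"{quoted}"'


def build_query(field, indicators):
    """OR together exact clauses for a list of indicators, e.g. hosts named in a report."""
    return ' OR '.join(exact_clause(field, v) for v in indicators)


if __name__ == "__main__":
    # Constructed indicator values: a CIDR (the "/" would start a regex), a bare "*"
    # (would become a match-everything wildcard) and a name containing a quote.
    for raw in ("10.0.0.0/24", "*", 'web"01'):
        print(f"{raw!r:14} term={escape_term(raw):16} clause={exact_clause('host', raw)}")
```

Use exact_clause when the value should match a keyword field verbatim, and escape_term when the value must stay a single bare term; in both cases the output is a query fragment, so the surrounding Boolean operators and parentheses are still added by the code that assembles the search.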
