Boolean logic and wildcards enable you to search for multiple terms, express logic about term distribution within messages, and specify partial terms with wildcards. The keyword expression also encompasses search metadata for fields such as _collector, _sourceCategory, _sourceName, and _sourceHost.
Click any term from the messages listed in the Message tab to add it to the keyword search expression (AND term). Alt-click any term to remove the term from results (NOT term or !term). Run the query again to match the new keyword expression.
keyword keyword OR keyword NOT keyword
_sourceCategory="keywords with spaces or special characters"
- AND is implicit: two adjacent terms match only messages that contain both.
- Supports the Boolean operators AND, OR, and NOT.
- Supports * for zero or more characters.
- Supports Sumo Logic metadata fields created during configuration of Collectors and Sources, like _sourceHost, _sourceCategory, and _sourceName.
- Punctuation characters are allowed (- _ : / . + @ # $ % ^).
- Expressions containing spaces or special characters must be enclosed in double quotes, as in _sourceCategory="keywords with spaces or special characters".
- Keyword expressions are case-insensitive.
- Parentheses group search expressions and provide the structure necessary to perform complex queries. Parentheses are necessary only if both of the following conditions apply:
  - The query includes three or more search expressions.
  - The query uses both AND and OR operators to link search expressions.
- Precedence of Boolean operators is parentheses, NOT, AND, OR.
error OR fail
error AND fail*
(error OR fail) and debug
error* OR (fail and debug)
error NOT fail
(error OR fail) NOT debug
15:39 NOT 15:39:26
_sourceCategory="Sumo Logic Collector logs" AND critical
_sourceHost=ldapserver AND _sourceCategory="hr-dept" AND "failed login"
_sourceHost=Atlanta AND (_sourceCategory="win-app-logs" OR _sourceName="win-firewall-logs")
_sourceHost="10.1.12.22" AND _sourceCategory="my category" NOT _sourceCategory="some-other" AND _sourceName="/var/log/some.log"
Case-sensitive keyword search
Keyword search is case-insensitive. To match keywords case-sensitively, use the parse regex operator, which is case-sensitive.
For example, if you wanted to match all lowercase info, you could use this query:
info | parse regex "(?<dummy>info)"
The keyword search first finds every message containing info in any letter case; the parse regex stage then keeps only those where it is all lowercase. <dummy> is a user-added field whose only purpose is to give the regex a named capture; its value is not used anywhere else.
To convert a string to all lowercase or all uppercase letters, you can use the toUpperCase and toLowerCase operators.
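The following is an added example and not code from the page or from Sumo Logic: a small Python model of the keyword-expression rules above (implicit AND, explicit AND/OR/NOT and the ! prefix, the * wildcard, quoted phrases, metadata field tests, parentheses, and the precedence parentheses > NOT > AND > OR), evaluated against a handful of constructed log records, plus a parse_regex-style case-sensitive post-filter for the section just above. It assumes two simplifications: a keyword term is a case-insensitive substring match against the raw message (the real search tokenizes messages), and a metadata term must match the whole field value. The records, the TOKEN_RE grammar, and the function names are all assumptions made for the example.

```python
import re

# Constructed sample records (not from the page): Sumo-style metadata fields
# plus the raw message text that keyword terms are matched against.
LOGS = [
    {"_sourceHost": "ldapserver", "_sourceCategory": "hr-dept", "_sourceName": "/var/log/auth.log", "_raw": "Failed login for user alice"},
    {"_sourceHost": "Atlanta", "_sourceCategory": "win-app-logs", "_sourceName": "application", "_raw": "INFO service started"},
    {"_sourceHost": "Atlanta", "_sourceCategory": "win-sys", "_sourceName": "win-firewall-logs", "_raw": "error: disk failure at 15:39:26"},
    {"_sourceHost": "10.1.12.22", "_sourceCategory": "my category", "_sourceName": "/var/log/some.log", "_raw": "info debug trace at 15:39:02"},
    {"_sourceHost": "web01", "_sourceCategory": "nginx", "_sourceName": "access", "_raw": "fail2ban banned 10.0.0.5"},
]

# A token is a parenthesis or a term; a term may be _field=value, and a value
# may be quoted so that spaces and special characters stay in one term.
TOKEN_RE = re.compile(r'\(|\)|(?:_\w+=)?(?:"[^"]*"|[^\s()"]+)')


def term_matcher(token):
    """Predicate for one term: keyword, quoted phrase, or _field=value test,
    optionally negated with a leading '!' (the page's alternative to NOT)."""
    negate = token.startswith("!")
    token = token[1:] if negate else token
    field, value = "", token
    if token.startswith("_") and "=" in token:
        field, _, value = token.partition("=")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    # '*' is the only wildcard (zero or more characters); all else is literal.
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    if field:  # metadata: whole-value, case-insensitive comparison (assumption)
        pred = lambda m: re.fullmatch(pattern, m.get(field, ""), re.I) is not None
    else:      # keyword: case-insensitive substring match (a simplification)
        pred = lambda m: re.search(pattern, m["_raw"], re.I) is not None
    return (lambda m: not pred(m)) if negate else pred


class Parser:
    """Recursive descent following the precedence stated on the page:
    parentheses, then NOT, then (implicit or explicit) AND, then OR."""
    def __init__(self, query):
        self.tokens, self.pos = TOKEN_RE.findall(query), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def or_expr(self):  # and_expr (OR and_expr)*
        node = self.and_expr()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = (lambda l, r: lambda m: l(m) or r(m))(node, self.and_expr())
        return node

    def and_expr(self):  # not_expr (AND? not_expr)*  -- AND is implicit
        node = self.not_expr()
        while self.peek() not in (None, ")") and self.peek().upper() != "OR":
            if self.peek().upper() == "AND":
                self.take()
            node = (lambda l, r: lambda m: l(m) and r(m))(node, self.not_expr())
        return node

    def not_expr(self):  # NOT not_expr | atom
        if self.peek() is not None and self.peek().upper() == "NOT":
            self.take()
            inner = self.not_expr()
            return lambda m: not inner(m)
        return self.atom()

    def atom(self):  # "(" or_expr ")" | term
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return term_matcher(tok)


def search(query, logs=LOGS):
    """Return the raw text of every record the keyword expression matches."""
    parser = Parser(query)
    pred = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [m["_raw"] for m in logs if pred(m)]


def parse_regex(messages, pattern):
    """Case-sensitive post-filter standing in for '| parse regex "(?<dummy>...)"'.
    Python spells the named group (?P<dummy>...); its captured value is unused."""
    return [msg for msg in messages if re.search(pattern, msg)]
```

Running search('"disk failure" OR info NOT debug') shows the precedence rule in action: it is parsed as "disk failure" OR (info AND NOT debug), so a message containing info and debug is dropped while one containing "disk failure" is kept regardless of debug. search("15:39 NOT 15:39:26") keeps a message stamped 15:39:02 and drops one stamped 15:39:26, and parse_regex(search("info"), r"(?P<dummy>info)") reproduces the case-sensitive query from the section above, keeping only the lowercase hit.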