Boolean logic and wildcards enable you to search for multiple terms, express logic about term distribution within messages, and specify partial terms with wildcards. The keyword expression can include built-in metadata fields such as _collector, _sourceCategory, _sourceName, and _sourceHost.
Click any term from the messages listed in the Message tab to add it to the keyword search expression (AND term). Alt-click any term to remove the term from results (NOT term or !term). Run the query again to match the new keyword expression.
keyword keyword OR keyword NOT keyword
_sourceCategory="keywords with spaces or special characters"
- AND is implicit.
- Supports boolean operators
- A wildcard
*can represent zero or more of any characters.
- Supports built-in metadata fields created during configuration of Collectors and Sources, like _sourceHost, _sourceCategory, and _sourceName.
- Supports custom log metadata fields.
- Punctuation characters are allowed (
- _ : / . + @ # $ % ^).
- Expressions containing spaces or special characters must be enclosed in quotes (
- Keyword expressions are case-insensitive.
- Parentheses group search expressions and provide the structure necessary to perform complex queries. Parentheses are necessary only if both of the following conditions apply:
- The query includes three or more search expressions.
- The query uses both
ORoperators to link search expressions.
- Precedence of boolean operators is
OR. Parentheses will override the precedence.
- Characters quoted with double quotes (not single quotes) are string literals. Use a backslash to escape double quotes in the string. Examples:
"They said, \"No later than 10\""
error OR fail error AND fail*
(error OR fail) and debug error* OR (fail and debug) error NOT fail
(error OR fail) NOT debug
15:39 NOT 15:39:26
_sourceCategory="Sumo Logic Collector logs" AND critical
_sourceHost=ldapserver AND _sourceCategory="hr-dept" AND "failed login"
_sourceHost=Atlanta AND (_sourceCategory="win-app-logs" OR _sourceName="win-firewall-logs")
_sourceHost="10.1.12.22" AND_sourceCategory="my category" NOT _sourceCategory="some-other" AND _sourceName="/var/log/some.log"
Case sensitive keyword search
By default, keyword expressions are case-insensitive. To search for case sensitive keywords use the parse regex operator. You should still specify the keyword in the scope of the query, before the first pipe "|", to keep the search efficient.
For example, if you wanted to search for the keyword "info" in lowercase, you could use this query:
| parse regex "(?<dummy>info)"
<dummy> is a user added field that is not used for anything other than to enforce that "info" is in lowercase.
Another example, if you wanted to search for the keyword "INFO" in uppercase, you could use this query:
| parse regex "(?<dummy>INFO)"
<dummy> is a user added field that is not used for anything other than to enforce that "INFO" is in uppercase.
To convert a string to all lowercase or all uppercase letters, you can use the toUpperCase and toLowerCase operators.