Keyword Search Expressions

Boolean logic and wildcards enable you to search for multiple terms, express logic about term distribution within messages, and specify partial terms with wildcards. The keyword expression also encompasses search metadata for fields such as _collector, _sourceCategory, _sourceName, and _sourceHost.

Click any term from the messages listed in the Message tab to add it to the keyword search expression (AND term). Alt-click any term to remove the term from results (NOT term or !term). Run the query again to match the new keyword expression.

Syntax

  • keyword keyword OR keyword NOT keyword
  • *key*
  • AND is implicit
  • _sourceCategory="words with spaces or special characters"
  • _sourceHost=*keyword*

Rules

  • AND is implicit.
  • Supports Boolean operators AND, OR, NOT.
  • Precedence of Boolean operators is Parentheses, NOT, AND, OR.
  • Supports * for zero or more characters.
  • Supports Sumo Logic metadata fields created during configuration of Collectors and Sources, like _sourceHost, _sourceCategory, and _sourceName.
  • Punctuation characters are allowed (- _ : / . + @ # $ % ^).
  • Keyword phrases, such as terms containing spaces or special characters, must be enclosed in quotes (" ").
  • Keyword searches are case-insensitive.

Examples

  • *
  • error OR fail
  • error AND fail*
  • (error OR fail) and debug
  • error* OR (fail and debug)
  • error NOT fail
  • (error OR fail) NOT debug
  • 15:39 NOT 15:39:26
  • _sourceCategory="Sumo Logic Collector logs" AND critical
  • _sourceHost=ldapserver AND _sourceCategory="hr-dept" AND "failed login"
  • _sourceHost=Atlanta AND (_sourceCategory="win-app-logs" OR _sourceName="win-firewall-logs")
  • _sourceHost="10.1.12.22" AND _sourceCategory="my category" NOT _sourceCategory="some-other" AND _sourceName="/var/log/some.log"
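
To see how the rules above combine (implicit AND, the precedence parentheses, NOT, AND, OR, the * wildcard, case-insensitivity and metadata terms), here is a small evaluator added as an example; it is a simplified model of the rules on this page, not Sumo Logic's own code. The names `matches` and `search` and the sample events are constructed, and it assumes a bare keyword is compared with whitespace-delimited words while a quoted phrase matches as a substring.

```python
import re

TOKEN = re.compile(r'[()!]|(?:\w+=)?"[^"]*"|[^\s()!]+')

def wild(pattern, text):  # case-insensitive full match; * is zero or more characters
    rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(rx, text.lower()) is not None

def term_matches(term, message, meta):
    field, sep, value = term.partition("=")
    if sep and field.startswith("_"):  # metadata term such as _sourceHost=...
        return wild(value.strip('"'), meta.get(field, ""))
    if term.startswith('"'):  # quoted phrase: substring match (assumption)
        return term.strip('"').lower() in message.lower()
    # assumption: a bare keyword is compared with whitespace-delimited words
    return any(wild(term, w.strip('.,;:"')) for w in message.split())

def matches(expr, message, meta=None):
    toks, meta = TOKEN.findall(expr), meta or {}
    peek = lambda: toks[0].upper() if toks else None  # "and" is read as "AND"
    def or_expr():  # OR binds loosest
        val = and_expr()
        while peek() == "OR":
            toks.pop(0)
            val = and_expr() or val  # right side is always parsed first
        return val
    def and_expr():
        val = not_expr()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND":  # explicit AND is optional
                toks.pop(0)
            val = not_expr() and val
        return val
    def not_expr():  # NOT, !, parentheses and plain terms bind tightest
        tok = toks.pop(0)
        if tok.upper() in ("NOT", "!"):
            return not not_expr()
        if tok == "(":
            val = or_expr()
            toks.pop(0)  # closing ")"
            return val
        return term_matches(tok, message, meta)
    return or_expr()

# Constructed sample events: (metadata, message)
SAMPLE = [
    ({"_sourceHost": "ldapserver", "_sourceCategory": "hr-dept"}, "Failed login for user alice"),
    ({"_sourceHost": "web01", "_sourceCategory": "app"}, "DEBUG retry failed: timeout error"),
    ({"_sourceHost": "web01", "_sourceCategory": "app"}, "failure writing audit record"),
]
def search(expr):
    return [msg for meta, msg in SAMPLE if matches(expr, msg, meta)]
```

In this model, `search("error OR fail* debug")` returns only the DEBUG line because AND binds tighter than OR, while `search("(error OR fail*) NOT debug")` returns the other two events.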
