V1 - Search Query Functions

Search 'query' parameter

The "query" parameter consists of one or more search expressions and the boolean operators and, or and not:

Example:

  search {options} expression1 and expression2 not expression3 ... expressionN

Usage

The following expressions are supported:

sContent(field, value)

  search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")

sContains(field, value)

  search {from="-3d@d",to="@d"} sContains("@event_type","Sign")

sStartswith(field, value)

  search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")

sEndswith(field, value)

  search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")

sRange(field, from, to)

  search sRange("__size__","1","800")

sRegexp(field, field, value)

  search sRegexp("@fields.isprime","y.*")

sEntityinfo(field, entityname)

  search sEntityinfo("@fields.EventID","AD_EventID")

sIsnull(field): If all the elements of this field are null or empty, return "true".
sWildcard(field): only keep the non-empty elements of a field

All content search functions start with "s" has two modes: when used in a "search" pipe, the expected field name must be a field name in full path. Otherwise the field argument must be variable (see sContent for examples).

Examples

The follow are some commonly used queries:

Page last updated: 2022 Oct 18

V1 - Search Query Functions

Search 'query' parameter​

Usage​

Examples​

Search 'query' parameter

Usage

Examples