
V1 - Search - Log Events / Metaflow

In FPL, data selection is done with the search command for normal log data (events and metaflow) and with the load command for the special 'resources' data. Data selection is applied before all other FPL commands.

This section (Data Load) covers the search command. See the "Resources" section for how to use the load command.

The 'search' command

The search command uses the following syntax:

  search {options} query

Search 'options'

The available 'options' are the data 'type' and the time-selection parameters ('from' and 'to'):

search {type="", from="", to=""} query

Possible values for type are 'event' and 'metaflow'. Note: if the 'type' option is not specified, the default is 'event'.

Search 'time' parameter

To search within a specific time window, use the following syntax:

  search {from="", to=""} 

relative time: an optional offset, an alignment operator (< for the last boundary, > for the next boundary, @ as a synonym for <), a unit (s | m | h | d | w | mon), and an optional further offset (+|-)

  • <d+1h: align to the last day boundary, then add one hour
  • >d+1h: align to the next day boundary, then add one hour
  • -5d<d or -5d@d: five days ago, then align to the beginning of that day

absolute time

  • RFC3339: "2006-01-02T15:04:05Z" OR "2006-01-02T15:04:05+04:00"
  • Local time: "2006-01-02T15:04:05" OR "20220102" OR "20220102_102030"

Note: if no timezone is specified, the system timezone (per site configuration) is assumed.

Example (the past three days: from the start of the day three days ago to the start of the current day):

  search {from="-3d@d",to="@d"}

Visit the Time Selection page for details.
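The resolver below is an added illustration, not FPL's own code: it turns the relative and absolute forms above into timestamps so that the alignment rules can be checked against a fixed clock. Its assumptions are that weeks start on Monday, that '>' means the last boundary plus one unit, that month offsets clamp the day of month, and that the tz argument stands in for the site-configured timezone; the names resolve, window and NOW belong to the example.

```python
"""Resolver for the relative and absolute time specs accepted by search {from=, to=}.

Added illustration, not FPL's own implementation. Assumptions: weeks start on Monday, '>' is the
last boundary plus one unit, month offsets clamp the day (Mar 31 - 1mon = Feb 28), and tz stands
in for the site-configured system timezone.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

_OFFSET = r"[+-]\d+(?:mon|[smhdw])"          # one offset such as -5d, +1h, -1mon ("mon" before "m")
_REL = re.compile(
    rf"^(?P<lead>(?:{_OFFSET})*)(?:(?P<op>[<>@])(?P<unit>mon|[smhdw]))?(?P<trail>(?:{_OFFSET})*)$"
)
_ABS_LOCAL = ("%Y-%m-%dT%H:%M:%S", "%Y%m%d_%H%M%S", "%Y%m%d")   # the page's local-time forms
_DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

NOW = datetime(2022, 1, 2, 10, 20, 30, tzinfo=timezone.utc)   # constructed "now" for the demo


def _shift(t: datetime, n: int, unit: str) -> datetime:
    """Move t by n units; months are calendar months with the day clamped."""
    if unit != "mon":
        return t + timedelta(**{_DELTA[unit]: n})
    year, month0 = divmod(t.year * 12 + (t.month - 1) + n, 12)
    month = month0 + 1
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))


def _floor(t: datetime, unit: str) -> datetime:
    """Align t down to the most recent boundary of unit."""
    t = t.replace(microsecond=0)
    if unit == "s":
        return t
    t = t.replace(second=0)
    if unit == "m":
        return t
    t = t.replace(minute=0)
    if unit == "h":
        return t
    t = t.replace(hour=0)
    if unit == "d":
        return t
    if unit == "w":
        return t - timedelta(days=t.weekday())   # Monday-based weeks (assumption)
    return t.replace(day=1)                      # "mon"


def _offsets(text: str):
    for num, unit in re.findall(r"([+-]\d+)(mon|[smhdw])", text):
        yield int(num), unit


def resolve(spec: str, now: datetime, tz=timezone.utc) -> datetime:
    """Turn one from=/to= value into an aware datetime.

    Absolute forms are tried first: RFC3339 (Z or +HH:MM suffix), then the local-time forms,
    which get tz attached. Anything else must match [offsets](<|>|@)unit[offsets].
    """
    s = spec.strip()
    if "T" in s and len(s) > 6 and (s.endswith("Z") or s[-6] in "+-"):
        return datetime.fromisoformat(s[:-1] + "+00:00" if s.endswith("Z") else s)
    for fmt in _ABS_LOCAL:
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=tz)
        except ValueError:
            pass
    m = _REL.match(s)
    if not s or m is None:
        raise ValueError(f"unrecognised time spec: {spec!r}")
    t = now.astimezone(tz)
    for n, unit in _offsets(m["lead"]):          # e.g. the -5d in -5d@d
        t = _shift(t, n, unit)
    if m["op"]:
        t = _floor(t, m["unit"])                 # < and @ both mean the last boundary
        if m["op"] == ">":
            t = _shift(t, 1, m["unit"])          # next boundary: last boundary plus one unit (assumption)
    for n, unit in _offsets(m["trail"]):         # e.g. the +1h in <d+1h
        t = _shift(t, n, unit)
    return t


def window(from_spec: str, to_spec: str, now: datetime, tz=timezone.utc):
    """Resolve a search {from=, to=} pair and reject an empty or inverted window."""
    start, end = resolve(from_spec, now, tz), resolve(to_spec, now, tz)
    if start >= end:
        raise ValueError(f"empty window: from {start.isoformat()} is not before to {end.isoformat()}")
    return start, end


if __name__ == "__main__":
    for spec in ("<d+1h", ">d+1h", "-5d@d", "-1mon@mon", "2006-01-02T15:04:05+04:00"):
        print(f"{spec:>28} -> {resolve(spec, NOW).isoformat()}")
    print("search {from=-3d@d, to=@d} ->", [t.isoformat() for t in window("-3d@d", "@d", NOW)])
```

Running it with the constructed clock shows that the page's example window, from="-3d@d" to="@d", covers three whole calendar days and stops at the start of the current day, so events from today are not included; a window whose 'from' is not before its 'to' is rejected rather than silently returning nothing.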

Search 'query' parameter

The "query" parameter consists of one or more search expressions, combined with the boolean operators and, or and not:

Example:

  search {options} expression1 and expression2 not expression3 ... expressionN

The following expressions are supported:

  • sContent(field, value)
  search {from="-3d@d",to="@d"} sContent("@event_type","@azureSignIn")
  • sContains(field, value)
  search {from="-3d@d",to="@d"} sContains("@event_type","Sign")
  • sStartswith(field, value)
  search {from="-3d@d",to="@d"} sStartswith("@event_type","@azure")
  • sEndswith(field, value)
  search {from="-3d@d",to="@d"} sEndswith("@event_type","SignIn")
  • sRange(field, from, to)
  search sRange("__size__","1","800")
  • sRegexp(field, regexp)
  search sRegexp("@fields.isprime","y.*")
  • sEntityinfo(field, entityname)
  search sEntityinfo("@fields.EventID","AD_EventID")
  • sIsnull(field): returns "true" if every element of the field is null or empty.
  • sWildcard(field): keeps only the non-empty elements of the field.

Visit the Query Functions section for details.
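To make the semantics of these expressions concrete, here is an added Python evaluator (not FPL's implementation) that applies each function to a few constructed events, including a multi-valued field and an empty one, and combines them with and, not and or. Dotted field paths, string comparison, sContent as an exact match, an unanchored sRegexp, a numeric sRange and "missing field counts as null" are all assumptions of the example; sEntityinfo is left out because it needs an entity table the page does not describe.

```python
"""Evaluator for the search-expression functions listed on this page, run over constructed events.

Added illustration, not FPL's own implementation. Assumptions: field names are dotted paths into
nested records, a list-valued field matches when any element matches, values are compared as
strings, sContent is an exact match, sRegexp is an unanchored search, sRange compares numerically,
and a missing field counts as null. sEntityinfo is omitted because it needs an entity table.
"""
import re


def _values(event: dict, field: str) -> list:
    """Look up a dotted field; always return a list so single- and multi-valued fields look alike."""
    cur = event
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return cur if isinstance(cur, list) else [cur]


def _any_value(field, test):
    """Predicate factory: true when some non-null element of field passes test (as a string)."""
    return lambda ev: any(v is not None and test(str(v)) for v in _values(ev, field))


def sContent(field, value):
    return _any_value(field, lambda v: v == value)

def sContains(field, value):
    return _any_value(field, lambda v: value in v)

def sStartswith(field, value):
    return _any_value(field, lambda v: v.startswith(value))

def sEndswith(field, value):
    return _any_value(field, lambda v: v.endswith(value))

def sRegexp(field, pattern):
    rx = re.compile(pattern)
    return _any_value(field, lambda v: rx.search(v) is not None)

def sRange(field, lo, hi):
    lo, hi = float(lo), float(hi)
    def in_range(v):
        try:
            return lo <= float(v) <= hi
        except ValueError:          # a non-numeric value never falls inside a numeric range
            return False
    return _any_value(field, in_range)

def sIsnull(field):
    return lambda ev: all(v is None or v == "" for v in _values(ev, field))

def sWildcard(field):
    return lambda ev: any(v not in (None, "") for v in _values(ev, field))

def Not(pred):
    return lambda ev: not pred(ev)

def Or(*preds):
    return lambda ev: any(p(ev) for p in preds)


def search(events, *preds):
    """Keep the events for which every predicate holds (the implicit 'and' between expressions)."""
    return [ev for ev in events if all(p(ev) for p in preds)]


def event_types(events):
    return [ev["@event_type"] for ev in events]


# Constructed sample events (not real data), shaped after the field names used on this page.
EVENTS = [
    {"@event_type": "@azureSignIn",   "@fields": {"isprime": "yes",      "EventID": 4624},         "__size__": 512},
    {"@event_type": "@azureAudit",    "@fields": {"isprime": "",         "EventID": None},         "__size__": 900},
    {"@event_type": "@windowsSignIn", "@fields": {"isprime": ["n", "y"], "EventID": [4624, 4625]}, "__size__": 64},
]

if __name__ == "__main__":
    print(event_types(search(EVENTS, sContent("@event_type", "@azureSignIn"))))
    print(event_types(search(EVENTS, sContains("@event_type", "Sign"))))       # broader: also @windowsSignIn
    print(event_types(search(EVENTS, sRange("__size__", "1", "800"))))
    print(event_types(search(EVENTS, sContains("@event_type", "Sign"),
                             Not(sStartswith("@event_type", "@azure")))))
```

The run makes the practical difference between the functions visible: sContains("@event_type","Sign") also matches @windowsSignIn, so when the exact value is known, sContent keeps a detection from being broader than intended, and sIsnull/sWildcard behave differently from a match on "" once a field carries more than one value.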

Page last updated: 2023 Apr 13