Searching datasets
Searching a dataset is easy.
Use the from command to read data located in any kind of dataset, such as a timestamped index, a view, or a lookup. The only required syntax is:
from <dataset-name>
This simple search returns all of the data in the dataset. That might be a lot of data. You should try to narrow down the results returned from the dataset by adding filters to your search. You can use filters to specify what you are looking for or what you want to exclude from your data.
To show you how this works, let's start with an event index called main, which is your dataset. The main index contains events with HTTP status codes. You want to find all of the events with a status code of 200.
You can search the main index using a simple search like this:
from main where status=200
This search returns events that have the value 200 in the status field.
Specifying field-value pairs in the where clause is one way to filter data. Identifying a time range that you want to search is another way to filter your search results.
Specifying field-value pairs
When you specify a field-value pair, if the value is a <string> it must be enclosed in double quotation marks. For example, the following search looks for the value webserver1 in the host field, so the value is enclosed in double quotation marks.
from main where host="webserver1"
Likewise, values that contain digits mixed with other characters are interpreted as strings and must also be enclosed in double quotation marks. This includes things like IP addresses and phone numbers. For example:
from main where client_ip="192.0.2.0"
Field names that contain characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. For example, the field in this search contains a dash ( - ) and must be in single quotation marks:
from main where 'client-ip'="203.0.113.0"
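The two searches below are added here as an example and are not part of the original page. They combine the quoting rules above in a single where clause: numeric values are unquoted, string values (including IP addresses) are double-quoted, and a field name containing a dash is single-quoted. The AND, NOT, >= and != operators are standard SPL2 boolean and comparison operators that this page does not cover; the hosts and addresses are constructed sample values.

```spl2
// Server-side errors (status 500 and above) from one web server,
// excluding events from one client address.
// status is numeric, so it is unquoted; host is a string, so it is
// double-quoted; 'client-ip' contains a dash, so the field name is
// single-quoted while its string value stays double-quoted.
from main where status>=500 AND host="webserver1" AND NOT 'client-ip'="203.0.113.0"

// Every request from a specific client that did not succeed.
// The IP address looks numeric but contains dots, so it is a string
// and must be double-quoted; the status comparison stays unquoted.
from main where client_ip="192.0.2.0" AND status!=200
```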
This documentation applies to the following versions of Splunk® Cloud Services: current