In This Article
- Log Search
- Using Search Assistant
Search functionality for Alert Logic® log management data types has been completely revised to provide a simpler log search experience. Log search was previously supported by OmniBox and now uses an SQL-type text string search with an advanced search assistant and projection editor. The new log search bar can be found within the Alert Logic console at Search > Log Search BETA.
Note: Improved log search is available for all customers alongside the existing OmniBox log search, which can be found at Search > Log Messages. OmniBox will be deprecated in the coming months.
New log search utilizes SQL-like text strings to create logical operator statements. If you are familiar with SQL, simply type your operators, AND statements, and OR statements into the WHERE field. To quickly clear your search, click CLEAR in the top left corner of the search bar.
Note: If you are not familiar with SQL, we recommend that you take advantage of the Search Assistant.
If your search contains invalid syntax, a warning icon will appear to the left of the search field. Mouse over the warning icon for details on where the invalid syntax is located. Additionally, if your search query contains invalid syntax, you will not be able to perform the search.
For more information on valid operators and log search syntax guidelines, see the Search: Log Messages documentation.
New log search provides several features to help you find and save log messages and their properties with ease.
You can choose the time frame that a query searches on by clicking the time frame down arrow in the top right corner of the search bar. You can choose from several pre-determined time frames or create your own with the calendar.
You can manage the fields that appear in your search results table by editing projections in the PROJECTIONS field. The default projections are a time stamp column followed by a log message column and ordered by descending time received. You can add any other available projections, which can be found in the Projections column of Search Assistant.
Example: To add a message type field in your search results, edit your projections statement to look like the following:
SELECT log:timestamp, log:message, [Message Type]
Projections can also be edited via Search Assistant if you are not familiar with SQL or need guidance.
When you perform a log search that you believe will come in handy in the future, you can save that exact search query for future use. Once you have performed the search, click SAVE in the top right of the search bar. Name your search and then schedule a time for your search to run if you like.
You can find all saved and scheduled searches under Search Assistant > Saved Searches or Recently Scheduled Searches. Here, you can run the searches again, review a scheduled search’s results, and export search results.
Note: Saved searches are shared by all users of a CID, so anyone under your organization can utilize those that you created.
You can complete string searches, which will find any log message with that text within it, by simply typing the string you want to search for. The Search Assistant will only offer a “LOG MESSAGE CONTAINS” option. Choose that option to add it to the search.
Without the use of Search Assistant, use the following text string to search for plain text:
log:message CONTAINS "[desired text]"
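The WHERE clause above, the projections statement (SELECT log:timestamp, log:message, [Message Type]) and the plain-text string search all share one small syntax, and the console reports where in the string an invalid token sits. The following Python validator is an added example written for this page; it is not Alert Logic's parser and only covers the constructs the page shows (namespaced fields such as log:message, bracketed display names such as [Message Type], the CONTAINS operator, AND/OR with parentheses, and a SELECT list). Treating keywords as case-insensitive and allowing backslash escapes inside quoted strings are assumptions made for the example.

```python
import re

# Tokens of the query subset shown on the page. This grammar is an assumption
# made for illustration; it is not Alert Logic's real query parser.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<string>"(?:[^"\\]|\\.)*")        # "quoted text" (backslash escapes assumed)
  | (?P<field>[A-Za-z_]\w*:[\w.]+)       # namespaced field such as log:message
  | (?P<bracket>\[[^\]]+\])              # display-name field such as [Message Type]
  | (?P<word>[A-Za-z_]\w*)               # keywords: SELECT, AND, OR, CONTAINS
  | (?P<lparen>\() | (?P<rparen>\)) | (?P<comma>,)
""", re.VERBOSE)


class QuerySyntaxError(ValueError):
    """Carries the character offset a UI warning icon would point at."""

    def __init__(self, position, message):
        super().__init__(f"{message} at offset {position}")
        self.position = position
        self.message = message


def tokenize(text):
    """Split the query into (kind, value, offset) tuples; junk raises with its offset."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:  # e.g. an unterminated quote or bracket
            raise QuerySyntaxError(pos, f"unexpected character {text[pos]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(), pos))
        pos = m.end()
    tokens.append(("eof", "", len(text)))
    return tokens


class _Parser:
    """Recursive-descent parser: expr := term (OR term)*, term := factor (AND factor)*."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i]

    def is_word(self, keyword):
        kind, val, _ = self.peek()
        return kind == "word" and val.upper() == keyword  # keywords assumed case-insensitive

    def expect(self, kind, value=None, what=None):
        kind_, val, pos = self.peek()
        if kind_ != kind or (value is not None and val.upper() != value):
            raise QuerySyntaxError(pos, f"expected {what or value or kind}, found {val or 'end of input'}")
        self.i += 1
        return val

    def field(self):
        kind, val, pos = self.peek()
        if kind not in ("field", "bracket"):
            raise QuerySyntaxError(pos, f"expected a field name, found {val or 'end of input'}")
        self.i += 1
        return val

    def expr(self, conditions):
        self.term(conditions)
        while self.is_word("OR"):
            self.i += 1
            self.term(conditions)

    def term(self, conditions):
        self.factor(conditions)
        while self.is_word("AND"):  # AND binds tighter than OR, as in SQL
            self.i += 1
            self.factor(conditions)

    def factor(self, conditions):
        if self.peek()[0] == "lparen":
            self.i += 1
            self.expr(conditions)
            self.expect("rparen", what="')'")
        else:
            name = self.field()
            self.expect("word", "CONTAINS")
            text = self.expect("string", what="a quoted string")
            conditions.append((name, text[1:-1]))  # strip the surrounding quotes


def parse_where(where):
    """Return the (field, text) conditions of a WHERE clause, or raise QuerySyntaxError."""
    p, conditions = _Parser(where), []
    p.expr(conditions)
    p.expect("eof", what="end of input")
    return conditions


def parse_projections(select):
    """Return the field list of a PROJECTIONS clause: SELECT field (, field)*."""
    p = _Parser(select)
    p.expect("word", "SELECT")
    fields = [p.field()]
    while p.peek()[0] == "comma":
        p.i += 1
        fields.append(p.field())
    p.expect("eof", what="end of input")
    return fields


def _issue(parse, text):
    """None when the text is valid, otherwise (offset, message) for the first error."""
    try:
        parse(text)
    except QuerySyntaxError as e:
        return e.position, e.message
    return None


def check_where(where):
    return _issue(parse_where, where)


def check_projections(select):
    return _issue(parse_projections, select)


if __name__ == "__main__":
    # Constructed sample queries, including one with an unterminated quote.
    for q in ('log:message CONTAINS "failed password" AND [Message Type] CONTAINS "auth"',
              'log:message CONTAINS "failed password'):
        issue = check_where(q)
        print("OK " if issue is None else f"ERR @{issue[0]}: {issue[1]} ::", q)
    print(parse_projections("SELECT log:timestamp, log:message, [Message Type]"))
```

Because the tokenizer reports the offset of the first character it cannot classify, an unterminated quote or bracket is flagged exactly where it starts, which is the kind of location hint the console's warning icon provides.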
New log message search provides several features to help you manage the log results that a search has returned.
Once your search results have loaded, the default view is of 50 log messages per page. You can change this to show 10 or 100 messages by clicking the results per page drop-down in the top left of the results table.
Preview a log message’s details by clicking on the message. Additional details will appear, including the full log message, log source properties, and, if the message has been parsed, tokens associated with the message. From the preview, you can export the information to a downloadable CSV file or bookmark it for easy reference later.
Hover over a field in the message and the associated token in the token train below will be highlighted. This allows you to associate a token with a piece of the log message. Selecting a token from the token train both highlights its counterpart in the log message and adds the token to your search.
Open the full details of a log message by clicking Open from the preview. This opens the log message’s full details in a new tab and on a new page. This new page has a unique URL, which allows you to easily share with other users and to maintain your current search query.
You can export results of a search by selecting the check boxes to the left of the log messages you would like exported and then clicking the export icon in the bottom right corner of the screen. The chosen results will be converted to CSV for you to download and manage easily outside of the Alert Logic console.
Note: In order to export all results from a search, you must first save the search with a name and schedule. More information on saving and scheduling a search is available in the Create & Schedule a Saved Log Search knowledge base article.
If you believe that a log message needs to be escalated and remediated, you can create an incident straight from the search results or from a log message's full detail page. From the search results list, open the log message's preview, then click the Create Incident icon in the bottom right corner of the preview. Alternately, from the full details page, click the Create Incident icon in the top right corner. A side panel will appear, within which you can add summary, description, classification, and time frame details for the incident. This will create an incident for the log message, which will then appear in your Open incident list in the Incident Console.
Note: You can create incidents in bulk by selecting the check boxes for several log messages and then selecting the Create Incident icon in the blue box that appears in the bottom left corner of the screen.
You can bookmark any search results of interest to you so that you can easily find them later. You can do so either by clicking on the message to open the preview and clicking the bookmark icon, or by bulk selecting several messages and clicking the bookmark icon in the bottom right corner of the screen.
Further, you can filter out all log message results that are not bookmarked to see a full list of bookmarked results by clicking the bookmark filter icon in the top left corner of the search results.
Note: When a message is bookmarked, you will see the bookmark icon to its left in the search results.
You can take bulk actions on search results in two ways. You can select the check boxes to the left of only the log messages on which you would like to take action or you can check the bulk actions box in the top left corner of the search results and choose all results. Once you have bulk selected results, you can export, bookmark, or create incidents by selecting the appropriate icon in the blue box in the bottom left corner of the screen.
Note: If your total search results show as an approximate number, selecting the bulk actions check box will not choose all results, as all results are not available. In order to surface the exact number of results, and thus take bulk actions on the exact number of results, you must find the search within Search Assistant's Recent Searches column and re-run it.
If you are not comfortable with SQL, it is highly recommended that you utilize Search Assistant. Search Assistant is a very useful tool that allows you to put together valid searches with the click of your mouse. Search Assistant is open by default, but if you would like to close it, click the X in the top left corner.
You will see a scrolling column of valid suggestions and properties that you can choose from to search on. Select the expand icon (>) of the appropriate Namespace and Operators to move further into available options, and then select the plus sign icon to the right of a Suggestion option to add it to your search. As you choose from the first column, suggestions will change and additional columns will appear.
With Search Assistant, you have the option to type directly into the search field or to click your operators in the Search Assistant drop-down menu. When you choose an operator, it will be added to the end of the string unless you have moved your cursor elsewhere in the string.
Keyboard suggestions will appear as you begin typing or choosing operators; you can either click a suggestion to add it to the search or type it in yourself.
Search Assistant houses all your saved, scheduled, and recently run searches under the Saved Searches, Recently Scheduled Searches, and Recent Searches columns.
Click on a Saved or Recent search to have it automatically populated into your search fields, where you can edit it if necessary, before running the search again. Hover over it to see a more detailed description before committing it to your search fields.
Note: A scheduled icon to the right of a saved search indicates that the saved search is scheduled to run at some point in the future.
View or export results of a completed search by clicking on the search and choosing either View Results or Export Results.
Further information on using Saved and Scheduled searches is available in the following knowledge base articles: