Search Expression Rules

Various rules apply when you enter a search expression.

  • Use Boolean operators, such as AND, OR, or NOT, in your search expression (but do not begin the expression with a leading NOT)
  • Use wildcard characters, such as an asterisk (*) or question mark (?), to match strings (but do not begin the expression with a wildcard)
  • Do not use < or > as these are not valid characters
  • Use parentheses to force an order of operations when the index search evaluates the search expression
  • Enter up to 4096 characters for your search expression
  • When using Index Search and Tag Based search, the system does not support the use of search patterns shorter than 3 characters

Index Searches are case insensitive, so you do not have to use all uppercase letters when using Boolean operators, although it helps readability.

Some simple Index Search examples are listed in the following table.

Index Search Examples

| Index Search Example | Rule |
|---|---|
| tcp | Use search expressions containing at least three characters. |
| authenticate AND failed | Use Boolean operators, such as AND, OR, or NOT. |
| Tcp NOT Udp | |
| admin* | Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings. See the note below the table. |
| 10.* | |
| (tcp and udp) and service | Use a delimiter such as parentheses to specify what gets evaluated first. In this example, tcp and udp are evaluated before the service keyword. |

Note: Wildcard character Index Search on IPv6 addresses works only if the asterisk or question mark is at the end of the address. The following examples demonstrate that the wildcards do not work if they are used anywhere else in the address:

2001:db8::ff00:42:83??

2001:db8::ff00:*:8329

2001:db8::ff0?:42:8329

2001:db8::ff0*:42:8329

2001:db8::????:42:8329
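
A pre-flight check for the rules above, written as an added example; it is not part of the product or its documentation. The function name, splitting terms on whitespace and parentheses, applying the 3-character minimum to each term, and treating a term with two or more colons as an IPv6 address are assumptions.

```python
import re

MAX_LEN = 4096                    # page: up to 4096 characters
MIN_PATTERN_LEN = 3               # page: no patterns shorter than 3 characters
OPERATORS = {"AND", "OR", "NOT"}  # matched case-insensitively, as the page states


def lint_search_expression(expr):
    """Return a list of rule violations; an empty list means none were found."""
    problems = []
    if len(expr) > MAX_LEN:
        problems.append(f"too-long: {len(expr)} characters")
    if "<" in expr or ">" in expr:
        problems.append("invalid-character: < or >")

    # Assumption: terms are separated by whitespace and parentheses.
    tokens = re.findall(r"[^\s()]+", expr)
    if not tokens:
        return problems + ["empty: no search terms"]
    if tokens[0].upper() == "NOT":
        problems.append("leading-not")
    if tokens[0][0] in "*?":
        problems.append("leading-wildcard")

    for tok in tokens:
        if tok.upper() in OPERATORS:
            continue
        # Assumption: the 3-character minimum applies to each term.
        if len(tok) < MIN_PATTERN_LEN:
            problems.append(f"short-pattern: {tok!r}")
        # Assumption: two or more colons mark a term as an IPv6 address.
        # Wildcards left after stripping trailing ones are not at the end.
        if tok.count(":") >= 2 and re.search(r"[*?]", tok.rstrip("*?")):
            problems.append(f"ipv6-wildcard-not-trailing: {tok!r}")
    return problems


if __name__ == "__main__":
    # Expressions from the table plus constructed failing cases.
    samples = ["authenticate AND failed", "(tcp and udp) and service", "10.*",
               "NOT tcp", "*admin", "ab", "2001:db8::ff00:*:8329"]
    for s in samples:
        print(f"{s!r}: {lint_search_expression(s) or 'ok'}")
```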