The Search Field

You can enter queries in either of the supported languages (SQL or EQL) to retrieve data from data models, using filters of any kind such as LIKE, regular expressions, comparison operators, math, functions, and so on. A query can consist of a single term or multiple terms.

Enter USE to start an EQL statement and enter SELECT to start an SQL statement. You can search data based on Bloks. For details on how to add a new Blok or use the existing Bloks, see Bloks.

For example, enter the following query in the Search field to retrieve events from the system data model within the last hour:

use system | sys_eventTime in -1h:NOW

The system data model refers to all the data in the system.

Note: Copying a query from a Rich Text Format (RTF) application (such as Microsoft Word) into LogLogic LMI might interfere with query processing. For example, when you copy the query, extraneous characters might be added, or straight quotation marks (") might be replaced with curly quotation marks (”), which are not valid in a query string. Therefore, when copying from a rich-text source, review the search query syntax and correct any errors before proceeding.
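The following is an added example, not part of the LogLogic LMI documentation, showing one way to catch the problem the note describes before a pasted query is submitted: it lists every non-ASCII character in the string and replaces the typographic substitutes that word processors commonly insert (curly quotes, non-breaking spaces, dashes, zero-width characters). The substitution table and the sample query (including the `sys_host` field) are constructed for the example and are assumptions, not part of the product's query syntax.

```python
"""Detect and normalize rich-text artifacts in a query string.

Added example; not from the LogLogic LMI documentation. The character table
below is an assumption about what a word processor typically substitutes.
"""
import unicodedata

# Typographic characters a word processor may substitute, mapped to the ASCII
# character a query parser expects. Assumption: the parser wants straight quotes.
SUBSTITUTIONS = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u201e": '"',  # double low-9 quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
    "\u00a0": " ",  # no-break space
    "\u2013": "-",  # en dash
    "\u2014": "-",  # em dash
}

# Invisible characters that should be dropped entirely (zero-width chars, BOM).
REMOVALS = {"\u200b", "\u200c", "\u200d", "\ufeff"}


def find_suspect_characters(query):
    """Return (index, char, unicode_name) for every non-ASCII character in query."""
    return [
        (i, c, unicodedata.name(c, "UNKNOWN"))
        for i, c in enumerate(query)
        if ord(c) > 0x7F
    ]


def normalize_query(query):
    """Return (cleaned_query, changes).

    changes is a list of (index, original_char, replacement) for every edit made;
    a replacement of "" means the character was removed. Characters outside the
    tables are left untouched so the caller can review them via
    find_suspect_characters().
    """
    out = []
    changes = []
    for i, c in enumerate(query):
        if c in REMOVALS:
            changes.append((i, c, ""))
            continue
        repl = SUBSTITUTIONS.get(c)
        if repl is not None:
            changes.append((i, c, repl))
            out.append(repl)
        else:
            out.append(c)
    return "".join(out), changes


def has_balanced_quotes(query):
    """Cheap sanity check: straight double and single quotes must each pair up."""
    return query.count('"') % 2 == 0 and query.count("'") % 2 == 0


if __name__ == "__main__":
    # Constructed sample: an EQL query as it might arrive after a paste from Word.
    pasted = 'use system | sys_eventTime in -1h:NOW | sys_host = \u201cweb01\u201d\u200b'
    for idx, ch, name in find_suspect_characters(pasted):
        print(f"suspect char at {idx}: U+{ord(ch):04X} {name}")
    cleaned, edits = normalize_query(pasted)
    print("cleaned:", cleaned)
    print("edits:", edits)
    print("balanced quotes:", has_balanced_quotes(cleaned))
```

Run the check on the pasted text first and only submit the cleaned string once `find_suspect_characters` returns nothing unexpected; anything it reports that is not in the table (for example a character that is legitimately part of a regular expression) should be reviewed by hand rather than blindly replaced.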

To view system notifications, if any, click the icon in the upper-right corner of the page.

To close all search tabs at once, click the Close icon (X).

To view search results, click .

Additional assistance

You can use the following components to help you form a query quickly:

Log source picker
Instead of using data model names in the Advanced Search query, you can search by specific log sources. Click Select Log Sources, and then select multiple log sources from the log source picker. A query is automatically generated and displayed in the search field. For more information, see Log Source Picker.
Content Assist
You can use suggestions from a content assistant to help you create the search query. As you start typing, the Content Assist feature shows contextual matches and completions for each keyword into the Search field. For more information, see Content Assist.