Boolean and grouping operators

There are a few operators that you can use to refine your searches (note that these operators must be in uppercase to not be considered search terms):

• AND is implied between terms. For instance, error mary (two words separated by a space) is the same as error AND mary.
• OR allows you to specify multiple values. For instance, error OR mary means find any event that contains either word.
• NOT applies to the next term or group. For example, error NOT mary would find events that contain error but do not contain mary.
• The quote marks ("") identify a phrase. For example, "Out of this world" will find this exact sequence of words. Out of this world would find any event that contains all of these words, but not necessarily in that order.
• Parentheses ( ( ) ) is used for grouping terms. Parentheses can help avoid confusion in logic. For instance, these two statements are equivalent:
  • bob error OR warn NOT debug
  • bob AND (error OR warn)) AND NOT debug
• The equal sign (=) is reserved for specifying fields. Searching for an equal sign can be accomplished by wrapping it in quotes. You can also escape characters to search for them. \= is the same as "=".
• Brackets ( [ ] ) are used to perform a subsearch. We will discuss this in Chapter 6, Advanced Search Examples.

You can use these operators in fairly complicated ways if you want to be very specific, or even to find multiple sets of events in a single query. The following are a few examples:

• error mary NOT jacky
• error NOT (mary warn) NOT (jacky error)
• index=myapplicationindex ( sourcetype=sourcetype1 AND ( (bob NOT error) OR (mary AND warn) ) ) OR ( sourcetype=sourcetype2 (jacky info) )

This can also be written with some whitespace for clarity:

index=myapplicationindex
(
sourcetype=security
AND
(
(bob NOT error)
OR
(mary AND warn)
)
)
OR
(
sourcetype=application
(jacky info)
)