Basic concepts for creating message queries.

You can enter message queries by using the search bar, or by entering filters.

Use the search bar to refine the results for events in a VMware Aria Operations for Logs instance. While you can use a filter instead of the search bar, it is often easier to understand a query that leverages the search bar over an equivalent filter. The best practice is to use the search bar instead of an equivalent filter when possible.

A filter allows you to create queries by using a regular expression, a field, a logical OR operation, or a combination of search bar and filter queries.

When you create queries by using the search bar and filters, the following best practices apply:

  • Ensure queries are not environment specific. Public content packs need to be generic to any environment and therefore must not rely on environment-specific information. Examples of environment-specific information include source, hostname, and potentially facility if the facility uses local*.
  • When constructing a query, use keywords when possible. When keywords are not sufficient, use globs, and when globs are not sufficient, use regular expressions. Keyword queries are the least resource-intensive type of query. Globs are a simplified version of regular expressions and are the next least resource-intensive type of query. Regular expressions are the most expensive type of query.
  • Provide as many keywords as possible when using regular expressions or fields. If a regular expression includes a logical OR, for example this|that, do not include keywords. VMware Aria Operations for Logs is optimized to perform keyword queries prior to regular expressions to minimize regular expression overhead.
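
The three practices above can be checked mechanically before a content pack is published. The following is an added example, not code from VMware Aria Operations for Logs: the query dictionary layout, the `op` values, and the function names are hypothetical, and it assumes globs use only `*` and `?`.

```python
import re

ENV_FIELDS = {"source", "hostname"}        # named on the page as environment specific
META = re.compile(r"[\\\[\](){}|+?*^$.]")  # regex metacharacters

def needed_type(pattern):
    """Cheapest query type able to express a pattern that was written as a regex."""
    if not META.search(pattern):
        return "keyword"
    # Only '.' and '.*' used: a glob ('?' and '*', assumed syntax) says the same.
    if not META.search(pattern.replace(".*", "").replace(".", "")):
        return "glob"
    return "regex"

def lint(query):
    """Return findings for one query; the dict layout is hypothetical."""
    findings = []
    keywords = query.get("search", "").split()
    for flt in query.get("filters", []):
        field, op, value = flt["field"], flt["op"], flt["value"]
        if field in ENV_FIELDS or (field == "facility" and value.startswith("local")):
            findings.append(f"environment-specific filter on {field}")
        if op != "regex":
            continue
        kind = needed_type(value)
        has_or = "|" in value  # simplification: ignores escaped or bracketed '|'
        if kind != "regex":
            findings.append(f"regex '{value}' can be a {kind}")
        elif has_or and keywords:
            findings.append(f"regex '{value}' has a logical OR: drop the keywords")
        elif not has_or and not keywords:
            findings.append(f"regex '{value}' has no keywords to narrow it")
    return findings

# Constructed sample queries (hostnames and values are made up).
SAMPLES = {
    "clean": {"search": "sshd failed", "filters": [
        {"field": "text", "op": "regex", "value": r"from \d+\.\d+\.\d+\.\d+ port"}]},
    "pinned": {"search": "", "filters": [
        {"field": "hostname", "op": "contains", "value": "esx-prod-01"},
        {"field": "text", "op": "regex", "value": "timeout"}]},
    "or-regex": {"search": "login", "filters": [
        {"field": "facility", "op": "contains", "value": "local4"},
        {"field": "text", "op": "regex", "value": "denied|refused"}]},
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        print(name, lint(query) or "ok")
```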