You can use the list of existing fields to search log events with specific values for a field.

Important: VMware Aria Operations for Logs indexes whole tokens made up of alphanumeric, hyphen, and underscore characters.

Prerequisites

Verify that you are logged in to the VMware Aria Operations for Logs web user interface as a user associated with the User role, or a role that has the relevant permissions. For more information, see Create and Modify Roles in Administering VMware Aria Operations for Logs. The URL format of the web user interface is https://operations_for_logs-host, where operations_for_logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.

Procedure

  1. Expand the main menu and click Explore Logs.
  2. Click Add Filter.
  3. In the filter row under the search text box, use the first drop-down menu to select any field defined within VMware Aria Operations for Logs.

    For example, hostname, text, _index, and so on. If you select the _index field, you can query logs from an existing index partition, which lists a specific subset of events based on the partition filter and renders quick results.


    The list contains all defined fields that are available statically, in content packs, and in custom content.

    Fields are sorted by name, except for the text and _index fields. Because text is a special field that refers to the message text, text appears at the top of the list, and is selected by default. Because _index is also a special field that refers to index partitions, _index appears after the text field in the list.

    Note: Numeric fields contain additional operators that string fields do not: =, >, <, >=, <=. These operators perform numeric comparisons and using them yields different results than using string operators. For example, the filter response_time = 02 will match an event that contains a response_time field with a value 2. The filter response_time contains 02 will not have the same match.
  4. In the filter row under the search text box, use the second drop-down menu to select the operation to apply to the field selected in the first drop-down menu.
    For example:
    • Select is or is not. These filters match the full name. Using is for the _index field matches all the events stored in the specified index partition. Using is not for the _index field matches all the events that are not stored in the specified index partition.
    • Select contains. The contains filter matches full tokens: searching for "err" will not find "error" as a match. Using contains for the _index field matches glob patterns in all existing index partitions.
  5. In the text box to the right of the filter drop-down menu, type the value that you want to use as a filter.
    You can list multiple values separated by comma. The operator between these values is OR.
    Note: The text box is not available if you select the exists operator in the second drop-down menu.
  6. (Optional) To add more filters, click Add Filter.
    Note: You can add only one filter that uses the _index field. However, after adding a filter with the _index field, you can add more filters that use other fields.
    A toggle button appears above the filter rows.
  7. (Optional) For multiple filter rows, select the operator between filters.
    Option: Description
    all: Select to apply the AND operation between filter rows.
    any: Select to apply the OR operation between filter rows.
    By default, all is selected.
    Note: The _index field is considered a supplemental field. When you include this field in a filter, the filter is combined with filters containing other fields using the AND operator. However, you can select the OR operator to combine filters with non-_index fields.
  8. Click the Search button.

Example: Search for a Group of Hosts that Have a Common String in Their Names

Assume that you have several hosts, one named w1-stvc-205-prod3 and another named w1-stvc-206-prod5.

To find all logs for both hosts, create the following query.

  1. Leave the search text box empty.
  2. Define the filter.
    1. Select hostname from the field drop-down menu.
    2. Select starts with from the operator drop-down menu.
    3. Type w1-stvc in the value text box.

    Alternatively, you can use the contains operator, but then you must use a glob in the search value. In this example, you must type w1-stvc-* in the value text box.

  3. Click the Search button.
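The filter semantics described in the procedure above (numeric operators versus string operators, contains matching full tokens and globs, comma-separated values OR-ed within a row, and the all/any choice between rows) and the hostname example just shown can be checked against a small model. The following Python script is an added example written for this page; it is not VMware Aria Operations for Logs code and does not reproduce the product's query engine. It assumes a constructed set of events, assumes that response_time is the only numeric field, and does not model the _index field.

```python
import fnmatch
import re

# Constructed sample events (not taken from the product). Field values are
# kept as strings, the way an indexed event carries them.
EVENTS = [
    {"hostname": "w1-stvc-205-prod3",
     "text": "request handled with error code 500", "response_time": "2"},
    {"hostname": "w1-stvc-206-prod5",
     "text": "request handled ok", "response_time": "15"},
    {"hostname": "db-01",
     "text": "err: connection reset", "response_time": "02"},
]

# Assumption for this example: which fields are treated as numeric.
NUMERIC_FIELDS = {"response_time"}
NUMERIC_OPS = ("=", ">", "<", ">=", "<=")

# Indexed tokens are runs of alphanumeric, hyphen, and underscore characters,
# so "err:" yields the token "err" and "w1-stvc-205-prod3" is one token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def tokens(value):
    return TOKEN_RE.findall(value)


def match_one(event, field, op, value):
    """Evaluate one filter row with a single value against one event."""
    if op == "exists":
        return field in event
    if field not in event:
        return False
    actual = event[field]
    if op in NUMERIC_OPS:
        if field not in NUMERIC_FIELDS:
            raise ValueError(f"{op!r} is only offered for numeric fields")
        try:
            a, b = float(actual), float(value)
        except ValueError:
            return False  # non-numeric content never satisfies a numeric compare
        # Numeric comparison: "02" and "2" are the same number.
        return {"=": a == b, ">": a > b, "<": a < b,
                ">=": a >= b, "<=": a <= b}[op]
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "starts with":
        return actual.startswith(value)
    if op == "contains":
        # Full-token match; the value may be a glob that must match a whole token.
        # "err" therefore does not match the token "error".
        return any(fnmatch.fnmatchcase(tok, value) for tok in tokens(actual))
    raise ValueError(f"unknown operator {op!r}")


def match_row(event, field, op, values):
    """Comma-separated values in one filter row are combined with OR."""
    return any(match_one(event, field, op, v.strip()) for v in values.split(","))


def search(events, rows, match="all"):
    """rows is a list of (field, operator, value) tuples; match is 'all' or 'any'."""
    combine = all if match == "all" else any
    return [e for e in events
            if combine(match_row(e, f, o, v) for f, o, v in rows)]


if __name__ == "__main__":
    # The example from the page: both w1-stvc hosts, by prefix or by glob.
    for row in (("hostname", "starts with", "w1-stvc"),
                ("hostname", "contains", "w1-stvc-*")):
        print(row, [e["hostname"] for e in search(EVENTS, [row])])
    # The note on numeric versus string operators.
    print("= 02      ", [e["hostname"] for e in search(EVENTS, [("response_time", "=", "02")])])
    print("contains 02", [e["hostname"] for e in search(EVENTS, [("response_time", "contains", "02")])])
```

Running the script shows that `starts with w1-stvc` and `contains w1-stvc-*` return the same two hosts, that `response_time = 02` matches the event whose value is 2 while `response_time contains 02` does not, and that `text contains err` does not pick up the event containing "error".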

What to do next

You can save the current query to load it at a later stage.