You can search and filter log events on the Interactive Analytics tab.
You can type any complete keywords, globs, or phrases in the search text box and click Search to find only events that contain the specified keywords.
You can specify the time range on either the Dashboards or Interactive Analytics pages in the web user interface. Time ranges are inclusive when filtering.
You can search for log events that match certain values of specific fields. Using quoted text in the main search field will match exact phrases. Entering space in the main search field is a logical AND operator. Search uses only full tokens: searching for "err" will not find "error" as a match.
You can specify the field search criteria, or filters, by using the drop-down menus and the text box above the list of log events.
Within a single-row filter, you can use comma-separated values to list OR filters. For example, select hostname contains and type 127.0.0.1, 127.0.0.2. The search returns events with the host name 127.0.0.1 or 127.0.0.2.
The text contains filter treats each comma separated value as a complete keyword.
Queries with fields using the internal query language syntax names, for example, from or in, are not able to be processed and should not be used.
You can combine multiple field filters by creating a new filter row for each field. You can toggle the operator that is applied to multiple-row filters .
Select all to apply the AND operator.
Select any to apply the OR operator.
Regardless of the toggle value, the operator for comma-separated values within a single filter row is always OR.
You can use globs in search terms. For example, vm* or vmw?re.
Use * for 0 or more characters
Use ? for one character.
Globs cannot be used as the first character of a search term. For example, you can use 192.168.0.*, but you cannot use *.168.0.0 in your filtering queries.