You can use the list of existing fields to search log events with specific values for a field.
Important: vRealize Log Insight indexes complete, alphanumeric, hyphen, and underscore characters.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a user associated with the User role, or a role that has the relevant permissions. For more information, see Create and Modify Roles in Administering vRealize Log Insight. The URL format of the web user interface is https://log_insight-host, where log_insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
- Expand the main menu and click Explore Logs.
- Click Add Filter.
- In the filter row under the search text box, use the first drop-down menu to select any field defined within vRealize Log Insight.
For example, hostname, text, _index, and so on. If you select the _index field, you can query logs from an existing index partition, which lists a specific subset of events based on the partition filter and renders quick results.
The list contains all defined fields that are available statically, in content packs, and in custom content. Fields are sorted by name, except for the text and _index fields. Because text is a special field that refers to the message text, text appears at the top of the list, and is selected by default. Because _index is also a special field that refers to index partitions, _index appears after the text field in the list.
Note: Numeric fields contain additional operators that string fields do not: =, >, <, >=, <=. These operators perform numeric comparisons and using them yields different results than using string operators. For example, the filter response_time = 02 will match an event that contains a response_time field with a value 2. The filter response_time contains 02 will not have the same match.
- In the filter row under the search text box, use the second drop-down menu to select the operation to apply to the field selected in the first drop-down menu.
For example:
- Select is or is not. These filters match the full name. Using is for the _index field matches all the events stored in the specified index partition. Using is not for the _index field matches all the events that are not stored in the specified index partition.
- Select contains. The contains filter matches full tokens: searching for "err" will not find "error" as a match. Using contains for the _index field matches glob patterns in all existing index partitions.
- In the text box to the right of the filter drop-down menu, type the value that you want to use as a filter.
You can list multiple values separated by commas. The operator between these values is OR.
Note: The text box is not available if you select the exists operator in the second drop-down menu.
- (Optional) To add more filters, click Add Filter.
Note: You can add only one filter using the _index field. However, after adding a filter with the _index field, you can add more filters using other fields.
A toggle button appears above the filter rows.
- (Optional) For multiple filter rows, select the operator between filters.
| Option | Description |
|--------|-------------|
| all | Select to apply the AND operation between filter rows |
| any | Select to apply the OR operation between filter rows |

By default, all is selected.
Note: The _index field is considered a supplemental field. When you include this field in a filter, the filter is combined with filters containing other fields using the AND operator. However, you can select the OR operator to combine filters with non-_index fields.
- Click the Search button.
Example: Search for a Group of Hosts that Have a Common String in Their Names
Assume that you have several hosts, including one host named w1-stvc-205-prod3 and another host named w1-stvc-206-prod5.
To find all logs for both hosts, create the following query.
- Leave the search text box empty.
- Define the filter.
- Select hostname from the field drop-down menu.
- Select starts with from the operator drop-down menu.
- Type w1-stvc in the value text box.
Alternatively, you can use the contains operator, but then you must use a glob in the search value. In this example, you must type w1-stvc-* in the value text box.
- Click the Search button.
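The matching rules described in this topic (full-token contains with globs, numeric versus string operators, OR between comma-separated values, all or any between filter rows) can be modeled in a few lines of Python. This is an added example, not vRealize Log Insight code: the tokenizer, the function names, and the sample events are assumptions constructed for illustration.

```python
import fnmatch
import re

# Assumption: a token is a run of alphanumeric, hyphen, or underscore
# characters, following the indexing note at the top of this topic.
TOKEN = re.compile(r"[A-Za-z0-9_-]+")

def match_value(op, field_value, wanted):
    """Evaluate one operator against one filter value."""
    if op == "=":                        # numeric comparison: 02 equals 2
        try:
            return float(field_value) == float(wanted)
        except ValueError:
            return False
    text = str(field_value)
    if op == "contains":                 # full tokens only; globs allowed
        return any(fnmatch.fnmatchcase(t, wanted) for t in TOKEN.findall(text))
    if op == "starts with":
        return text.startswith(wanted)
    if op == "is":                       # full-value match
        return text == wanted
    raise ValueError(f"unsupported operator: {op}")

def row_matches(event, row):
    field, op, values = row
    if field not in event:
        return False
    # Comma-separated values in one filter row are combined with OR.
    return any(match_value(op, event[field], v.strip()) for v in values.split(","))

def search(events, rows, mode="all"):
    """mode 'all' applies AND between filter rows, 'any' applies OR."""
    combine = all if mode == "all" else any
    return [e for e in events if combine(row_matches(e, r) for r in rows)]

# Constructed sample events (not real log data).
EVENTS = [
    {"hostname": "w1-stvc-205-prod3", "text": "disk error on sda", "response_time": "2"},
    {"hostname": "w1-stvc-206-prod5", "text": "request ok", "response_time": "20"},
    {"hostname": "w2-db-001", "text": "err code 7", "response_time": "02"},
]

if __name__ == "__main__":
    for row in [("hostname", "contains", "w1-stvc"), ("hostname", "contains", "w1-stvc-*"),
                ("text", "contains", "err"), ("response_time", "=", "02")]:
        print(row, "->", [e["hostname"] for e in search(EVENTS, [row])])
```

In this model, contains with the value w1-stvc returns nothing because the whole host name is one token, which is why the glob w1-stvc-* or the starts with operator is needed when searching for a group of hosts.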
What to do next
You can save the current query to load it at a later stage.