Using Text Search Syntax

The search feature uses the Apache Lucene syntax. Lucene’s query parser interprets the following as special characters:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

Do not use * or ? at the start of your search string because this syntax returns nothing.

Do not use the wildcard for IPv6 address searches. Instead, enter the exact IPv6 address.

If your query string includes any of these special characters, escape each one with a backslash (\) so that the query parser treats it literally. For example, if your search string includes (1+1):2, you write it as

\(1\+1\)\:2

However, if your query string starts with a special character (other than * or ?, which are not allowed at the start), enclose the entire string in double quotes. For example, to search for this Resource ID:

    ^VVsOXg4BABCAIEuBhILMyg==

Enter

    "^VVsOXg4BABCAIEuBhILMyg=="

in the query text field. You also use double quotes to enclose a phrase, such as

"keep them together"

For additional information about the Apache Lucene syntax, go to

https://lucene.apache.org/core/5_5_1/queryparser/org/apache/lucene/queryparser/classic/package-summary.html

and refer to the topic, Query Parser Syntax. Write your queries using the documented conventions.
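The escaping, quoting and wildcard rules above are easy to get wrong when search strings come from users, and an unescaped special character lets a plain search string be parsed as operators or field selectors. The following helper is an added example (not part of this documentation or the product) that applies the rules on this page before a term is placed in a query: backslash-escape special characters, quote a string that starts with a special character or contains spaces, reject a leading * or ?, and reject wildcards in IPv6 address searches. The IPv6 pattern check is a heuristic assumption, and the sample inputs are the page's own examples plus constructed ones.

```python
"""Render untrusted user input as safe Lucene classic-parser search terms,
following the escaping, quoting and wildcard rules documented on this page."""
import ipaddress
import re

# Special characters of the Lucene classic query parser (the list on this page).
# The operators && and || are covered by escaping each '&' and '|'.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\')

# Heuristic (assumption): a term of hex digits, colons and wildcards with at
# least two colons is treated as an IPv6 address pattern.
_IPV6_PATTERN = re.compile(r"[0-9A-Fa-f:*?]*:[0-9A-Fa-f:*?]*:[0-9A-Fa-f:*?]*")


class QueryError(ValueError):
    """Raised when a user-supplied string cannot be turned into a valid term."""


def escape_lucene_term(term: str) -> str:
    """Backslash-escape every special character, e.g. (1+1):2 -> \\(1\\+1\\)\\:2."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in term)


def quote_lucene_term(term: str) -> str:
    """Enclose the term in double quotes so it is searched as a literal phrase."""
    return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'


def literal_term(term: str) -> str:
    """Render user text that must match literally (no wildcards intended)."""
    if not term:
        raise QueryError("empty search string")
    if term[0] in "*?":
        # The page states that a query starting with * or ? returns nothing.
        raise QueryError("search string must not start with * or ?")
    if term[0] in LUCENE_SPECIAL or any(ch.isspace() for ch in term):
        # Leading special character or a multi-word phrase: quote the whole string.
        return quote_lucene_term(term)
    return escape_lucene_term(term)


def wildcard_term(pattern: str) -> str:
    """Accept a single-word pattern that deliberately uses ? and * (e.g. attack??),
    escape everything else, and enforce the two wildcard restrictions."""
    if not pattern:
        raise QueryError("empty search pattern")
    if pattern[0] in "*?":
        raise QueryError("wildcards may not start the search string")
    if any(ch.isspace() for ch in pattern):
        raise QueryError("a wildcard pattern must be a single term")
    if ("*" in pattern or "?" in pattern) and _IPV6_PATTERN.fullmatch(pattern):
        raise QueryError("do not use wildcards for IPv6 addresses; enter the exact address")
    return "".join(
        ch if ch in "*?" else ("\\" + ch if ch in LUCENE_SPECIAL else ch)
        for ch in pattern
    )


def ipv6_term(address: str) -> str:
    """Validate an exact IPv6 address and escape its colons (a colon is a
    special character, so the address is escaped like any other literal)."""
    try:
        canonical = str(ipaddress.IPv6Address(address))
    except ValueError as exc:
        raise QueryError(f"not a valid IPv6 address: {address!r}") from exc
    return escape_lucene_term(canonical)


def field_query(field: str, term: str) -> str:
    """Combine a field label with an already rendered term, e.g. name:"address space"."""
    return f"{field}:{term}"


def rejects(render, value: str) -> bool:
    """True if the renderer refuses the value with a QueryError (used for checks)."""
    try:
        render(value)
    except QueryError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the page's own examples plus a few hostile strings.
    print(escape_lucene_term("(1+1):2"))
    print(literal_term("^VVsOXg4BABCAIEuBhILMyg=="))
    print(field_query("name", literal_term("address space")))
    print(field_query("name", wildcard_term("attack??")))
    print(ipv6_term("2001:db8::1"))
    for bad in ("*attack", "2001:db8::*", "attack?? OR type:*"):
        print(f"rejected {bad!r}: {rejects(wildcard_term, bad)}")
```

Two rendering paths are kept apart on purpose: `literal_term` escapes or quotes everything, so a user who types `attack??` literally gets exactly that string searched, while `wildcard_term` is the only path that preserves `?` and `*`, and it refuses the cases this page says do not work (a leading wildcard, a wildcard IPv6 search) instead of silently returning nothing.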

Apache Lucene Syntax Relevant to Querying for Resources

Query Elements and Descriptions

Full or partial strings

Phrases, words, or partial words.

Examples:

"Attack Notification"
notification
notif

Wildcards

Question marks (?) for single-character substitutions and asterisks (*) for multi-character substitutions.

  • Do not use wildcards to start the search string.

  • Do not use wildcards to search for IPv6 addresses. Use the full IPv6 address instead.

Examples:

attack??
name:"attack??"
attack*

Boolean Operators

Use AND and OR to join strings.

Examples:

attack AND high AND compromise
attack OR high OR compromise

Fields

Resource field labels (grid view columns) followed by a colon, with the data expressed as plain strings, Boolean strings, quoted strings, or parenthetical expressions.

Examples:

type:datamonitor AND name:"event counts"
name:"address space"
name:(address+space)
name:(address space)

Exclusion

Use NOT, the minus sign (-), and the exclamation point (!) to exclude strings.

Examples:

at???? -attack

at???? NOT attack

at???? !attack

at???? !attack !type:File

Proximity

Extend data-field queries' scope with a proximity factor expressed as a numeral following a tilde (~). The numeral sets the maximum number of words allowed between the specified words in the resources found.

Examples:

name:("top events"~1)
name:("top events"~2)

Fuzzy

Broaden query results with a relative letter-substitution factor expressed as a decimal fraction following a tilde (~). The values 0.0 to 0.9 apply, with the higher values increasing the substitutions made in the string.

Examples:

name:mssp~0.2
name:mssp~0.0

Entering Values: Examples

Fields and Details

Dropdown fields

For dropdown fields that offer a list of values, enter the specific list item.

For example, for a case's Ticket Type, enter Internal.

Dropdown fields with code and value pairs

For dropdown fields that offer a list of codes and their corresponding values, enter the code only.

For example, for a case's Frequency, enter 0 to denote Never or Once.

Search narrowed to specific fields

To narrow your search to a resource's specific field, use the format

resource:fieldName=somevalue

For example:

case:name=MyCase

The fieldname must match the database column name. Column names follow the camel case format, so you can derive the fieldname from the field's label on the Console. For example:

  • If the label is Name, the fieldname is name.

  • If the label is Ticket Type, the fieldname is ticketType.

  • If the label is Estimated Restore Time, the fieldname is estimatedRestoreTime.
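The label-to-fieldname rule above is mechanical, so it can be applied in code when building narrowed searches. The following helper is an added example (not part of this documentation or the product) that derives the camel-case fieldname from a Console label and assembles the resource:fieldName=somevalue form; the assumption that every word after the first is lowercased except its initial letter is mine, and the sample labels are the three from this page.

```python
import re


def field_name_from_label(label: str) -> str:
    """Derive the camel-case database column name from a Console field label,
    e.g. 'Estimated Restore Time' -> 'estimatedRestoreTime'.
    Assumption: words are split on anything that is not a letter or digit."""
    words = re.findall(r"[A-Za-z0-9]+", label)
    if not words:
        raise ValueError(f"label contains no alphanumeric words: {label!r}")
    first = words[0].lower()
    rest = "".join(w[:1].upper() + w[1:].lower() for w in words[1:])
    return first + rest


def narrowed_query(resource: str, label: str, value: str) -> str:
    """Build the resource:fieldName=somevalue form, e.g. case:name=MyCase."""
    return f"{resource}:{field_name_from_label(label)}={value}"


if __name__ == "__main__":
    # Constructed inputs taken from the labels listed on this page.
    for label in ("Name", "Ticket Type", "Estimated Restore Time"):
        print(f"{label!r} -> {field_name_from_label(label)}")
    print(narrowed_query("case", "Name", "MyCase"))
```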

Tip: Refer to How Fields are Indexed for information on how to fine tune your search index level.