A query expression is a set of conditions used to select events when a search is performed. An expression can specify a very simple term to match, such as “login” or an IP address, or it can be complex enough to match events that include multiple IP addresses or ports and that occurred within a specific time range in a specific storage group.
Specify the query in the Search text box by using the following syntax:
<Indexed Search> | <Search Operators>
The query expression is evaluated from left to right in a pipeline fashion. First, events matching the specified Indexed Search portion of the query are found. The search operator after the first pipe (|) character is then applied to the matched events followed by the next search operator, and so on to further refine the search results.
The search results table and the histogram display the events that match the query as they are found. As additional events are matched, the search results table and the histogram are refreshed. Aggregation operators such as HEAD and TAIL require a query to finish running before search results can be displayed. See Search Operators for more information.
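To make the left-to-right pipeline evaluation concrete, here is an added Python model (example code written for this page, not part of the original page or of the product): the first stage streams events that match the indexed term, and each operator after a pipe consumes the previous stage's output, so operator order changes the result. The operator names HEAD and TAIL come from the page; the `head N` / `tail N` argument syntax, the whole-token matching rule and the sample events are assumptions of this example.

```python
import re
from typing import Callable, Iterable, Iterator

# Constructed sample events (not taken from the original page).
EVENTS = [
    "2024-05-01T08:00:01 login user=alice src=10.0.0.5",
    "2024-05-01T08:00:07 login user=bob src=10.0.0.9",
    "2024-05-01T08:01:15 logout user=alice src=10.0.0.5",
    "2024-05-01T08:02:03 login user=carol src=192.168.1.20",
    "2024-05-01T08:02:44 login failed user=mallory src=192.168.1.20",
]

def indexed_search(term: str, events: Iterable[str]) -> Iterator[str]:
    """Stage 1: stream every event whose tokens contain the term (a keyword
    such as 'login' or an IP address). Whole-token matching is an assumption
    of this model, so '10.0.0.5' does not match '10.0.0.50'."""
    for event in events:
        if term in re.split(r"[\s=]+", event):
            yield event

def op_head(n: int) -> Callable[[Iterator[str]], Iterator[str]]:
    # HEAD can emit events as they arrive and stop after n of them.
    def apply(stream: Iterator[str]) -> Iterator[str]:
        for i, event in enumerate(stream):
            if i >= n:
                break
            yield event
    return apply

def op_tail(n: int) -> Callable[[Iterator[str]], Iterator[str]]:
    # TAIL is an aggregation: it must consume the whole input before it knows
    # which events are the last n, so nothing is shown until the query finishes.
    def apply(stream: Iterator[str]) -> Iterator[str]:
        yield from (list(stream)[-n:] if n > 0 else [])
    return apply

# 'head N' / 'tail N' argument syntax is an assumption of this example.
OPERATORS = {"head": op_head, "tail": op_tail}

def run_query(query: str, events: Iterable[str] = EVENTS) -> list[str]:
    """Evaluate '<Indexed Search> | <op> | <op> ...' left to right."""
    stages = [s.strip() for s in query.split("|")]
    stream = indexed_search(stages[0], events)
    for stage in stages[1:]:
        name, *args = stage.split()
        if name.lower() not in OPERATORS or len(args) != 1 or not args[0].isdigit():
            raise ValueError(f"unsupported search operator: {stage!r}")
        stream = OPERATORS[name.lower()](int(args[0]))(stream)
    return list(stream)
```

Swapping the operator order (`head 3 | tail 1` versus `tail 3 | head 1`) over the same indexed search returns different events, which is the pipeline semantics the text describes.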