ESM 10x: New Boolean Operators available in Enterprise Log Search (ELS)

Version 1

    Enterprise Log Search (ELS) retains uncompressed log data for a specific duration, so that ELS data can be searched quickly from the ESM dashboard. Starting with version 10.0.2, new Boolean operators that help you build effective searches are supported.

    Here is a list of search syntax examples using the AND, OR, and NOT operators:

    Searching using AND:

      • john doe
      • john and doe
      • john AND doe
      • john & doe

    Searching using OR:

      • john or doe
      • john | doe
      • john OR doe

    Searching using NOT (supported only in combination with the AND operator):

      • john and not doe == john not doe
      • john and !doe == john !doe
      • john and ! doe == john ! doe
      • john and NOT doe == john NOT doe

    Wrapping a keyword in quotes to search for it as a literal term rather than an operator:

      • john and  "and" and doe

    Nesting Boolean operators is supported:

      • (john and doe) or smith
      • (john) and (doe or smith)
      • john (doe| smith)
      • (john | jane )( doe| smith)
      • (pass or fail | warning | success) loginsecurity

    Here is another example that demonstrates how Boolean operators can be combined for advanced searching:

      • (10.75.117.43 or 10.75.117.44) and admin and (22 or 443 or 80) and ((Fail and (username or password)) or (Warning and expiring))

    This is an example of invalid syntax (AND and OR mixed at the same level without parentheses; compare the nested forms above):

      • john and doe or smith

    In addition, it is important to note the syntax differences between term searching and like/contains searching, because you want to use the fastest search method available. Here is a list of examples that show how each search syntax is implemented in ELS:

      • "lela"   <exact match, explicit term search>
      • lela     <exact match, implicit term search>
      • *lela*   <any string that contains "lela">
      • lela*    <any string that starts with "lela">
      • *lela    <any string that ends with "lela">
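The following Python script is an added illustration of both the Boolean operator rules and the term/wildcard forms described above; it is not McAfee's code and does not reflect how ELS is implemented internally. It tokenizes a query (implicit and explicit AND, OR, NOT only in combination with AND, quoted keywords, nesting), rejects the invalid form john and doe or smith, maps the term/wildcard forms to exact, contains, starts-with and ends-with matches, and runs queries against a few constructed log lines. The function names (tokenize, parse, matches, search, is_valid), the LOGS sample and the ADVANCED constant are this example's own; case-insensitive whole-word matching and literal treatment of quoted terms are assumptions the article does not specify.

```python
import re

# Added example, not McAfee's own ELS code: a parser and evaluator for the query
# syntax listed above, run over constructed log lines. Assumed (not stated on the
# page): matching is case-insensitive against whole delimiter-separated words,
# and a quoted term is taken literally (no wildcard expansion).
TOKEN_RE = re.compile(r'\s*(\(|\)|\||&|!|"[^"]*"|[^\s()|&!"]+)')
WORD_SPLIT = re.compile(r'[\s,;=:"\'()\[\]]+')
OPERATORS = {'and': 'AND', '&': 'AND', 'or': 'OR', '|': 'OR', 'not': 'NOT', '!': 'NOT'}

# Constructed sample events (not real ESM data); search() returns their indices.
LOGS = [
    'src=10.75.117.43 dport=443 user=admin msg=Fail reason=bad password',     # 0
    'src=10.75.117.44 dport=22 user=admin msg=Warning reason=cert expiring',  # 1
    'src=10.75.117.43 dport=443 user=admin msg=Success',                      # 2
    'src=10.75.117.50 dport=80 user=admin msg=Fail reason=bad password',      # 3
    'src=10.75.117.43 dport=443 user=lela msg=Fail reason=bad password',      # 4
    'user=john lastname=doe action=login msg=and so on',                      # 5
    'user=john lastname=smith action=login',                                  # 6
]
# The article's advanced query (with its parentheses balanced).
ADVANCED = ('(10.75.117.43 or 10.75.117.44) and admin and (22 or 443 or 80) and '
            '((Fail and (username or password)) or (Warning and expiring))')

def tokenize(query):
    # Split into parentheses, operator symbols, quoted terms and bare terms.
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError('unexpected character at offset %d' % pos)
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def classify(tok):
    """'AND', 'OR' or 'NOT' for an operator token; None for terms and parentheses."""
    return OPERATORS.get(tok.lower())

def make_term(tok):
    """A quoted "x" is literal; lela, *lela*, lela*, *lela = exact/contains/starts/ends."""
    if tok.startswith('"'):
        pattern = re.escape(tok[1:-1])
    else:
        pattern = '.*'.join(re.escape(part) for part in tok.split('*'))
    return ('term', re.compile(pattern, re.IGNORECASE))

def parse_operand(tokens, pos):
    # A single term or a parenthesised sub-query.
    if pos < len(tokens) and tokens[pos] == '(':
        node, pos = parse_group(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ')':
            raise ValueError('missing closing parenthesis')
        return node, pos + 1
    if pos >= len(tokens) or tokens[pos] == ')' or classify(tokens[pos]):
        raise ValueError('operand expected at token %d' % pos)
    return make_term(tokens[pos]), pos + 1

def parse_group(tokens, pos):
    """One operator kind per level; adjacency is implicit AND; mixed AND/OR or NOT with OR is invalid."""
    node, pos = parse_operand(tokens, pos)
    operands, kind = [(False, node)], None
    while pos < len(tokens) and tokens[pos] != ')':
        op = classify(tokens[pos])
        if op in ('AND', 'OR'):
            pos += 1                      # explicit and/&/or/| consumed
        else:
            op = 'AND'                    # 'john doe', 'john not doe', 'john (...)'
        if kind not in (None, op):
            raise ValueError('AND and OR mixed without parentheses')
        kind = op
        negate = pos < len(tokens) and classify(tokens[pos]) == 'NOT'
        if negate:
            if op != 'AND':
                raise ValueError('NOT is only supported in combination with AND')
            pos += 1
        node, pos = parse_operand(tokens, pos)
        operands.append((negate, node))
    return (kind or 'AND', operands), pos

def parse(query):
    tokens = tokenize(query)
    node, pos = parse_group(tokens, 0)
    if pos != len(tokens):
        raise ValueError('unbalanced parentheses')
    return node

def matches(node, line):
    # Evaluate a parsed query against one log line.
    if node[0] == 'term':
        return any(node[1].fullmatch(w) for w in WORD_SPLIT.split(line) if w)
    kind, operands = node
    hits = [matches(child, line) != negate for negate, child in operands]
    return all(hits) if kind == 'AND' else any(hits)

def search(query, lines=LOGS):
    """Indices of the lines the query matches; ValueError if the syntax is invalid."""
    node = parse(query)
    return [i for i, line in enumerate(lines) if matches(node, line)]

def is_valid(query):
    try:
        return parse(query) is not None
    except ValueError:
        return False
```

Calling search('john doe') returns [5], search(ADVANCED) returns [0, 1], search('*ssword') returns the lines whose word "password" ends with ssword, and is_valid('john and doe or smith') returns False. Because the article marks the ungrouped AND/OR mix as invalid, the parser refuses it rather than guessing a precedence; when building detection searches, group every AND/OR mix in parentheses and attach NOT only to an AND operand.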