search

This command is experimental

Definition

search retrieves data from one or more datasets. You can use keywords, wildcards, quoted phrases and expressions to get results from a dataset.

Examples

The simplest way to do a search is to define with index from which dataset to retrieve data. The part of command in parentheses is optional.

%dpl
(| search) index=example

At the moment, if the earliest isn’t used, the earliest results that Teragrep will show will be from the beginning of previous midnight. This will be changed to be compatible in the future.

You can use wildcards to search from multiple datasets at the same time. However, we don’t recommend doing index=* search since it’s prone to slow down the performance with big data masses.

index=join* earliest=2021-01-01T00:00:00.000+03:00
example of wildcard search with index

Keywords

You can add one or more keywords in your search. The keyword or keywords will only search from _raw table column.

%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00 18 Alice
%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| search 18 Alice
example of keywords

To make a literal search, add quotation marks around the keyword.

%dpl
index=example earliest=2020-01-01T00:00:00.000+03:00 "38.42"
%dpl
index=example earliest=2020-01-01T00:00:00.000+03:00
| search "38.42"
example of literal keyword search

Searching from Table Columns

To search results from other table columns than _raw, use <column-name>=<keyword>.

%dpl
index=join* earliest=2021-01-01T00:00:00.000+03:00 offset=1
%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| search offset=1
example of column search

Earliest and Latest

At the moment, if the earliest isn’t used, the earliest results that Teragrep will show will be from the beginning of previous midnight. This will be changed to be compatible in the future.

You can set a date range for your search by using either earliest, latest or both. The default time format is ISO 8601.

index=example earliest=2021-01-01T00:00:00.000+03:00 latest=2021-12-31T23:59:00.000+03:00
example of earliest and latest filters

In search command, earliest is inclusive and latest exclusive. This means that latest must have bigger value than earliest so the search works as wanted.

Less-Than and Greater-Than Comparisons

You can search results that are less or greater than defined value.

%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| spath
| search count<30
Currently, less-than and greater-than comparisons don’t work in Teragrep. This will be fixed before the community release.

OR and AND

By using OR, you can return results that matches with either criteria.

%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| spath
| search user=Carlos OR user=Bob
example of OR search

By using AND, you can return results that matches with both criteria.

%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| spath
| search user=Carlos AND target=Bob
example of AND search

NOT and != Comparisons

You can exclude a value by using either NOT or !=.

%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| spath
| search user!=Carlos
%dpl
index=join_json_one earliest=2021-01-01T00:00:00.000+03:00
| spath
| search NOT user=Carlos
examples of NOT and !=