Searching Data
The data stored in repositories in LogScale can be searched — that's its main point and value. Searches are primarily done through the User Interface from the
page (available when a repository is selected).The following provides links to pages which explain what you can do when searching.
Basic Search Items
The following listed linked pages are related to the basics of searching a repository.
LogScale's search functionality using the Query editor allows for robust, fast regex searches of server logs and metrics in your repositories. As a first step to searching data, you enter a query in the query editor. This linked page covers this essential component of the User Interface.
For each data record in a repository, each event is parsed into multiple fields for easy sorting and searching. This linked page explains the fields available.
Whenever a repository is searched, status information on that search is displayed in the Status bar (bottom line of LogScale's User Interface). This linked page explains those statuses.
Better Search Results Display
The default way in which search results are displayed is usually adequate — especially when first constructing a query.
The following listed linked pages provide information on how to improve the way the results are displayed.
In the UI, there are several event fields listed on which you may search. This linked page explains the Field Panel for a repository.
You can add, eliminate, and reorder the field columns in search results. You can also reformat the contents of those columns for a more meaningful display.
Search results are ingested as text and, therefore, as default displayed as text. You can easily change the display for search results to show the data in a variety of ways, including graphs, pie charts, and other graphics.
Events are displayed in the search results in a specific way, in a specific order. You can change how results are displayed, though.
Refining Search Results
You do not have to accept data as it comes, as the data is stored in the repository.
The following listed linked pages explain how you can refine search results.
When searching a repository, you can select fields to search. You can also select fields on which to filter the results.
For a more simplified display that is easier to review, you can select which fields in a query results to display — and which to hide.
Search results are for a specific time interval: such as, the past day, the past month, other time ranges. Instead of static data, you can also display data for a time interval that includes the current moment, known as live data.
Data is ingested into LogScale with a time stamp for each event. Those time stamps are for a specific time zone, but the time zone can be changed in your search results.
Searching Deeper
Without refining or rerunning a search, you can get more information from a search that appears on the surface.
The following listed linked pages explain how to go deeper into search results.
When you search a repository, you get a list of events in the Results panel. You can click on a specific event in the Event list to get more details in the Inspection panel (that appears below the Results panel when a specific event is selected from the Event list).
You can have a detail view in context of a single event and search for value matches with a different time interval.
You may find the search results fairly limited. Depending on your user permission, it is possible to interact with the results to reveal much more information. This linked page provides details and illustrations on how to create event list interations.
In the Results panel, Fields panel, and Inspection panel, you can click the
⋮ icon for a field to get a list of interaction options.
Implementing Field Aliasing in your workflow simplifies data correlation from various sources. You can provide alternative names — or aliases — to fields created at parse time, across a view, or the entire organization.
Saving & Exporting Searches
Search queries can be saved for future use and search results can be exported.
The following listed linked pages provide information about the different saving options and export formats.
Besides search queries, also dashboard widgets and scheduled searches can be saved. As it can take some time to construct a search query and if used often, saving searches and different dashboards for reuse is time saving.
Search results can be exported to a file for use in another application. This linked page explains how to export the results as they are, to a plain text file. It also explains how to export to a file in CSV, Newline delimited JSON, or JSON format.