Search the repositories and work with fields in the User Interface.
The data stored in repositories in LogScale can be searched — that's its main point and value. Searches are primarily done through the User Interface. However, the UI, and how to take advantage of everything it offers for searching, can be confusing.
The list below provides links to pages which explain what you can do when searching. They're loosely grouped.
Basic Search Items
The pages referenced below are related to the basics of searching a repository. Click on the heading for something of interest to you.
As a first step to searching data, you'll probably enter a query in the search box of the User Interface. This page covers this essential component of the UI.
For each data record in a repository, each event is parsed into multiple fields for easy sorting and searching. This page explains the fields available.
Whenever a repository is searched, at the bottom of the UI you'll see status information on that search. This linked page explains those stats.
Better Search Results Display
The default way in which search results are displayed is usually fine — especially when first constructing a query. But you may eventually want to improve how the results are displayed. The pages linked below will tell you how:
In the UI, there are several event fields listed on which you may search. The page linked here explains the Field Panel for a repository.
You can add, eliminate, and reorder the field columns in your search results. You can also reformat the contents of those columns for a more meaningful display. Click on the heading here to learn more.
Your results will be highlighted based on the filters applied in queries. This helps you identify where in the event text a query matches the results.
While all search results can be displayed as text – that's how it's ingested – you can easily change the display for search results to show the data in a variety of ways, including graphs, pie charts, and other graphics.
Events are displayed in the search results in a particular way, in a particular order. You can change how results are displayed, though. See the linked page for more on this.
Refining Search Results
You don't have to accept data as it comes, as it's stored in the repository. The pages listed below will explain how you can refine your search.
When searching a repository, you can select fields to search. You can also select fields on which to filter the results. Click the heading here for more.
For a simpler display that's easier to review, you can select which fields in a query's results to display — and which to hide.
Search results are for a specific time frame, such as the past day, the past month, or other time ranges. You can also display data for a time range that includes the current moment, known as live data instead of static data. This linked page explains how to change the time frame of a search.
Data is ingested into LogScale with a time stamp for each event. Those time stamps are for a particular time zone, but can be changed in your search results. This page shows how to make that change.
Without refining or rerunning a search, you can get more information from a search than appears on the surface. The linked pages listed below will explain how to go deeper into search results.
When you search a repository, you'll see a list of events. If you click on one in the main Event List pane, you'll see more details in the Inspection Panel. This linked page explains that panel.
You may find the search results fairly limited. Fortunately, you can interact with the results to reveal much more information. This page provides plenty of details and illustrations on how to do that.
In the Event List, Fields Panel, and Inspection Panel of the UI, you can click the ⋮ icon for a field to get a list of interaction choices. This page gives more details.
Implementing Field Aliasing in your workflow simplifies data correlation from various sources. You can give alternative names — or aliases — to fields created at parse time, across a view, or the entire organization. This page gives more details.
Saving & Exporting Searches
There are situations in which you'll want to save your searches. And sometimes you may want to export your search results to a file. These topics are covered on the pages in the list below.
It can be tedious to construct a search query. When you get a query the way you want – especially one that you may use often – you might want to save it. Click on the heading here to learn how to do this.
Although LogScale's UI is well designed and works well, you may want to export search results to a file for use in another application. This linked page explains how to export the results as they are, to a plain text file. It also explains how to export to a file in CSV or JSON format.