Understand the Query Syntax

Depending on the type of search you create, your query must meet the requirements listed in the following table. Search treats a comma (,) between search items and values as an OR operator. Additionally, there is a list of reserved words that must be enclosed in quotes (" ") to ensure the system correctly parses the query.

If you do not get the search results you expect, you might need to restate the query. For example:

By default, search operations are case-sensitive to support faster performance. However, you can instruct the database to support case-insensitive searches. For SaaS deployments, talk to your SaaS Admin about changing the database. For non-SaaS deployments, see the Administrator’s Guide to ArcSight Platform.

When you construct a query, you can include operators, such as eval and lookup, for more robust searches.

You cannot use multiple operators, such as NN and XX, in the same query.

General Syntax Rules

Each rule below is given for the three search types: Full-text, Field-based, and Hashtag (predefined).

Case sensitivity
  Full-text: Case-sensitive
  Field-based: Case-sensitive
  Hashtag (predefined): Case-insensitive

Exact Match
  Full-text: Keyword treated as keyword*.
    Example: /Execute matches /Execute, /Execute/Start, /Execute/Response, /Execute/Query
  Field-based: Enclose the value in double quotes.
    Example: Category Behavior = "/Execute"
  Hashtag (predefined): n/a

Nesting, including parenthetical clauses, such as (a OR b) AND c
  Full-text: Allowed. Use boolean operators to connect and nest keywords.
  Field-based: Allowed. Use boolean operators to connect and nest keywords.
  Hashtag (predefined): Allowed. Use boolean operators to connect and nest keywords.

Implicit Operators
  Full-text: When you enter two values separated by a space, this is treated as an implicit AND condition.
    Example: ssh fail
  Field-based: The AND/OR treatment of a comma-separated list depends on the operator used in the search.
    For example, destinationAddress = 1.1.1.1, 2.2.2.2 is equivalent to destinationAddress = 1.1.1.1 OR destinationAddress = 2.2.2.2,
    while destinationAddress != 1.1.1.1, 2.2.2.2 is equivalent to destinationAddress != 1.1.1.1 AND destinationAddress != 2.2.2.2.
  Hashtag (predefined): n/a

List Operations
  Full-text: n/a
  Field-based: Performs an inner join or a left join against a custom list.
    Syntax for an inner join: source address in list CustomListName_CustomColumnName
    Syntax for a left join: source address not in list CustomListName_CustomColumnName
  Hashtag (predefined): n/a

Time Format (when searching for events that occurred at a particular time)
  Full-text: No specific format. The query needs to contain the exact timestamp string.
    Example: "10:34:35"
  Field-based: Use one of the following formats:
    YYYY-MM-DD
    YYYY-MM-DD HH:mm
    YYYY-MM-DD HH:mm:ss.fff
    To narrow the time range, use the following operators:
      • in between (><)
      • greater than (>)
      • less than (<)
  Hashtag (predefined): n/a

Special Characters: \ * ' "
  Full-text: Use the backslash (\) as an escape character.
  Field-based: Use the backslash (\) as an escape character.
  Hashtag (predefined): n/a

Wildcard
  Full-text: Can appear anywhere in the value.
    Examples:
      *log
      log*
      lo*g*
    These search for ablog, blog, long, etc.
  Field-based: Can appear anywhere in the field value.
    Examples:
      name=*log
        Searches for ablog, blog, etc. in the name field.
      name="\*log"
      name=\*log
        Both search for the literal value *log.
  Hashtag (predefined): n/a

Escape a Wildcard Character
  Full-text: Can search for * by escaping the character.
    Example: log\*
  Field-based: Can search for * by escaping the character.
    Example: log\*
  Hashtag (predefined): n/a
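The wildcard, escape and comma-list rules above, worked through as an added example (this is not code from the ArcSight Platform or its documentation): a small Python evaluator for one field-based clause, run over constructed sample events. The event records and field values are constructed for illustration, and a value is assumed to be either fully double-quoted or unquoted.

```python
import re

# Constructed sample events for illustration (not from the original page).
EVENTS = [
    {"name": "blog", "destinationAddress": "1.1.1.1"},
    {"name": "ablog", "destinationAddress": "2.2.2.2"},
    {"name": "long", "destinationAddress": "3.3.3.3"},
    {"name": "*log", "destinationAddress": "1.1.1.1"},
]

def wildcard_to_regex(value: str) -> re.Pattern:
    """Turn a field-based value into an anchored, case-sensitive regex.

    An unescaped * matches any run of characters; a backslash makes the
    next character (\\, *, ', ") literal, so \\*log matches only "*log".
    """
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            parts.append(re.escape(value[i + 1]))  # escaped: taken literally
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")

def match_clause(event: dict, field: str, op: str, values: list) -> bool:
    """Evaluate `field op v1, v2, ...` against one event.

    A comma list joins with OR under '=' but with AND under '!=', so
    destinationAddress != 1.1.1.1, 2.2.2.2 excludes both addresses.
    """
    actual = str(event.get(field, ""))
    hits = [wildcard_to_regex(v).match(actual) is not None for v in values]
    if op == "=":
        return any(hits)
    if op == "!=":
        return not any(hits)
    raise ValueError(f"unsupported operator: {op!r}")

def search(events: list, field: str, op: str, raw_value: str) -> list:
    """Split the comma list, drop surrounding double quotes, and filter."""
    values = [v.strip().strip('"') for v in raw_value.split(",")]
    return [e for e in events if match_clause(e, field, op, values)]
```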

Implicit Operators

Implicit operators form the basic building blocks for query construction. Use them along with other operators and functions to create robust search queries.

To build queries, use the following general operators:

Each entry lists the operator, its alternative spellings, and example queries.

Operator: AND
Alternative operators: n/a
Examples:
  #Firewall drop and sourceAddress equals 10.0.112.9
  sourceAddress equals 10.0.112.9 and destinationAddress = 10.0.116.148

Operator: OR
Alternative operators: n/a
Examples:
  fail OR ssh
  destinationAddress = 10.0.111.5 OR destinationAddress = 10.0.116.148
  destinationAddress = 10.0.111.5, 10.0.116.48

Operator: not equal
Alternative operators: <>, !=
Example:
  destinationPort not equal 21

Operator: equals
Alternative operators: =, ==, is equal to, equal
Examples:
  name equals INVALID password
  device vendor equals CISCO

Operator: greater than
Alternative operators: >, is greater
Example:
  bytes In greater than 100

Operator: less than
Alternative operators: <, is less, is lower, less
Example:
  bytes out less than 1000

Operator: greater equal than
Alternative operators: >=, gte, greater equal
Examples:
  End Time greater equal than 2017-07-25
  End Time greater equal than 2017-07-25 09:07
  End Time greater equal than 2017-07-25 09:07:43
  End Time greater equal than 2017-07-25 09:31:22.685

Operator: less equal than
Alternative operators: <=, lte, less equal
Example:
  Base Event Count less equal than or equal 50

Operator: starts with
Alternative operators: startwith
Example:
  message starts with FIN

Operator: does not start with
Alternative operators: n/a
Example:
  name does not start with FIN

Operator: ends with
Alternative operators: endswith
Example:
  message ends with out

Operator: does not end with
Alternative operators: n/a
Example:
  message does not end with out

Operator: contains
Alternative operators: contain, like, has substring
Example:
  name contains TCP

Operator: does not contain
Alternative operators: does not have
Example:
  name does not contain TCP

Operator: in list
Alternative operators: match, in list of
Examples:
  device vendor equals CISCO and source address in list customListName_customColumnName
  device vendor equals CISCO and source address in list badGuyIpList_badGuyIp

Operator: not in list
Alternative operators: not match, not in list of
Examples:
  source address not in list customListName_customColumnName
  source address not in list badGuyIpList_badGuyIp

Operator: in subnet
Alternative operators: n/a
Example:
  source address in subnet 10.0.0.0/8

Operator: not in subnet
Alternative operators: n/a
Example:
  source address not in subnet 10.0.0.0/8