Understand Search Queries

You must have the Manage Search Queries permission.

A search query is a set of conditions used to select events when you run a search. For example, you can enter a very simple term to match such as “login” or an IP address. Alternatively, you can specify a complex query to match events that include multiple IP addresses and reference a lookup list. In the search query, you can enter the alias, or abbreviated term, for a field name rather than entering the full name. You can also use the presentable field names, such as Agent Address.

Your query input determines the search type: full text, natural language, or contextual. As you specify the fields and values for the query, Search suggests search items and operators based on a schema data dictionary.
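The mechanics described above (conditions selecting events, an alias or presentable name standing in for a full field name, a condition that references a lookup list, and suggestions drawn from a schema dictionary) can be seen in a small evaluator. This is an added illustration, not the product's own query engine or syntax: the field names, aliases, lookup list, operators and sample events are all constructed here.

```python
# Added example (not the product's code): a minimal query evaluator that shows
# how conditions select events, how aliases and presentable names resolve to
# full field names, and how a condition can reference a lookup list.
# Every name below is constructed for illustration.
import ipaddress

# Constructed schema dictionary: full field name -> (alias, presentable name)
FIELD_SCHEMA = {
    "agentAddress": ("agt", "Agent Address"),
    "sourceAddress": ("src", "Source Address"),
    "destinationAddress": ("dst", "Destination Address"),
    "name": ("name", "Name"),
    "sourceUserName": ("suser", "Source User Name"),
}

# Constructed lookup list: addresses an analyst wants to watch for
LOOKUP_LISTS = {
    "watchlist_ips": {"10.0.0.5", "192.0.2.44"},
}


def resolve_field(name):
    """Map a full name, alias, or presentable name to the full field name."""
    key = name.strip().lower()
    for full, (alias, presentable) in FIELD_SCHEMA.items():
        if key in (full.lower(), alias.lower(), presentable.lower()):
            return full
    raise KeyError(f"unknown field: {name!r}")


def suggest(prefix):
    """Schema names starting with prefix (the kind of auto-suggest a UI offers)."""
    p = prefix.lower()
    out = []
    for full, (alias, presentable) in FIELD_SCHEMA.items():
        for cand in (full, alias, presentable):
            if cand.lower().startswith(p) and cand not in out:
                out.append(cand)
    return sorted(out)


def match_condition(event, cond):
    """Evaluate one condition against one event.

    A condition without a field is a bare term matched against every value
    (full-text style); a condition with a field is evaluated with its operator.
    """
    if "field" not in cond:
        term = str(cond["value"]).lower()
        return any(term in str(v).lower() for v in event.values())
    value = event.get(resolve_field(cond["field"]))
    op = cond.get("op", "=")
    if op == "=":
        return value == cond["value"]
    if op == "in_list":  # membership in a named lookup list
        return value in LOOKUP_LISTS[cond["value"]]
    if op == "in_cidr":  # address inside a network range
        return value is not None and (
            ipaddress.ip_address(value) in ipaddress.ip_network(cond["value"])
        )
    raise ValueError(f"unsupported operator {op!r}")


def run_search(events, query):
    """Return the events that satisfy every condition in the query (AND)."""
    return [e for e in events if all(match_condition(e, c) for c in query)]


# Constructed sample events
EVENTS = [
    {"name": "User login", "sourceAddress": "10.0.0.5",
     "agentAddress": "10.0.0.1", "sourceUserName": "alice"},
    {"name": "User login", "sourceAddress": "10.0.0.9",
     "agentAddress": "10.0.0.1", "sourceUserName": "bob"},
    {"name": "Port scan", "sourceAddress": "192.0.2.44",
     "agentAddress": "10.0.0.2", "sourceUserName": ""},
]

if __name__ == "__main__":
    simple = [{"value": "login"}]
    complex_query = [
        {"field": "Agent Address", "value": "10.0.0.1"},
        {"field": "src", "op": "in_list", "value": "watchlist_ips"},
    ]
    print("simple term:", [e["sourceUserName"] for e in run_search(EVENTS, simple)])
    print("complex query:", [e["sourceUserName"] for e in run_search(EVENTS, complex_query)])
    print("suggestions for 'agent':", suggest("agent"))
```

The simple term "login" matches both login events because it is checked against every value; the complex query narrows to the single event whose agent is 10.0.0.1 and whose source address is on the watch list, with "Agent Address" and "src" both resolving to their full field names first.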

Search provides default queries, labeled as system. However, you can save your own queries, which you can load into another search. You have the option to clone, modify, or remove a saved query at any time.