The Logger schema contains a predefined set of fields. You can add fields that are relevant to the events you collect on your Logger to its schema. A field-based search can only contain fields in Logger’s schema. For more information, see Adding Fields to the Schema.
The Logger indexing capability allows schema fields to be indexed. Logger’s search operation and reports use the indexed fields to yield significant search and reporting performance gains. Although you can include both indexed and non-indexed fields in a search query, search and reporting performance will be much faster if all fields in a query are indexed. For more information and a list of fields you can index, see Indexing.
You can specify multiple field conditions in one query expression by using the listed operators between them. The conditions can be nested; for example:
(name="John Doe" OR name="Jane Doe") AND message!="success"
Note: If a query includes the Boolean operator OR and the metadata identifiers (discussed in Constraints), the expression to be evaluated with OR must be enclosed in parentheses, as shown in this example:
(success OR fail) _storageGroup IN ["Default Storage Group"]
If the expression is not enclosed in parentheses, an error message displays.
Any literal operator in the table can be specified in upper-, lower-, or mixed case. To search for these words as literals in events, enclose them in double quotes (""). For example:
message CONTAINS "Between"
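An added example, not part of the Logger documentation: a small Python pre-check for the two rules above (an OR expression must be parenthesized when a metadata identifier is present, and operator words match in any letter case but are plain literals inside double quotes). The tokenizer is a simplification rather than Logger's own parser, and the names lint_query and METADATA_IDS are hypothetical.

```python
import re

# Token = double-quoted literal, a parenthesis, or a run of other characters.
_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')

# Metadata identifier shown on the page; extend the tuple for others you use.
METADATA_IDS = ("_storageGroup",)


def lint_query(query, metadata_ids=METADATA_IDS):
    """Return a list of problems found in a query string (empty list = none)."""
    problems = []
    depth = 0
    top_level_or = False
    has_metadata = False

    for tok in _TOKEN.findall(query):
        if tok.startswith('"'):
            continue  # quoted text is a literal, never an operator
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')'")
                depth = 0
        elif tok.lower() == "or" and depth == 0:
            top_level_or = True  # operator words match in any letter case
        elif tok in metadata_ids:
            has_metadata = True

    if depth > 0:
        problems.append("unbalanced '('")
    if top_level_or and has_metadata:
        problems.append("OR expression must be enclosed in parentheses "
                        "when a metadata identifier is present")
    return problems


# Constructed sample queries, modelled on the examples above.
SAMPLES = [
    '(success OR fail) _storageGroup IN ["Default Storage Group"]',
    'success or fail _storageGroup IN ["Default Storage Group"]',
    'message CONTAINS "this OR that" _storageGroup IN ["Default Storage Group"]',
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", lint_query(q) or "ok")
```

Running such a check before saving a query into a scheduled search or alert catches the parenthesization error at authoring time instead of when the search runs.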