Updated on 2024-02-28 GMT+08:00

Phrase Search

Phrase search is used to precisely match the target phrase. For example, the search statement abc def matches all logs that contain both abc and def regardless of the sequence. For details about the differences between phrase search and keyword search, see Table 1.

  • Phrase search: It is implemented based on the keyword search syntax. Phrase search can distinguish the sequence of keywords and is used to accurately match target phrases, making the search result more accurate. Phrase search is applicable to English phrases and Chinese phrases, but cannot be used together with fuzzy search.
  • Keyword search: Keyword search is implemented based on word segmentation. Delimiters are used to split the search content into multiple keywords for log matching. Keyword search does not distinguish the sequence of keywords. Therefore, as long as a keyword can be matched in a log based on the AND or NOT logic, the log can be found.
    Table 1 Differences between two search modes

    Search Mode

    Phrase Search

    Keyword Search

    Differences

    Distinguishes the sequence of keywords and is used to accurately match target phrases, making the search result more accurate.

    Does not distinguish the sequence of keywords. The keyword is matched based on the search logic.

    Examples

    Assume that your log stream contains the following two raw logs:

    • Raw log 1: this service is lts
    • Raw log 2: lts is service

    If you search for the phrase #"is lts", one log is matched.

    If you search for the keyword is lts, two logs are matched.

    If you search for the phrase #"lts is", one log is matched.

    If you search for the keyword lts is, two logs are matched.

    This function is available only in regions AF-Johannesburg, AP-Singapore, CN-Hong Kong, CN East-Shanghai1, LA-Mexico City1, LA-Mexico City2, LA-Santiago, and LA-Sao Paulo1.

Search Syntax

Table 2 Search Mode

Search Mode

Description

Full-text search

  • #"abc def"
  • content:#"abc def"
NOTE:

content is a built-in field corresponding to the original log text. #"abc def" is equivalent to content:#"abc def" and matches the original log content by default.

Field Search

key:#"abc def"

NOTE:
  • The value cannot be empty.
  • When field search is used together with the not operator, logs that do not contain this field are matched.

Restrictions

  • Fuzzy search cannot be used together with phrase search.

    The asterisk (*) and question mark (?) in phrase search are regarded as common characters. Therefore, phrase search does not support fuzzy search and can be used to search for the asterisk (*) and question mark (?) in logs.

  • Phrase search does not support search by delimiter.

    For example, in the search statement #"var/log", / is a delimiter. The search statement is equivalent to #"var log", and is used to search for logs containing the target phrase var log. Similarly, search statements such as #"var:log" and #"var;log" are used to search for logs that contain the target phrase var log.

  • Phrase search is recommended for search in Chinese.

    By default, unary word segmentation is used for Chinese characters. Each Chinese character is segmented separately. During the search, logs that contain each Chinese character in the search statement are matched, which is similar to fuzzy search. When more accurate results are required, phrase search is recommended.

Example

Table 3 Search description

Search Requirement

Search Statement

Logs in which the value of User-Agent contains the phrase Mon, 17 Apr 2023.

User-Agent:#"Mon, 17 Apr 2023"

Logs in which the value of User-Agent contains the phrase Mozilla/5.0.

User-Agent:#"Mozilla/5.0"

Logs in which the value of week contains the phrase Monday.

week:#"Monday"