Search Query Syntax
In addition to restricting output to a fixed time period, you can search the recorded events using Boolean query expressions. A set of predefined fields is always indexed for every event, and these fields can always be referenced in search queries. All elements in events are also indexed, so you can search on them as well. You can combine search queries with the time period restrictions described above to filter the results further.
To search using field names or element names, specify a query expression in this format:
<name>=<value>
To match the previous value of an element, add the "_old" suffix to the element name:
<name>_old=<value>
If a value contains whitespace or colons, you must enclose the whole name/value pair in double quotation marks:
"<name>=this value contains spaces"
"<name>=abc:xyz"
If a value contains double quotation marks, you must escape each quotation mark character with a backslash:
"<name>=this value contains the \" character"
To create arbitrarily nested Boolean query expressions, use AND, OR, NOT, and parentheses:
<name_a>=x AND (<name_b>=y OR <name_b>=z)
<name_a>=x NOT <name_b>=y
Predefined fields
This table shows the predefined fields:
Predefined field | Description |
---|---|
from | The name of the publisher that posted the event. |
to | The name of the subscriber that received the event. |
serverTime | The time the Event Hub server received the event. |
publisher | The name of the publisher as stated in the event itself. |
document | The document name of the event. |
operation | The operation of the event. |
clientTime | The time the publisher posted the event. |
trackingId | The tracking ID of the event. |
duplicateId | A unique identifier attached to the event when transferring between a publisher and a subscriber. |
serverId | A server-internal ID attached to the event, unique until the server is restarted. |
Example
To search for all item master create and update events with status 20 (released) sent from M3 to Event Analytics, specify this expression:
from=M3 AND to=EventAnalytics AND document=MITMAS AND (operation=CREATE OR operation=UPDATE) AND STAT=20
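Added example (not part of the original documentation or the product's own code): a small Python helper that builds query expressions from untrusted values using the quoting and escaping rules above, so that a value containing spaces or operator words stays inside a single term. The helper names, the field-name allow-list, the NOTE element and the refusal of backslashes and parentheses are assumptions of this sketch.

```python
import re

# Assumption: element names are plain identifiers (hypothetical allow-list).
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Whitespace, colons and double quotes trigger the quoting rules described above.
_NEEDS_QUOTES = re.compile(r'[\s:"]')
# The page does not say how these are parsed inside a value, so refuse them.
_UNDOCUMENTED = re.compile(r"[\\()]")


def term(name, value, old=False):
    """Return one <name>=<value> term, quoted and escaped per the rules above."""
    if not _NAME.fullmatch(name):
        raise ValueError(f"unexpected field name: {name!r}")
    value = str(value)
    if value == "" or _UNDOCUMENTED.search(value):
        raise ValueError(f"value not representable safely: {value!r}")
    pair = f"{name}_old={value}" if old else f"{name}={value}"
    if _NEEDS_QUOTES.search(value):
        # Quote the whole name/value pair and backslash-escape embedded quotes.
        pair = '"' + pair.replace('"', '\\"') + '"'
    return pair


def all_of(*exprs):
    """Join sub-expressions with AND."""
    return " AND ".join(exprs)


def any_of(*exprs):
    """Join sub-expressions with OR inside parentheses so the group nests safely."""
    return "(" + " OR ".join(exprs) + ")"


def released_item_events():
    """Rebuild the example expression from this page."""
    return all_of(
        term("from", "M3"),
        term("to", "EventAnalytics"),
        term("document", "MITMAS"),
        any_of(term("operation", "CREATE"), term("operation", "UPDATE")),
        term("STAT", 20),
    )


if __name__ == "__main__":
    print(released_item_events())
    # Constructed input: an operator-looking value stays inside one quoted term.
    print(term("NOTE", "x OR to=Other"))
```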