How to Search in Alerting

Search by Field | String matching | Exact matching | Full text search | Suffix matching | Prefix matching | Range searches | Date searches | Boolean operators | Nested queries | Query limits

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot-separated.

Examples:

  • action.type: SLACK
  • ruleSeverity: HIGH
  • ruleName: rule1*

String Matching

Use single or double quotes around your query to match a string with more than one word.  

Examples:

  • updatedById: "jsmith"
  • aggregationGroup: `hostname`
  • action.emailRecipient: "[email protected]"
  • If you want to search for the exact count, use an asterisk (*). To find rule names starting with rule1, use:
    ruleName: rule1*

Wildcards can only be used for prefix and suffix matching. We do not support sub-string wildcards, which means you cannot search for a string in the middle of another string.

Exact Matching

Use backticks to exactly match a string. Your results will include any alert with the EXACT value returned.

Examples:

  • ruleName: `my first rule`
  • createdById: `jsmith`

Full-Text Search

Many alerting fields containing text allow you to use full-text and advanced search capabilities. We'll perform the broadest search if your query does not include single or double quotes.

Examples:

  • Find rules with name
    ruleName: my first rule
  • Find rules that contain parts of the name
    ruleName: "my first rule"
  • Find rules that match the exact value
    ruleName: `my first rule`

Suffix matching

Suffix matching is supported. To match values "ending in" a string you specify, use a string that starts with *. Matches are case-sensitive.

Example:

  • This query matches results with a rule name ending in "Rule," like ActivityRule, XYZ Rule.
    name:*Rule

Prefix matching

Prefix matching is supported when searching alerting tokens using specific text fields. To match rule values "starting with" a string you specify, use a string that ends with *. Matches are case-sensitive.

Examples:

  • This query matches a rule name starting with "Rule" like Rule1, Rule – Active, etc.
    ruleName:Rule*
  • This query matches rules with rule descriptions starting with "this"
    ruleDescription: this*

Range searches

Specify ranges with the [lower .. upper] syntax, using () for exclusive bounds and [] for inclusive bounds, as follows. This is supported for numeric and date fields.

interfaces.address and software.version are text fields, not numeric fields. You cannot perform range searches for these. See String matching to search text fields.

Examples:

  • Greater than but not equal to 123 and less than but not equal to 1234.
    matches:(123 .. 1234)
  • Greater than but not equal to 123 and less than or equal to 1234.
    matches:(123 .. 1234]
  • Greater than or equal to 123 and less than but not equal to 1234.
    matches:[123 .. 1234)
  • Greater than or equal to 123 and less than or equal to 1234.
    matches:[123 .. 1234]
  • Greater than 123.
    matches > 123
  • Greater than or equal to 123.
    matches >= 123
  • Less than 1234.
    matches < 1234
  • Less than or equal to 1234.
    matches <= 1234
  • Between January 1st and April 1st 2018.
    statusDate: [2018-01-01 .. 2018-04-01]

Date Searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.

Examples:

  • statusDate:"2018-11-20"
  • statusDate <= "2018-10-20"
  • statusDate:["2018-11-20" .. "2018-11-24"]
  • statusDate:[now-3d .. now-1s]

Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search. 

Examples:

  • NOT status:ERROR AND createdById:jsmith
  • matches>3 AND (status:RETRYING OR status:ERROR)

Nested Queries

Use parentheses to include multiple fields in a single nested query, as in the example below.

Example: 

  • action:(Message:to operations team AND name:Rule1*)

Query Limits

  • Maximum query length allowed: 4096 characters
  • Maximum field value length allowed: 256 characters
  • Good to know:
    • If your query exceeds a limit, an error message is shown, and you won't get search results.
    • These query limits apply to queries created using these apps: AV, TP, CA, and VM dashboard.
    • Spaces in between characters are counted as characters.
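
Because a query that breaks a limit returns an error instead of results, saved or generated queries can be checked before they are submitted. The following is an added example, not code from the product: it checks a query against the two limits above, the prefix/suffix-only wildcard rule, and unclosed range brackets. Its tokenizer is a simplified assumption (it reads only the first word of an unquoted value), and it assumes that surrounding quotes do not count toward the value length and that * is literal inside backticks.

```python
import re

MAX_QUERY_LEN = 4096  # "Maximum query length allowed" on this page
MAX_VALUE_LEN = 256   # "Maximum field value length allowed" on this page

# Simplified tokenizer (an assumption, not the product's parser): a field name,
# a colon, then a quoted or backticked string, a range, or one bare token.
PAIR = re.compile(r"""
    ([A-Za-z_][\w.]*)\s*:\s*                # field, dot-separated when nested
    ( "[^"]*" | '[^']*' | `[^`]*`           # quoted or exact (backtick) value
    | [\[(][^\[\]()]*\.\.[^\[\]()]*[\])]?   # range; closing bracket may be lost
    | [^\s()\[\]]+ )                        # bare token (first word only)
""", re.VERBOSE)


def lint_query(query):
    """Return a list of problems found in one alerting search query."""
    problems = []
    if len(query) > MAX_QUERY_LEN:  # spaces count toward the limit
        problems.append(f"query is {len(query)} chars, limit {MAX_QUERY_LEN}")
    for field, value in PAIR.findall(query):
        if value[0] in "[(":
            if value[-1] not in "])":
                problems.append(f"{field}: range {value!r} is not closed")
            continue
        exact = value[0] == "`"  # assumption: * is literal inside backticks
        if len(value) > 1 and value[0] in "\"'`" and value[-1] == value[0]:
            value = value[1:-1]  # assumption: quotes do not count as value
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"{field}: value is {len(value)} chars, "
                            f"limit {MAX_VALUE_LEN}")
        # Wildcards: prefix (abc*) or suffix (*abc) only, never mid-string.
        both_ends = len(value) > 1 and value[0] == value[-1] == "*"
        if not exact and ("*" in value[1:-1] or both_ends):
            problems.append(f"{field}: sub-string wildcard in {value!r}")
    return problems


# Constructed sample queries, built from the field names used on this page.
SAMPLES = [
    "ruleName: rule1* AND ruleSeverity: HIGH",
    "ruleName: *first*",
    "matches:[123 .. 1234",
    "action:(Message:to operations team AND name:Rule1*)",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", lint_query(q) or "ok")
```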