16.1.4. Using the content search

To most effectively search in the contents of the audit trails, make sure that the following prerequisites are met:

  • Indexing was enabled in the connection policy related to the audit trail during the session, and

  • the audit trail has already been indexed.

If these prerequisites are met, you can use the following in content search:

  • wildcards

  • boolean expressions

  • search in the commands of terminal connections (for example, command:"sudo su")

  • search in the window titles of graphical connections (for example, title:settings)

The following sections provide examples for different search queries.

For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.

Searching for exact matches

By default, PSM searches for keywords as whole words and returns only exact matches. If your search keywords include special characters, you must escape them with a backslash (\) character. For details, see the section Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example 16.1. Searching for exact matches
Search expression: example
Matches: example
Does not match:
  • examples
  • example.com
  • query-by-example
  • exam

To search for an exact phrase, enclose the search keywords in double quotes.

Search expression on the web interface: "example command"
Search expression on the REST API: %22example%20command%22
Matches: example command
Does not match:
  • example
  • command
  • example: command

To search for a string that includes backslash characters, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface: C\:\\Windows
Search expression on the REST API: C%5C%3A%5C%5CWindows
Matches: C:\Windows

Combining search keywords

You can use the boolean operators AND, OR, NOT, and + (required) to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,

Example 16.2. Combining keywords in search
Search expression on the web interface: keyword1 AND keyword2
Search expression on the REST API: keyword1%20AND%20keyword2
Matches: hits that contain both keywords

Search expression on the web interface: keyword1 OR keyword2
Search expression on the REST API: keyword1%20OR%20keyword2
Matches: hits that contain at least one of the keywords

Search expression on the web interface: "keyword1 keyword2" NOT "keyword2 keyword3"
Search expression on the REST API: %22keyword1%20keyword2%22%20NOT%20%22keyword2%20keyword3%22
Matches: hits that contain the first phrase, but not the second

Search expression on the web interface: +keyword1 keyword2
Search expression on the REST API: %2Bkeyword1%20keyword2
Matches: hits that contain keyword1, and may contain keyword2

To search for a word that would otherwise be interpreted as a boolean operator (for example, AND), enclose it in double quotes: "AND".

Example 16.3. Using parentheses in search

Use parentheses to create more complex search expressions:

Search expression on the web interface: (keyword1 OR keyword2) AND keyword3
Search expression on the REST API: %28keyword1%20OR%20keyword2%29%20AND%20keyword3
Matches: hits that contain either keyword1 and keyword3, or keyword2 and keyword3

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Example 16.4. Using wildcard ? in search

The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.

You cannot use a * or ? symbol as the first character of a search.

Search expression on the web interface: example?
Search expression on the REST API: example%3F
Matches:
  • example1
  • examples
  • example?
Does not match:
  • example.com
  • example12
  • query-by-example

Search expression on the web interface: example??
Search expression on the REST API: example%3F%3F
Matches: example12
Does not match:
  • example.com
  • example1
  • query-by-example

Example 16.5. Using wildcard * in search

The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.

Search expression on the web interface: example*
Search expression on the REST API: example%2A
Matches:
  • example
  • examples
  • example.com
Does not match:
  • query-by-example
  • example*

Example 16.6. Using combined wildcards in search

Wildcard characters can be combined.

Search expression on the web interface: ex?mple*
Search expression on the REST API: ex%3Fmple%2A
Matches:
  • example1
  • examples
  • example.com
  • exemple.com
  • example12
Does not match:
  • exmples
  • query-by-example

Searching for special characters

To search for special characters, for example, the question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix them with a backslash (\). Any character after a backslash is handled as a literal character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example 16.7. Searching for special characters

To search for a special character, use a backslash (\).

Search expression on the web interface: example\?
Search expression on the REST API: example%5C%3F
Matches: example?
Does not match:
  • examples
  • example1

To search for a string that includes backslash characters, for example, a Windows path, use two backslashes (\\).

Search expression on the web interface: C\:\\Windows
Search expression on the REST API: C%5C%3A%5C%5CWindows
Matches: C:\Windows

To search for a string that includes slash characters, for example, a UNIX path, you must escape every slash with a backslash (\/).

Search expression on the web interface: \/var\/log\/messages
Search expression on the REST API: %5C%2Fvar%5C%2Flog%5C%2Fmessages
Matches: /var/log/messages

Search expression on the web interface: \(1\+1\)\:2
Search expression on the REST API: %5C%281%5C%2B1%5C%29%5C%3A2
Matches: (1+1):2

Searching in commands and window titles

For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].

You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.

Example 16.8. Searching in commands and window titles
Search expression on the web interface: command:"sudo su"
Search expression on the REST API: command%3A%22sudo+su%22
Matches: sudo su as a terminal command
Does not match: sudo su in general screen content

Search expression on the web interface: title:settings
Search expression on the REST API: title%3Asettings
Matches: settings appearing in the title of an active window
Does not match: settings in general screen content

To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.

Search expression on the web interface: properties AND NOT title:[* TO *]
Search expression on the REST API: properties%20AND%20NOT%20title%3A%5B%2A%20TO%20%2A%5D
Matches: properties appearing in the screen content, but not as a window title.
Does not match: properties in window titles.

You can also combine these search filters with other expressions and wildcards.

Search expression on the web interface: title:properties AND gateway
Search expression on the REST API: title%3Aproperties%20AND%20gateway
Matches: a screen where properties appears in the window title, and gateway in the screen content (or as part of the window title).
Does not match: screens where both properties and gateway appear, but properties is not in the window title.

Searching for fuzzy matches

Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.

Example 16.9. Searching for fuzzy matches
Search expression on the web interface: roam~
Search expression on the REST API: roam%7E
Matches:
  • roams
  • foam

Proximity search

Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.

Example 16.10. Proximity search
Search expression on the web interface: "keyword1 keyword2"~10
Search expression on the REST API: %22keyword1%20keyword2%22%7E10
Matches: hits that contain keyword1 and keyword2 within 10 words of each other

Adjusting the relevance of search terms

By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.

Example 16.11. Adjusting the relevance of search terms
Search expression on the web interface: keyword1^4 keyword2
Search expression on the REST API: keyword1%5E4%20keyword2
Matches: hits that contain keyword1 and keyword2, with keyword1 four times more relevant

Search expression on the web interface: "keyword1 keyword2"^5 "keyword3 keyword4"
Search expression on the REST API: %22keyword1%20keyword2%22%5E5%20%22keyword3%20keyword4%22
Matches: hits that contain the phrases keyword1 keyword2 and keyword3 keyword4, with keyword1 keyword2 five times more relevant
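The following Python script is an added example, not code from the PSM documentation or product. It serves the exact-match, special-character, command/title and REST API passages of this section: it escapes a literal value the way the guide prescribes, keeps wildcards only where they are wanted, applies the command: and title: prefixes and the AND NOT title:[* TO *] exclusion, and percent-encodes the result into the REST API form shown in the examples. It assumes nothing beyond the rules above; the function names and the backslash-escaping of a double quote inside phrase() are this example's own choices.

```python
"""Build PSM content-search expressions and their REST API encoding.

Added example, not part of the PSM documentation. A script that builds a
query from a value it did not type by hand (a path or a command copied
from an alert, for example) should escape that value first, so it can
never be read as wildcards, boolean operators or a field prefix.
"""

# Query-syntax characters listed in the guide as needing a backslash.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')

# Characters left as-is in the REST API query parameter. Everything else,
# including ~ and space, becomes %XX, which matches the forms in the guide
# (roam%7E, keyword1%20AND%20keyword2).
URL_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._"
)


def escape_term(literal: str) -> str:
    """Escape every special and whitespace character with a backslash so the
    keyword matches literally (C:\\Windows becomes C\\:\\\\Windows)."""
    return "".join(
        "\\" + ch if ch in LUCENE_SPECIAL or ch.isspace() else ch
        for ch in literal
    )


def wildcard_term(pattern: str) -> str:
    """Keep ? and * as wildcards, escape everything else, and reject a
    leading wildcard, which the guide says is not allowed."""
    if pattern[:1] in ("*", "?"):
        raise ValueError("a search expression cannot start with * or ?")
    return "".join(ch if ch in "*?" else escape_term(ch) for ch in pattern)


def phrase(words: str) -> str:
    """Quote words so they match as an exact phrase. Assumption of this
    example: a backslash or double quote inside the phrase is escaped."""
    return '"' + words.replace("\\", "\\\\").replace('"', '\\"') + '"'


def in_field(prefix: str, expression: str) -> str:
    """Restrict an expression to commands (command) or window titles (title)."""
    return f"{prefix}:{expression}"


def screen_content_only(expression: str) -> str:
    """Exclude hits that are window titles, the guide's
    keyword AND NOT title:[* TO *] form."""
    return f"{expression} AND NOT title:[* TO *]"


def rest_encode(expression: str) -> str:
    """Percent-encode a web-interface expression for the REST API."""
    return "".join(
        chr(b) if chr(b) in URL_UNRESERVED else f"%{b:02X}"
        for b in expression.encode("utf-8")
    )


if __name__ == "__main__":
    # Constructed inputs reproducing the examples given in this section.
    for web_form in (
        escape_term("C:\\Windows"),
        escape_term("/var/log/messages"),
        escape_term("(1+1):2"),
        wildcard_term("ex?mple*"),
        in_field("command", phrase("sudo su")),
        screen_content_only("properties"),
    ):
        print(f"{web_form:40} -> {rest_encode(web_form)}")
```

rest_encode() writes a space as %20; the guide's REST form of command:"sudo su" writes it as +, which a server decodes the same way in a query-string parameter. A value that is itself an operator word such as AND goes through phrase(), which is the double-quoting the guide prescribes for that case.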