Crafting search queries in Log Management

Learn how to effectively query Log Management to filter and sort through log data to find the information you need.

Radiant Security’s Log Management module provides a powerful, scalable log search engine for efficient retrieval of log data hosted with Bring Your Own Bucket. Designed for security professionals investigating incidents, detecting threats, and monitoring activity, it enables fast searches through large volumes of log data, with rapid indexing and an intuitive, log-specific query syntax.

In this guide, you’ll learn how to craft search queries to find the log data you need. You’ll:

  • Construct basic queries
  • Use advanced techniques like range, wildcard, and proximity searches
  • Search for security logs with common examples

Table of Contents

  1. Basic Syntax
  2. Group Queries
  3. Range Queries
  4. Wildcard Searches
  5. Phrase Searches
  6. Fuzzy Searches
  7. Proximity Search

Note: Radiant Security’s Log Management functionality uses a syntax similar to Lucene.

Basic Syntax

Keyword Search

The simplest way to search is to enter keywords. For example:

msedge.exe

This query returns logs that contain the term msedge.exe in any field.

Field-Specific Search

To narrow your search to a specific field, use a key-value pair of the form:

field_name: "value"

For example:

process.name: "chrome.exe"

This query uses the key process.name to return only logs whose process.name field contains chrome.exe. Enclosing the search term in quotation marks matches the exact phrase chrome.exe.

Boolean Logic

Combine multiple conditions using the Boolean operators:

  • AND: Matches only if all conditions are met.
  • OR: Matches if at least one condition is met.
  • NOT: Excludes results that match the condition.

For example:

endpoint.name: "SRV001" AND process.name: "chrome.exe"

This query uses AND to return only logs where endpoint.name is SRV001 and process.name is chrome.exe; a log that satisfies just one of the two conditions is not returned.

Group Queries

Use parentheses () to group conditions for complex logic:

((src.process.name: "powershell.exe" OR tgt.process.name: "cmd.exe") AND user.name: "Administrator") NOT event.category: "file"

This query combines the operators OR, AND, and NOT. The parentheses define the order of evaluation: the OR between src.process.name: "powershell.exe" and tgt.process.name: "cmd.exe" is evaluated first, the result is then combined with the AND condition on user.name: "Administrator", and finally NOT event.category: "file" removes file events from that result. Without the parentheses the query parser decides how the operators combine, and the result may not be the one you intended, so group conditions explicitly whenever a query mixes operators.

Range Queries

Search for logs whose field value falls between a lower and an upper bound. Each bound can be either included in or excluded from the range.

  • Inclusive: Includes both the lower and upper bounds in the search results. Inclusive range queries are denoted by square brackets [...]. For example:

    bytes_sent: [100 TO 1000]

    This query searches for events where bytes_sent is between 100 and 1000 inclusive: it matches records where bytes_sent is 100, 1000, or any value in between.

  • Exclusive: Excludes the lower and upper bounds from the search results. Exclusive range queries are denoted by curly brackets {...}. For example:

    rs_connectorType:ms365_exo_reporting AND Size:{20000 TO 50000}

    This query searches for logs whose rs_connectorType is ms365_exo_reporting and whose Size field is greater than 20000 and less than 50000; records with a Size of exactly 20000 or 50000 are not returned.
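To make the behaviour of field searches, Boolean operators, grouping, and the two kinds of range concrete, here is an added example (not code from the original page and not Radiant Security's implementation): a small Lucene-style query evaluator in Python that runs the queries from the sections above over five constructed log records. It is a deliberate simplification of a real search engine: the parser applies a conventional precedence (NOT, then AND, then OR) and reads an infix "a NOT b" as "a AND NOT b", field values are compared case-insensitively as whole strings, and ranges are numeric only. The record fields, the sample values, and the function names (search, Parser, matches) are assumptions made for the example.

```python
import re

# Constructed sample records standing in for indexed log events (not real telemetry).
FIELDS = ("id", "endpoint.name", "user.name", "process.name", "src.process.name",
          "tgt.process.name", "event.category", "bytes_sent")
LOGS = [dict(zip(FIELDS, row)) for row in [
    (1, "SRV001", "Administrator", "chrome.exe", "explorer.exe", "chrome.exe", "process", 100),
    (2, "SRV001", "Administrator", "powershell.exe", "powershell.exe", "cmd.exe", "process", 512),
    (3, "SRV001", "Administrator", "powershell.exe", "powershell.exe", "notepad.exe", "file", 1000),
    (4, "WKS042", "alice", "cmd.exe", "explorer.exe", "cmd.exe", "process", 1001),
    (5, "WKS042", "bob", "msedge.exe", "msedge.exe", "chrome.exe", "network", 20000),
]]

KEYWORDS = ("AND", "OR", "NOT", "TO")
# A token is a quoted phrase, a bracket, or a bare word with an optional trailing colon (a field name).
TOKEN_RE = re.compile(r'"(?P<quoted>[^"]*)"|(?P<punct>[()\[\]{}])|(?P<word>[^\s()\[\]{}":]+)(?P<colon>:)?|(?P<bad>\S)')

def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):  # whitespace between tokens is skipped by the regex
        if m.group("bad"):
            raise ValueError(f"unexpected character {m.group('bad')!r}")
        if m.group("quoted") is not None:
            tokens.append(("TERM", m.group("quoted")))
        elif m.group("punct"):
            tokens.append(("PUNCT", m.group("punct")))
        elif m.group("colon"):
            tokens.append(("FIELD", m.group("word")))
        else:
            tokens.append(("OP" if m.group("word") in KEYWORDS else "TERM", m.group("word")))
    return tokens

class Parser:
    """Recursive descent: NOT binds tightest, then AND, then OR (a conventional precedence, assumed here)."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else (None, None)
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("OP", "OR"):
            self.take()
            node = ("OR", node, self.and_expr())
        return node
    def and_expr(self):  # "a AND b"; an infix "a NOT b" is read as "a AND NOT b"
        node = self.unary()
        while self.peek() in (("OP", "AND"), ("OP", "NOT")):
            right = ("NOT", self.unary()) if self.take()[1] == "NOT" else self.unary()
            node = ("AND", node, right)
        return node
    def unary(self):
        if self.peek() == ("OP", "NOT"):
            self.take()
            return ("NOT", self.unary())
        return self.primary()
    def primary(self):
        kind, text = self.take()
        if (kind, text) == ("PUNCT", "("):
            node = self.or_expr()
            if self.take() != ("PUNCT", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "FIELD":
            return ("FIELD", text, self.value())
        if kind == "TERM":
            return ("ANY", text)  # bare keyword: match against every field
        raise ValueError(f"unexpected token {text!r}")
    def value(self):  # "term", or a range: [lo TO hi] inclusive, {lo TO hi} exclusive, or mixed
        kind, text = self.take()
        if kind == "TERM":
            return ("EQ", text)
        if kind == "PUNCT" and text in "[{":
            lo, to, hi, close = self.take()[1], self.take(), self.take()[1], self.take()[1]
            if to != ("OP", "TO") or close not in ("]", "}"):
                raise ValueError("malformed range")
            return ("RANGE", lo, hi, text == "[", close == "]")
        raise ValueError(f"unexpected token {text!r}")

def matches(node, rec):
    kind = node[0]
    if kind == "AND":
        return matches(node[1], rec) and matches(node[2], rec)
    if kind == "OR":
        return matches(node[1], rec) or matches(node[2], rec)
    if kind == "NOT":
        return not matches(node[1], rec)
    if kind == "ANY":
        return any(node[1].lower() in str(v).lower().split() for v in rec.values())
    field, value = node[1], node[2]
    if field not in rec:
        return False
    if value[0] == "EQ":  # case-folded comparison of the whole value (a simplification of real analysis)
        return str(rec[field]).lower() == value[1].lower()
    _, lo, hi, lo_inclusive, hi_inclusive = value  # numeric ranges only in this example
    a, low, high = float(rec[field]), float(lo), float(hi)
    return (low <= a if lo_inclusive else low < a) and (a <= high if hi_inclusive else a < high)

def search(query, logs=LOGS):
    """Parse the query once, then return the ids of the records it matches."""
    parser = Parser(query)
    tree = parser.or_expr()
    if parser.peek() != (None, None):
        raise ValueError(f"unexpected token {parser.peek()[1]!r}")
    return [rec["id"] for rec in logs if matches(tree, rec)]
```

Running the grouped query from the Group Queries section, search('((src.process.name: "powershell.exe" OR tgt.process.name: "cmd.exe") AND user.name: "Administrator") NOT event.category: "file"'), returns only record 2; the same query with the parentheses stripped also returns record 3, the file event, because the OR is then applied last. The mixed range bytes_sent: [100 TO 1000} (inclusive lower bound, exclusive upper bound) follows the same bracket rules and is accepted by the parser as an assumption carried over from Lucene.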

Wildcard Searches

The wildcard * stands for any sequence of characters, including none, and allows partial matches on a term. For example:

rs_connectorType:ms365*

This query matches any rs_connectorType value that begins with ms365, such as ms365_exo_reporting. Place the wildcard at the end of the term where you can: a leading wildcard (*reporting) forces the engine to examine every indexed term and is far more expensive, and Lucene-based engines commonly disable it by default.

Phrase Searches

To search for an exact phrase, enclose the phrase in double quotation marks (""):

"process creation"

This query matches logs in which the words process and creation appear together, in that order, rather than logs that merely contain both words somewhere.

Fuzzy Searches

Fuzzy search finds terms that are similar to the search keyword by allowing minor differences, such as typos or spelling variations. It is written by appending a tilde ~ to a single term:

process.name: "chrom~"

Fuzzy matching applies to one term, not to a multi-word phrase. If your query parser follows standard Lucene rules, write the term without quotation marks (process.name: chrom~); a tilde placed after a closing quotation mark is read as a proximity search instead (see Proximity Search below).

Specific Distance Search

Control the level of fuzziness in a fuzzy search by specifying a number (0, 1, or 2) after the tilde ~, where:

  • 0 allows no edits (exact match).
  • 1 allows one edit (e.g., one character change, addition, or deletion).
  • 2 allows up to two edits for a match.

For example:

process.name: "chrom~2"

chrom~2 matches terms that are within two character edits of chrom. In Lucene syntax a tilde with no number, as in chrom~, also allows up to two edits.

Proximity Search

Search for words within a specific distance of each other:

"failed login"~5

This query searches for occurrences where the words failed and login appear within 5 words of each other. This helps to locate phrases even if the words are not immediately adjacent but still close within the defined distance. The distance counts the position moves needed to line the words up with the phrase, so a large enough distance also matches the words in reverse order (login failed needs a distance of 2), and a distance of 0 is the same as an exact phrase search.
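The three term-level operators from the Wildcard, Fuzzy, and Proximity sections can be exercised outside the product. The following added example (not code from the original page and not Radiant Security's implementation) shows each one against constructed sample terms and messages: * is expanded to a regular expression, the fuzzy distance is a plain Levenshtein edit distance capped at 2 (Lucene's FuzzyQuery additionally counts a transposition as a single edit, which this example omits), and the proximity distance is computed the way Lucene defines slop, as the number of position moves needed to line the phrase's words up in the text. The vocabulary, the messages, the simple word tokenizer, and the function names are assumptions made for the example.

```python
import itertools
import re

# Constructed sample data (not real telemetry): indexed terms and free-text messages.
PROCESS_TERMS = ["chrome", "chrom", "chrme", "chromium", "cmd", "msedge"]
CONNECTOR_TERMS = ["ms365_exo_reporting", "ms365_signin", "okta_system_log"]
MESSAGES = [
    "failed login for user alice from 10.0.0.5",
    "login attempt failed after 3 retries",
    "login succeeded for user bob",
    "authentication failed: password expired; subsequent login blocked",
]

def wildcard_match(pattern, term):
    """Wildcard as on this page: '*' stands for any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, term, re.IGNORECASE) is not None

def wildcard_candidates(pattern, terms=CONNECTOR_TERMS):
    """Indexed terms that a wildcard query such as ms365* would expand to."""
    return [t for t in terms if wildcard_match(pattern, t)]

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute); Lucene also counts a transposition as one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_candidates(term, max_edits=2, terms=PROCESS_TERMS):
    """term~N: vocabulary entries within N edits; a bare tilde (term~) defaults to 2 as in Lucene."""
    if max_edits not in (0, 1, 2):
        raise ValueError("fuzzy distance must be 0, 1 or 2")
    return sorted(t for t in terms if levenshtein(term.lower(), t.lower()) <= max_edits)

def words(text):
    """Simplistic tokenizer (assumed for the example): lower-cased runs of letters, digits and dots."""
    return re.findall(r"[a-z0-9.]+", text.lower())

def phrase_slop(phrase, text):
    """Fewest position moves that line the phrase's words up in the text; None if a word is absent."""
    terms = phrase.lower().split()
    positions = [[p for p, w in enumerate(words(text)) if w == t] for t in terms]
    if not all(positions):
        return None
    best = None
    for combo in itertools.product(*positions):
        shifts = [p - i for i, p in enumerate(combo)]  # each word's offset from its slot in the phrase
        width = max(shifts) - min(shifts)
        if best is None or width < best:
            best = width
    return best

def proximity_candidates(phrase, slop, texts=MESSAGES):
    """\"phrase\"~slop: indices of the texts that match; slop 0 is the exact phrase search."""
    hits = []
    for i, text in enumerate(texts):
        distance = phrase_slop(phrase, text)
        if distance is not None and distance <= slop:
            hits.append(i)
    return hits
```

With these inputs, wildcard_candidates("ms365*") expands to the two ms365 connectors; fuzzy_candidates("chrom", 1) returns chrom and chrome while fuzzy_candidates("chrom", 2) also admits the misspelling chrme; and proximity_candidates("failed login", 5) matches the first, second, and fourth messages, whereas a distance of 2 keeps only the first, because "login attempt failed" needs 3 position moves to become "failed login".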


We value your opinion. If you have feedback on this article, or questions about querying Log Management, contact our Product and Customer Success teams at support@radiantsecurity.ai


Last updated: 2025-01-13