# Craft search queries in Log Management

Radiant Security’s Log Management module provides a powerful, scalable log search engine for efficiently retrieving log data hosted with [Bring Your Own Bucket](/log-management/bring-your-own-bucket-byob/bring-your-own-bucket-for-log-management.md). Designed for security professionals investigating incidents, detecting threats, and monitoring activity, it enables fast searches across large volumes of log data with rapid indexing and an intuitive, log-specific query syntax.

In this guide, you’ll learn how to craft search queries to find the log data you need. You’ll:

* Construct basic queries
* Use advanced techniques like range, wildcard, and proximity searches
* Search for security logs with common examples

{% hint style="info" %}
**Note:** Radiant Security’s Log Management functionality uses a syntax similar to Lucene.
{% endhint %}

### Basic Syntax

**Keyword Search**

The simplest way to search is to enter keywords. For example:

```
msedge.exe
```

This query returns logs that contain the term `msedge.exe` in any field.

### **Field-Specific Search**

To narrow your search to specific fields, use key-value pairs in the following format:

```
field_name:"value"
```

```
process.name:"chrome.exe"
```

This query uses the key `process.name` to filter for logs whose `process.name` value is `chrome.exe`. Enclosing the search term in quotation marks matches the exact phrase `chrome.exe` rather than its individual terms.

### **Boolean Logic**

Combine multiple conditions using Boolean operators such as:

1. `AND`: Ensures all conditions are met.
2. `OR`: Matches if at least one condition is met.
3. `NOT`: Excludes results that match the condition.

```
endpoint.name:"SRV001" AND process.name:"chrome.exe"
```

This query uses the Boolean `AND` to return only logs where `endpoint.name` is `SRV001` and `process.name` is `chrome.exe`; a log that satisfies just one of the two conditions is not returned.

### Group Queries

Use parentheses `()` to group conditions for complex logic:

{% code overflow="wrap" %}

```
((src.process.name:"powershell.exe" OR tgt.process.name:"cmd.exe") AND user.name:"Administrator") NOT event.category:"file"
```

{% endcode %}

This query uses all three Boolean operators: `OR`, `AND`, and `NOT`. The parentheses group conditions to define the logical ordering. The inner parentheses ensure that the `OR` between `src.process.name:"powershell.exe"` and `tgt.process.name:"cmd.exe"` is evaluated first, before the result is combined with the `AND` condition on `user.name:"Administrator"`. The outer parentheses make the trailing `NOT event.category:"file"` apply to the whole grouped result, so file events are excluded regardless of which process or user matched. Without the parentheses, `AND` binds more tightly than `OR`, and the query would match a different set of logs.
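To make the precedence rules concrete, here is an added example (my own code, not part of the Radiant Security product or this page) that parses queries in the syntax above into predicates and runs them over a handful of constructed events. It covers the keyword, field-specific, Boolean, and grouped forms from the sections above, and it evaluates the grouped query from this section alongside the same clauses without parentheses so the difference in results is visible. The event fields and values, and the operator precedence (prefix `NOT` tightest, then `AND`, then `OR`, with `X NOT Y` read as `X AND NOT Y`), are assumptions of the example; a bare keyword here is an exact, case-insensitive match against any field value, which is simpler than a real tokenized index.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
Pred = Callable[[Event], bool]

# Constructed sample events (hypothetical, not real telemetry), using the
# field names that appear in the queries on this page.
EVENTS: List[Event] = [
    {"id": "1", "src.process.name": "powershell.exe", "user.name": "Administrator", "event.category": "process"},
    {"id": "2", "src.process.name": "powershell.exe", "user.name": "Administrator", "event.category": "file"},
    {"id": "3", "tgt.process.name": "cmd.exe", "user.name": "svc_backup", "event.category": "process"},
    {"id": "4", "tgt.process.name": "cmd.exe", "user.name": "Administrator", "event.category": "network"},
    {"id": "5", "src.process.name": "chrome.exe", "user.name": "Administrator", "event.category": "process"},
]

# Tokens: parentheses, the three operators (whole words only), field:"phrase",
# field:value, a bare "phrase", or a bare keyword.
TOKEN_RE = re.compile(r'\(|\)|\b(?:AND|OR|NOT)\b|[\w.]+:"[^"]*"|[\w.]+:[^\s()]+|"[^"]*"|[^\s()]+')


class Parser:
    """Recursive-descent parser: OR binds loosest, AND/NOT tighter, prefix NOT
    tightest, parentheses override (assumed precedence, see lead-in)."""

    def __init__(self, query: str):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self) -> Pred:
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            lhs, rhs = node, self.parse_and()
            node = lambda e, l=lhs, r=rhs: l(e) or r(e)
        return node

    def parse_and(self) -> Pred:
        node = self.parse_not()
        while self.peek() in ("AND", "NOT"):
            op = self.take()
            rhs = self.parse_not()
            if op == "NOT":  # "X NOT Y" is shorthand for "X AND NOT Y"
                rhs = lambda e, r=rhs: not r(e)
            lhs = node
            node = lambda e, l=lhs, r=rhs: l(e) and r(e)
        return node

    def parse_not(self) -> Pred:
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda e: not inner(e)
        return self.parse_atom()

    def parse_atom(self) -> Pred:
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok.startswith('"'):  # bare phrase: compare against every field
            phrase = tok.strip('"').lower()
            return lambda e: any(str(v).lower() == phrase for v in e.values())
        if ":" in tok:  # field:value or field:"value", exact match on that field
            field, value = tok.split(":", 1)
            value = value.strip('"').lower()
            return lambda e: str(e.get(field, "")).lower() == value
        keyword = tok.lower()  # bare keyword: exact match against any field
        return lambda e: any(str(v).lower() == keyword for v in e.values())


def search(query: str, events: List[Event] = EVENTS) -> List[str]:
    """Return the ids of the events matching a Lucene-style query."""
    pred = Parser(query).parse()
    return [e["id"] for e in events if pred(e)]


GROUPED = '((src.process.name:"powershell.exe" OR tgt.process.name:"cmd.exe") AND user.name:"Administrator") NOT event.category:"file"'
UNGROUPED = 'src.process.name:"powershell.exe" OR tgt.process.name:"cmd.exe" AND user.name:"Administrator" NOT event.category:"file"'

if __name__ == "__main__":
    print("grouped  :", search(GROUPED))    # events 1 and 4
    print("ungrouped:", search(UNGROUPED))  # events 1, 2 and 4: the file event leaks in
```

The ungrouped form matches event 2 (a file event) because the `NOT` only binds to the `AND` chain on the right of the `OR`; the `powershell.exe` clause on the left is never filtered. When a query mixes operators, parenthesize every subexpression rather than relying on precedence.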

### Range Queries

Search for logs whose field value falls between a lower and an upper bound, with the bounds treated as either **inclusive** or **exclusive**.

1. **Inclusive**: Includes both the lower and upper bounds in the search results. Inclusive range queries are denoted by square brackets `[...]`. For example:

   ```
   bytes_sent:[100 TO 1000]
   ```

   This query searches for events where the `bytes_sent` field has a value between 100 and 1000, inclusive. This means it will match all records where the `bytes_sent` value is 100, 1000, or any number in between.
2. **Exclusive**: Excludes the lower and upper bounds in the search results. Exclusive range queries are denoted by curly brackets `{...}`. For example:

   ```
   rs_connectorType:ms365_exo_reporting AND Size:{20000 TO 50000}
   ```

   This query searches for logs from a specific `rs_connectorType:ms365_exo_reporting` where the `Size` field has a value greater than `20000` and less than `50000`.

### Wildcard Searches

The wildcard `*` matches any run of characters, allowing partial matches. For example:

```
rs_connectorType:ms365*
```

This query matches any `rs_connectorType` value that begins with `ms365`. Prefer a literal prefix before the `*` where you can: a leading wildcard such as `*reporting` cannot use the term index and forces the engine to scan every term in the field, which on Lucene-like engines is much slower over large log volumes.
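As an added example (my own code, not Radiant Security’s), the following evaluates single range and wildcard clauses against constructed events carrying the `rs_connectorType` and `Size` fields used above, then combines two clauses to reproduce the `rs_connectorType:ms365_exo_reporting AND Size:{20000 TO 50000}` query. It also accepts a bracket mixed with a brace (`[20000 TO 50000}`, inclusive lower bound and exclusive upper bound), which is standard Lucene syntax this page does not mention; the numeric-versus-string comparison rule and the case-sensitive wildcard match are assumptions of the example.

```python
import re
from typing import Callable, Dict, List, Union

Event = Dict[str, Union[str, int]]

# Constructed sample events (hypothetical values, not real connector output),
# using the two field names from the range and wildcard examples above.
EVENTS: List[Event] = [
    {"id": "a", "rs_connectorType": "ms365_exo_reporting", "Size": 20000},
    {"id": "b", "rs_connectorType": "ms365_exo_reporting", "Size": 20001},
    {"id": "c", "rs_connectorType": "ms365_entra_id", "Size": 49999},
    {"id": "d", "rs_connectorType": "ms365_exo_reporting", "Size": 50000},
    {"id": "e", "rs_connectorType": "okta_system_log", "Size": 30000},
]

# [lo TO hi] is inclusive, {lo TO hi} exclusive; the two ends may mix ([lo TO hi}).
RANGE_RE = re.compile(r"^([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])$")


def as_bound(text: str) -> Union[float, str]:
    """Bounds that parse as numbers compare numerically, others as strings (assumed rule)."""
    try:
        return float(text)
    except ValueError:
        return text


def matches_range(value: Union[str, int], spec: str) -> bool:
    m = RANGE_RE.match(spec)
    if m is None:
        raise ValueError(f"not a range clause: {spec}")
    open_br, lo, hi, close_br = m.groups()
    v, lo_b, hi_b = as_bound(str(value)), as_bound(lo), as_bound(hi)
    above = v >= lo_b if open_br == "[" else v > lo_b   # '[' includes the lower bound
    below = v <= hi_b if close_br == "]" else v < hi_b  # ']' includes the upper bound
    return above and below


def wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """'*' stands for any run of characters; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matches_wildcard(value: Union[str, int], pattern: str) -> bool:
    # Case-sensitive here; this page does not say whether the engine normalizes case.
    return wildcard_regex(pattern).match(str(value)) is not None


def search(field: str, spec: str, events: List[Event] = EVENTS) -> List[str]:
    """Ids of events whose `field` satisfies one range or wildcard clause."""
    test: Callable[[Union[str, int]], bool]
    if spec[:1] in ("[", "{"):
        test = lambda v: matches_range(v, spec)
    else:
        test = lambda v: matches_wildcard(v, spec)
    return [str(e["id"]) for e in events if field in e and test(e[field])]


def page_example(events: List[Event] = EVENTS) -> List[str]:
    """rs_connectorType:ms365_exo_reporting AND Size:{20000 TO 50000}, as a set intersection."""
    by_connector = set(search("rs_connectorType", "ms365_exo_reporting", events))
    by_size = set(search("Size", "{20000 TO 50000}", events))
    return sorted(by_connector & by_size)


if __name__ == "__main__":
    print("inclusive:", search("Size", "[20000 TO 50000]"))   # a b c d e
    print("exclusive:", search("Size", "{20000 TO 50000}"))   # b c e
    print("mixed    :", search("Size", "[20000 TO 50000}"))   # a b c e
    print("prefix   :", search("rs_connectorType", "ms365*"))  # a b c d
    print("page     :", page_example())                        # b
```

Events `a` and `d` sit exactly on the bounds, so they are the ones that flip between the inclusive and exclusive forms; when a range is meant to catch a threshold value such as a maximum message size, check which form you wrote.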

### Phrase Searches

To search for a phrase containing a space, enclose the phrase in quotation marks `""`:

```
"process creation"
```

### Proximity Search

Search for words within a specific distance of each other:

```
"failed login"~5
```

This query searches for occurrences where the words `failed` and `login` appear within 5 words of each other. The number after `~` is the allowed distance (the "slop"); with a slop of `0` the query behaves like the exact phrase `"failed login"`. Proximity search helps locate phrases even when the words are not immediately adjacent, for example `failed password attempt for user bob, login denied`.
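An added example (not the page’s own code) of how a proximity search decides a match, using the slop rule from Apache Lucene’s sloppy phrase matching, which I am assuming the engine follows: each term’s position is shifted back by the term’s offset in the phrase, and the phrase matches with slop N when some combination of occurrences spans at most N positions after shifting. A reversed pair (`login failed`) therefore costs a slop of 2, not 1, which is worth knowing when a query with `~1` misses log lines that put the words in the other order. The messages and the tokenizer are constructed for the example.

```python
import itertools
import re
from typing import List, Optional

# Constructed sample messages (hypothetical, not real log lines).
MESSAGES: List[str] = [
    "failed login for user bob from 10.0.0.5",                                 # adjacent, in order -> slop 0
    "login failed for user bob",                                               # adjacent, reversed -> slop 2
    "failed password attempt for user bob, login denied",                      # five words apart   -> slop 5
    "failed to rotate key; later a successful login by the service account",   # six words apart    -> slop 6
    "user bob login ok",                                                       # 'failed' absent    -> no match
]


def tokens(text: str) -> List[str]:
    """Lower-case word tokens; dots are kept so an IP address stays one token."""
    return re.findall(r"[a-z0-9.]+", text.lower())


def phrase_slop(text: str, phrase: str) -> Optional[int]:
    """Smallest slop at which `phrase` matches `text`, or None if a term is missing.

    For each query term at offset k, every occurrence at position p is shifted
    to p - k. The phrase matches with slop s if some choice of one occurrence
    per term has max(shifted) - min(shifted) <= s (Lucene rule, assumed here).
    """
    words = tokens(text)
    shifted: List[List[int]] = []
    for offset, term in enumerate(tokens(phrase)):
        occ = [i - offset for i, w in enumerate(words) if w == term]
        if not occ:
            return None
        shifted.append(occ)
    # Brute force over occurrence combinations; fine for single log lines.
    return min(max(combo) - min(combo) for combo in itertools.product(*shifted))


def proximity_search(phrase: str, slop: int, messages: List[str] = MESSAGES) -> List[int]:
    """Indexes of messages matching the query "phrase"~slop."""
    hits = []
    for idx, msg in enumerate(messages):
        distance = phrase_slop(msg, phrase)
        if distance is not None and distance <= slop:
            hits.append(idx)
    return hits


if __name__ == "__main__":
    for slop in (0, 1, 2, 5):
        print(f'"failed login"~{slop} ->', proximity_search("failed login", slop))
```

Run it and the `~1` line shows the trap: message 1 (`login failed`) needs `~2` even though the words are adjacent, so a rule meant to catch both orderings should use a slop of at least 2.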
