# Craft search queries in Log Management

Radiant Security’s Log Management module provides a powerful, scalable log search engine for efficient retrieval of log data hosted with [Bring Your Own Bucket](https://help.radiantsecurity.ai/log-management/bring-your-own-bucket-byob/bring-your-own-bucket-for-log-management). Designed for security professionals investigating incidents, detecting threats, and monitoring activity, it enables fast searches through vast volumes of log data with rapid indexing and an intuitive, log-specific query syntax.

In this guide, you’ll learn how to craft search queries to find the log data you need. You’ll:

* Construct basic queries
* Use advanced techniques like range, wildcard, and proximity searches
* Search for security logs with common examples

{% hint style="info" %}
**Note:** Radiant Security’s Log Management functionality uses a syntax similar to Lucene.
{% endhint %}

### Basic Syntax

### Keyword Search

The simplest way to search is to enter keywords. For example:

```
msedge.exe
```

This query searches for logs containing the word `msedge.exe` anywhere in the fields.

### Field-Specific Search

To narrow your search to specific fields, use key-value pairs in the following format:

```
field_name:"value"
```

For example:

```
process.name:"chrome.exe"
```

This query filters on the `process.name` field for logs whose value is `chrome.exe`. Enclosing the search term in quotation marks matches the exact phrase `chrome.exe`.

### Boolean Logic

Combine multiple conditions using Boolean operators such as:

1. `AND`: Ensures all conditions are met.
2. `OR`: Matches if at least one condition is met.
3. `NOT`: Excludes results that match the condition.

```
endpoint.name:"SRV001" AND process.name:"chrome.exe"
```

This query uses the Boolean `AND` to return only logs where `endpoint.name` is `SRV001` and `process.name` is `chrome.exe`.

### Group Queries

Use parentheses `()` to group conditions for complex logic:

{% code overflow="wrap" %}

```
((src.process.name:"powershell.exe" OR tgt.process.name:"cmd.exe") AND user.name:"Administrator") NOT event.category:"file"
```

{% endcode %}

This query uses the Boolean operators `OR`, `AND`, and `NOT`. The parentheses group conditions to define the order of evaluation: the `OR` between `src.process.name:"powershell.exe"` and `tgt.process.name:"cmd.exe"` is evaluated first, that result is combined with the `AND` condition `user.name:"Administrator"`, and finally `NOT event.category:"file"` excludes file events from the result.

### Range Queries

Search for logs whose field values fall within a range, with bounds that are either **inclusive** or **exclusive**.

1. **Inclusive**: Includes both the lower and upper bounds in the search results. Inclusive range queries are denoted by square brackets `[...]`. For example:

   ```
   bytes_sent:[100 TO 1000]
   ```

   This query searches for events where the `bytes_sent` field has a value between `100` and `1000`, inclusive. It matches all records where `bytes_sent` is 100, 1000, or any number in between.
2. **Exclusive**: Excludes the lower and upper bounds in the search results. Exclusive range queries are denoted by curly brackets `{...}`. For example:

   ```
   rs_connectorType:ms365_exo_reporting AND Size:{20000 TO 50000}
   ```

   This query searches for logs where `rs_connectorType` is `ms365_exo_reporting` and the `Size` field has a value greater than `20000` and less than `50000`; records with a `Size` of exactly 20000 or 50000 are not matched.

### Wildcard Searches

The wildcard `*` matches any sequence of characters, allowing partial matches. For example:

```
rs_connectorType:ms365*
```

This query matches any `rs_connectorType` that begins with `ms365`.

### Phrase Searches

To search for a phrase containing a space, enclose the phrase within quotation marks `""`:

```
"process creation"
```

### Proximity Search

Search for words within a specific distance of each other:

```
"failed login"~5
```

This query searches for occurrences where the words `failed` and `login` appear within `5` words of each other. This locates phrases whose words are not immediately adjacent but still fall within the defined distance.
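To make the precedence, range and proximity rules above concrete, here is an added example in Python (not Radiant Security's code or search engine): a small evaluator that tokenises a query in this syntax and applies it to a few constructed events, covering keyword, field, Boolean, grouped, inclusive/exclusive range, wildcard, phrase and proximity terms. The event field names and values are made up for illustration.

```python
import re, itertools

EVENTS = [  # constructed sample events (hypothetical, not real Radiant data), keyed by dotted field name
    {"endpoint.name": "SRV001", "process.name": "chrome.exe", "user.name": "Administrator", "bytes_sent": 100},
    {"endpoint.name": "SRV002", "process.name": "msedge.exe", "message": "user bob failed an rdp login"},
    {"rs_connectorType": "ms365_exo_reporting", "Size": 20000, "event.category": "file"},
    {"rs_connectorType": "ms365_exo_reporting", "Size": 30000, "event.category": "process"},
]
# Tokens: parentheses, operators, or a term = optional field: prefix + quoted phrase (~N), [..]/{..} range or bare word
TOKEN = re.compile(r'\(|\)|AND\b|OR\b|NOT\b|(?:[\w.]+:)?(?:"[^"]*"(?:~\d+)?|[\[{][^\]}]*[\]}]|[^\s()]+)')

def match_term(term, event):                             # one term against one event
    field, sep, value = term.partition(":") if re.match(r'[\w.]+:', term) else ("", "", term)
    fields = list(event.values()) if not sep else [event[field]] if field in event else []
    if r := re.match(r'^([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])$', value):   # [..] inclusive, {..} exclusive
        lo, hi, inc_lo, inc_hi = float(r[2]), float(r[3]), r[1] == "[", r[4] == "]"
        in_range = lambda v: (v > lo or inc_lo and v == lo) and (v < hi or inc_hi and v == hi)
        return any(isinstance(v, (int, float)) and in_range(v) for v in fields)
    if p := re.match(r'^"([^"]*)"~(\d+)$', value):       # proximity: all words within N positions
        words, dist = p[1].split(), int(p[2])
        spots = lambda toks: [[i for i, t in enumerate(toks) if t == w] for w in words]
        return any(c and max(c) - min(c) <= dist for v in fields for c in itertools.product(*spots(str(v).split())))
    if value.startswith('"'):                            # quoted phrase: exact substring
        return any(value.strip('"') in str(v) for v in fields)
    if "*" in value or "?" in value:                     # wildcard: * = any run of characters, ? = one character
        return any(re.fullmatch(re.escape(value).replace(r"\*", ".*").replace(r"\?", "."), str(v)) for v in fields)
    return any(str(v) == value for v in fields)          # plain term: whole-value match

def parse(toks):                                         # recursive descent; returns predicate(event)
    def binop(l, r, fn): return lambda e: fn(l(e), r(e))  # fresh closure per node (avoids late binding)
    def atom():
        t = toks.pop(0)
        if t == "NOT": f = atom(); return lambda e: not f(e)
        if t == "(": f = expr(); toks.pop(0); return f    # pop the closing ')'
        return lambda e: match_term(t, e)
    def conj():                                          # AND and infix NOT bind tighter than OR
        f = atom()
        while toks and toks[0] in ("AND", "NOT"):        # `a NOT b` reads as a AND NOT b
            if toks[0] == "AND": toks.pop(0)             # a leading NOT is left for atom() to negate
            f = binop(f, atom(), lambda a, b: a and b)
        return f
    def expr():
        f = conj()
        while toks and toks[0] == "OR": toks.pop(0); f = binop(f, conj(), lambda a, b: a or b)
        return f
    return expr()

def search(query, events=EVENTS):                        # indices of the events the query matches
    pred = parse(TOKEN.findall(query))
    return [i for i, e in enumerate(events) if pred(e)]
```

Matching here is case-sensitive and, for plain terms, compares whole field values; a real Lucene-style index runs an analyzer (tokenising and lower-casing), so it matches more loosely than this toy.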
