select

The select command is used to scan raw events from indices based on keywords or terms. It will likely be the most common command you use and will be the first command in most searches.

It automatically checks whether each event is valid JSON and, if so, parses the first level of keys as fields. It also runs any per-index extraction logic to extract additional fields from the event.

Syntax

The select command may be followed by multiple index arguments structured like this:

systemd(foo bar)

The search terms are a space-separated list of keywords or terms to match against the raw event data. An event must contain all of the search terms in order to be returned. For the example above, the systemd index is searched and only events containing both the foo and bar tokens are returned.

The select command automatically breaks the contents between the parentheses into tokens, so you can use spaces or not as you see fit. It also strips symbols from the search terms, with one exception: any nested opening parenthesis must be matched by a corresponding closing parenthesis.

An index argument that contains a quoted string will only match events containing that exact phrase, symbols included. For example:

systemd("foo:bar")

will only return events containing the exact text foo:bar, while

systemd(foo:bar)

will return any event containing both foo and bar, because the term is broken into two separate tokens and the symbol is removed.

Duplicate index arguments

If a select command contains multiple instances of the same index argument, each argument is processed independently, so duplicate events are returned. For example:

| select systemd(foo bar) systemd(foo bar)

will return each event that contains both foo and bar twice, once per index argument.

Because of this behaviour, be careful when using multiple index arguments for the same index: an event whose contents match the keywords or terms of more than one argument is returned once for each argument that matches it.
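The tokenisation and phrase rules above, and the duplicate-argument behaviour, are easy to misread, so here is a small Python model of the documented semantics that can be run against constructed sample events. It is an added example for this page, not the search tool's own code: the in-memory index store, the `_raw` field name, the definition of a token as a run of word characters, case-sensitive matching and the acceptance of a leading `| select` are all assumptions made for illustration.

```python
"""Model of the documented `select` semantics: index arguments, tokenisation,
quoted exact phrases, first-level JSON fields and the duplicate-argument rule.

Added example for this page, not the search tool's own code. The in-memory
index store, the `_raw` field name, the word-character definition of a token
and case-sensitive matching are all assumptions made for illustration.
"""
import json
import re

# Constructed sample data: a few raw events per index.
INDEXES = {
    "systemd": [
        "Started foo.service for bar",
        '{"unit": "foo.service", "msg": "bar stopped"}',
        "bar restarted, foo:bar state",
        "foo only, no second term here",
    ],
    "syslog": [
        "kernel: complex_literal:with-other.stuff seen",
        "kernel: complex_literal with other stuff seen",
    ],
}

# Assumption: a token is a run of word characters; everything else is a symbol.
WORD_RE = re.compile(r"\w+")
QUOTED_RE = re.compile(r'"([^"]*)"')


def parse_terms(body):
    """Split the text between an index argument's parentheses into terms.

    Quoted strings become exact-phrase terms, symbols included. Everything
    else is broken into keyword tokens with symbols stripped, so `foo:bar`
    becomes the two tokens `foo` and `bar`.
    """
    terms = []

    def take_phrase(match):
        terms.append(("phrase", match.group(1)))
        return " "  # keep the surrounding text separated once the quote is removed

    rest = QUOTED_RE.sub(take_phrase, body)
    terms.extend(("token", tok) for tok in WORD_RE.findall(rest))
    return terms


def parse_select(args):
    """Parse `index(terms) index("phrase") ...` into [(index, terms), ...].

    The closing parenthesis of an argument is found by depth counting, which is
    why nested opening parentheses must be balanced; quoted text is skipped so
    a parenthesis inside a phrase is not counted.
    """
    parsed = []
    i, n = 0, len(args)
    while i < n:
        if args[i].isspace():
            i += 1
            continue
        name = WORD_RE.match(args, i)
        if not name or args[name.end():name.end() + 1] != "(":
            raise ValueError(f"expected index(...) at offset {i}")
        start = name.end()
        depth, in_quote, j = 0, False, start
        while j < n:
            ch = args[j]
            if in_quote:
                in_quote = ch != '"'
            elif ch == '"':
                in_quote = True
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0 or in_quote:
            raise ValueError(f"unbalanced parentheses or quotes in {name.group()}(...)")
        parsed.append((name.group(), parse_terms(args[start + 1:j])))
        i = j + 1
    return parsed


def event_matches(raw, terms):
    """An event matches only if every term matches: tokens against the
    symbol-stripped token set, phrases as exact substrings of the raw text."""
    tokens = set(WORD_RE.findall(raw))
    for kind, value in terms:
        if kind == "phrase" and value not in raw:
            return False
        if kind == "token" and value not in tokens:
            return False
    return True


def parse_event(raw):
    """Keep the raw text and, if the event is a JSON object, lift its
    first-level keys to fields (nested values are kept as-is)."""
    fields = {"_raw": raw}
    try:
        obj = json.loads(raw)
    except ValueError:
        return fields
    if isinstance(obj, dict):
        fields.update(obj)
    return fields


def select(query, indexes=INDEXES):
    """Run a select command; an optional leading `| select` is accepted.

    Each index argument is processed independently, so repeating an argument
    returns the same matching events again.
    """
    args = re.sub(r"^\s*\|?\s*select\s+", "", query)
    results = []
    for index, terms in parse_select(args):
        for raw in indexes.get(index, []):
            if event_matches(raw, terms):
                results.append(parse_event(raw))
    return results


if __name__ == "__main__":
    for q in ("| select systemd(foo bar)", 'systemd("foo:bar")',
              "systemd(foo bar) systemd(foo bar)",
              '| select systemd(foo bar) syslog("complex_literal:with-other.stuff")'):
        print(q, "->", len(select(q)), "event(s)")
```

Running the model over the sample data shows the three behaviours from this page side by side: `systemd(foo bar)` and `systemd(foo:bar)` return the same three events, `systemd("foo:bar")` returns only the one event containing that exact text, and repeating `systemd(foo bar)` doubles the result set.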

Example

| select systemd(foo bar) syslog("complex_literal:with-other.stuff")