Save and manage searches
SolarWinds Observability provides you with the ability to save the search criteria you use in searches performed in the various explorers. If you want to run the same search at another time, saving the search eliminates the need for you to remember the exact criteria you used. Your saved searches are easily accessed within the same explorer where you originally created the search.
Saved searches can be used by other members of your organization, which can improve efficiency, but can be set to private, if needed.
Save a search
When conducting a search, enter the desired search criteria in the search field and press Enter. Anything meeting the search criteria is displayed. Within the list, check the check boxes next to the items you want to compare.
To save the search, click the Saved Searches folder icon (
) and then click Save Search. Once saved, the name of your search is available at the bottom of the Save Searches panel.
In order to use your saved search, you must be in the same explorer you were in when you created and saved the search. Click the folder icon in the search field and then click the name of your search.
Manage searches
To view, edit, or delete existing saved searches, go to the left-hand navigation and click Settings > Saved Searches.
The Saved Searches page lists all searches you can access, which includes all the searches you saved as well as any public searches saved by other members of your organization.
The Scope column shows the explorer where the search was created, which is also where the search is available for use.
The search query can be constructed using the following operators:
| Operator | Search results |
|---|---|
| term1 | containing term 1 |
| term1 and term2 | containing both term1 and term2 |
| term1 or term2 | one or more from either term1 or term2 (exclusively) |
| ~term1 | a partial match |
| !~term1 | exclude a partial match (negation) |
| (term1, term2, term3) OR (term4, term5, term6) | one group of terms or other group of terms |
Attributes in SolarWinds Observability are used in key:value fashion. An example search that constrains results to those from the ssh program containing “something bad” but not “noise”, or those with an error severity, is:
("something bad" program:ssh -noise) OR severity:error
It is possible to include more than one valid value for an attribute. Messages matching either one (OR) are returned:
program:(raid5toolsethtool)
Severity and facility attributes are those from the syslog specification. If severity is a part of the displayed log message, use a text search like error or INFO to find those messages.
Use attributes:
-
To constrain matching to only a single field, either to eliminate false positives or search less data (and increase speed)
-
To search facility or severity, which are not normally examined
Attributes and attribute-less constraints can be used together, and can be combined with negation.
All attributes except message can only have a single value per message, so AND is never relevant. Because of this, all attributes default to OR, as in the program: example above. Program:(a b) means program:(a OR b).
You can use the following operators when searching for attributes:
| Operator: | Search results: |
|---|---|
| key IS EMPTY | all entities without an attribute |
| key IS NOT EMPTY | all entities with an attribute |
| key:value | attribute with an indicated value |
|
key IN (a, b, c) / key:[1, 2, 3] |
attribute's key that is one of the members of the group |
| key NOT in (a, b, c) / key:![1, 2, 3] | attribute's key that is not a member of the group |