Refine your search with filters

Narrow the scope of your search by adding filters that include or exclude events based on specific criteria.

Narrow the scope of your search by adding filters that include or exclude events based on specific criteria. Filtering your data improves search performance by reducing the amount of data being queried, and removes noise from the data so that you can focus on the information that’s most relevant and useful for you.

You can filter data based on time range or field-value pairs. If you’re using the search command, then you can also filter data based on keyword matches. See the following sections for more information:

Filter data by time range

Filter data by specifying a time range using the time range picker in the Search bar or SPL2 module editor to refine search results.

Specifying a narrow time range for your search is a great way to filter the data in your index and to avoid producing more results than you really need.

Use the time range picker in the Search bar or the SPL2 module editor to select the time range of your search.

For example, in the following screenshot of the Search bar, the time range picker is set to a date range that starts on June 25, 2025 and ends on June 27, 2025. When you run the search, it returns events from the main index that occurred within that date range.
This screenshot of the Search page in the Search & Reporting app shows the time range picker when it is open for editing. The time range picker is set to 06/25/2025 at 00:00:00 and 06/27/2025 at 24:00:00.
As another example, in the following screenshot of the SPL2 module editor, the time range picker is set to Last 60 minutes. When you run the search, it returns events from the main index that have timestamps within the last 60 minutes.
This screenshot of the SPL2 module editor in the Search & Reporting app shows the time range picker when it is set to "Last 60 minutes".
Note: If a module contains multiple searches, you can specify different time ranges for each search by adding time modifiers to the search statements. For detailed information about time modifiers, see the Dates and time chapter.

Filter data by field-value pairs

Filter your data for events where a field contains a specific value.

You can filter your data for events where a field contains a specific value.

For example, the following are 6 events where the status field contains HTTP status codes. You can use the field-value pair status=200 to filter for events where the value of the status field is 200. In this case, the search would return 5 events instead of 6.

How you add a field-value pair to your search varies depending on which generating command you’re using.
  • When using the search command, you can enter the field-value pair as is.

  • When using the from command, you must specify the field-value pair as part of a WHERE clause.

    • If the value is a string that contains non-numerical characters, then you must enclose the string value in double quotation marks ( " ).

    • Be aware that values in WHERE clauses are case-sensitive.

The following table shows examples that search the main index and filter for events where the value of the status field is 200:
Example scenario | Search statement

Using the search command

Using the from command, starting with the SELECT clause.

Using the from command, starting with the FROM clause.

Filtering with multiple values and partial matches

The field-value pair described in the previous section is a predicate expression that filters data based on an exact 1-to-1 match between the field name and value. You can use different predicate expressions to filter your data in different ways. For example:

  • You can match multiple values from the same field by using the IN operator.

  • You can allow partial matches by using the LIKE operator and the percent sign ( % ). The percent sign ( % ) works as a wildcard character when you use it with the LIKE operator.

    For example, the expression categoryId LIKE("S%") matches categoryId values that start with the letter S followed by 0 or more characters, which would include SPORTS, SIMULATION, and STRATEGY.

  • You can specify multiple field-value pairs and combine them using the logical operators AND, OR, NOT, and XOR.

    Note: In the search command, the AND operator is implied, so you only need to specify an operator when using OR, NOT, or XOR.

For more information about predicate expressions and the operators that SPL2 supports, see Predicate expressions.

The following table shows more varied examples of searches that use predicate expressions to filter the data from the main index:
Example scenario | Search statement

Using the search command to filter for events where either the value of the status field is 200 or the value of the host field is www2

An AND operator is implied between the index=main expression and the (status=200 OR host=www2) expression. The following search works exactly the same way as the prior one:

Using the from command, starting with the SELECT clause, to filter for events where the value of the status field is 200 and the value of the categoryId field is either SIMULATION or STRATEGY

Using the from command, starting with the FROM clause, to filter for events where the value of the status field is 200 and the value of the categoryId field starts with the letter S.
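The following is an added example, not code from the page or from Splunk's documentation, that writes out the status-200 filters from the first table and the predicate-expression filters from the second table as SPL2 search statements. It assumes an index named main whose events carry status, host, and categoryId fields, as the page's examples do:

```spl2
// Same filter, three ways: events in the main index where status is 200.
// search command: the field-value pair is entered as is, and AND is implied.
search index=main status=200

// from command, starting with the FROM clause: the filter goes in a WHERE clause.
FROM main WHERE status=200

// from command, starting with the SELECT clause.
SELECT * FROM main WHERE status=200

// Either condition: parentheses group the OR, and AND is implied before the group.
search index=main (status=200 OR host=www2)

// Several values of one field: the IN operator.
FROM main WHERE status=200 AND categoryId IN("SIMULATION", "STRATEGY")

// Partial match: LIKE with % as the wildcard (matches SPORTS, SIMULATION, STRATEGY).
FROM main WHERE status=200 AND categoryId LIKE("S%")

// String values in a WHERE clause are double-quoted and case-sensitive:
// host="www2" matches, host="WWW2" does not.
SELECT * FROM main WHERE status=200 AND host="www2"

// Exclude rather than include: NOT.
FROM main WHERE NOT (status=200)
```

The WHERE clause forms are the ones to reach for when you want the filter applied before any later commands run, which keeps the result set small when you are cutting an access log down to the hosts or response codes you actually need to inspect.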

Using the point-and-click workflow in the SPL2 module editor

If you are writing your search in the SPL2 module editor, you can use a point-and-click workflow to add a filter to your search. Instead of remembering and manually entering the SPL2 expression for the filter, you can build the filtering criteria by setting GUI options and then automatically add the corresponding SPL2 expression to your search statement.

For example, to filter your data for events where the value in the host field is www1, you can do the following in the SPL2 module editor:

  1. In the Actions panel, select the plus icon and then select Filter values.

  2. Configure the options in the Add filter dialog box to specify the filtering criteria, which is that the value in the host field must be www1:

    1. In the Field field, confirm that the drop-down list is set to Field and then enter host.

    2. Confirm that the Action toggle is set to Include.

    3. Confirm that the Operator drop-down list is set to = equals.

    4. In the Value field, enter www1.

  3. Select Apply.

The SPL2 editor adds the filter to your search by appending a where command to the search statement.

Note: The where command is similar to the WHERE clause of the from command, except that you can use it in conjunction with any generating command. For more information about adding commands to a search statement, see Process your search results. For detailed information about the where command, see where command: Overview, syntax, and usage in the SPL2 Search Reference.
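As an added example, not taken from the page, this is what the resulting search statement looks like when the dialog is set to Field: host, Include, = equals, Value: www1. It assumes a search statement that starts from the main index:

```spl2
// Filter appended by the Add filter dialog: the value is double-quoted because
// the where command takes a predicate expression, and the match is case-sensitive.
search index=main
| where host="www1"

// The where command follows any generating command, so the same filter also
// works after a from command that has no WHERE clause of its own.
FROM main
| where host="www1"
```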

Filter by keywords

Filter your data for events that contain a specific keyword.

If you are using the search command, you can filter your data for events that contain a specific keyword. This keyword can be a single term, or it can be a phrase enclosed in double quotation marks ( " ).

Unlike field-value pair filters, keyword filters check the raw event text for the keyword instead of checking a specified field. You can use both types of filters in the same search.

The following table shows examples of searches that use keywords to filter the data from the main index:
Example scenario | Search statement

Filter for events that contain both of the words “sports” and “www1”.

Filter for events that contain the words “sports” or “www1”.

Filter for events that contain the exact phrase “Hello world”.

Filter for events that contain both of the words “sports” and “www1”, and also have 200 as the value in the status field.
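The following is an added example, not code from the page, that writes out the four keyword scenarios in the table as search statements. It assumes the main index and a status field, as the page's examples do:

```spl2
// Both words anywhere in the raw event text (AND is implied between keywords).
search index=main sports www1

// Either word.
search index=main sports OR www1

// Exact phrase: enclose it in double quotation marks.
search index=main "Hello world"

// Keyword filter and field-value pair in the same search: the keywords are
// matched against the raw event text, status=200 against the extracted field.
search index=main sports www1 status=200
```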

Next step

After refining your search, you can manipulate or process those returned events.

After refining your search to return only a focused subset of relevant events, you can manipulate or process those returned events in order to support data analysis and reporting.

For example, you might find it useful to work with your data in the following ways:

  • Standardize the spelling or capitalization of string values for consistency.

  • Convert numerical values from one unit of measurement to another.

  • Calculate aggregate statistics, such as the sum or average of a set of values in the data.

You can process your data by adding SPL2 commands and functions to your search.

To continue building out your search, see Process your search results.