About the Analyzer
The Analyzer is the starting point for your data inside Raven. It gives you direct access to your indexed data, allowing you to analyse and query specific parts of it using a Lucene-based query syntax.
Querying and viewing your data is an important part of the portal: it lets you gain insights from the saved data quickly and in one central place, and it is also the fastest way to learn what your data actually looks like before you build detections or reports on it.
The query language#
As mentioned, the Analyzer works with a Lucene-based query language, so it supports much of the same syntax you have probably used elsewhere (for example in Kibana or Elasticsearch). This includes:
Fields#
Saved data on the platform uses the Elastic Common Schema (ECS) as its backing data model, so there is a wide range of fields you may want to include in your query. Here are some examples of how to search on fields.
When searching for longer sentences or text phrases, remember to enclose the phrase in double quotation marks, as in the example above; without the quotes each word is treated as a separate term.
Boolean Operators#
AND, OR, and NOT operators.
Will return events that contain both john and bob
Will return events that contain toby but not john
Will return events that contain john or bob, or both
Ranges#
You can search for fields within a specific range, using square brackets for inclusive range searches and curly braces for exclusive range searches (the lower and upper bounds are separated by TO):
Will return events with age between 3 and 10
Will return events with prices between 101 and 399
Will return names between and including Adam and Ziggy
As the examples above show, ranges work on non-numeric fields such as strings and dates as well. Keep in mind that string ranges are compared lexically, so date values only sort correctly when the field is mapped as a date or stored in a sortable format such as ISO 8601.
Wildcards#
The * character is a multi-character wildcard (matching any number of characters, including none) and the ? character is a single-character wildcard. Avoid leading wildcards (for example *mars) where you can: they force a scan of every term in the index and are slow on large data sets.
Will match Mars, Mass, and Maps
Will match Mars, Matches, and Massachusetts
Regex Queries#
Using a regular expression (regex) you can match specific patterns across your data. Wrap the expression in forward slashes (/.../). Note that Lucene regex is not PCRE: the pattern must match the whole term (there are no ^ and $ anchors), and shorthand classes such as \d are not supported, so write [0-9] instead.
To identify a certain IP range or block
Will match text that resembles an HTML tag
Fuzzy Search Queries#
Looking for results that almost look the same? You can use a fuzzy search, which returns results with terms similar to your search term, as measured by Levenshtein edit distance (the number of single-character insertions, deletions or substitutions needed to turn one term into the other).
For example, blow~ (note the trailing tilde) would return results like "blew", "brow" and "glow".
A number after the tilde sets the maximum edit distance allowed between the terms, for example:
Would match text like: "jean," "johns," "jhon," and "horn"
Free Text#
Just type in the term or value you want to find.
Examples from the portal#
The data you can query in your portal depends on what data you have ingested. The following example queries will work for you if you have the corresponding ingoing connector bricks configured in your installation.
View all IIS logs from Filebeat:
View all Windows Event logs for a "Logon event" (via Winlogbeat):
Using a regular expression to match a spamtrap in a specific IP range:
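The following Python script is an added example, not Raven's own code: it implements a small evaluator for the query forms described on this page (terms, quoted phrases, inclusive and exclusive ranges, * and ? wildcards, /regex/ values, term~N fuzzy terms and AND/OR/NOT) and runs them over a handful of constructed ECS-style events, so you can see exactly which records each form matches without needing a portal. The events, the field values and the mapping of a Windows logon to event.code 4624 and of Filebeat IIS data to event.module iis are assumptions made for the example. Evaluation is left to right without parentheses, and free-text clauses are tested against every field; a real Lucene parser does more, but the matching rules shown are the ones the sections above describe.

```python
"""Mini evaluator for Lucene-style query forms (added example, not Raven code)."""
import re

# Constructed sample events; ECS field names are flattened to dotted keys.
EVENTS = [
    {"user.name": "john", "source.ip": "10.0.0.5", "event.code": "4624", "event.module": "security",
     "message": "An account was successfully logged on", "@timestamp": "2024-03-01T10:00:00Z"},
    {"user.name": "bob", "source.ip": "10.0.1.7", "event.code": "4625", "event.module": "security",
     "message": "An account failed to log on", "@timestamp": "2024-03-02T10:00:00Z"},
    {"user.name": "toby", "source.ip": "192.168.1.9", "event.code": "4624", "event.module": "security",
     "message": "An account was successfully logged on", "@timestamp": "2024-03-03T10:00:00Z"},
    {"user.name": "anonymous", "source.ip": "203.0.113.4", "event.code": "200", "event.module": "iis",
     "message": "GET /index.html", "@timestamp": "2024-03-04T10:00:00Z"},
]

# One token per clause or operator; quoted phrases, ranges and /regex/ may contain spaces.
TOKEN = re.compile(r'(?:[\w.@]+:)?(?:"[^"]*"|[\[{][^\]}]*[\]}]|/[^/]*/|\S+)')
# Optional field prefix, then the value in whatever form it takes.
CLAUSE = re.compile(r"^(?:(?P<field>[\w.@]+):)?(?P<value>.+)$")


def levenshtein(a, b):
    """Edit distance: the metric behind term~N fuzzy matching."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def wildcard_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def in_range(raw, lo, hi, inclusive):
    """[lo TO hi] is inclusive, {lo TO hi} exclusive. Numbers compare numerically;
    anything else (strings, ISO 8601 dates) compares lexically."""
    try:
        raw, lo, hi = float(raw), float(lo), float(hi)
    except ValueError:
        pass  # not all numeric: fall back to string comparison
    return lo <= raw <= hi if inclusive else lo < raw < hi


def field_values(event, field):
    """Values to test: the named field, or every field for a free-text clause."""
    if field is None:
        return [str(v) for v in event.values()]
    return [str(event[field])] if field in event else []


def match_clause(event, clause):
    """Apply one field:value clause to one event."""
    m = CLAUSE.match(clause)
    field, value = m.group("field"), m.group("value")
    vals = field_values(event, field)
    words = [w for v in vals for w in v.lower().split()]  # rough stand-in for analysed terms
    if value.startswith('"'):                    # quoted phrase: words must appear in order
        return any(value[1:-1].lower() in v.lower() for v in vals)
    if value.startswith("/"):                    # /regex/ (real Lucene anchors it to a whole term)
        rx = re.compile(value[1:-1])
        return any(rx.search(v) for v in vals)
    if value[0] in "[{":                         # range, inclusive or exclusive
        lo, hi = value[1:-1].split(" TO ")
        return any(in_range(v, lo, hi, value[0] == "[") for v in vals)
    fz = re.fullmatch(r"(.+?)~(\d*)", value)
    if fz:                                       # fuzzy: bare ~ means max distance 2
        term, dist = fz.group(1).lower(), int(fz.group(2) or 2)
        return any(levenshtein(term, w) <= dist for w in words)
    if "*" in value or "?" in value:             # wildcard
        rx = wildcard_to_regex(value)
        return any(rx.match(w) for w in words)
    return value.lower() in words                # plain term


def matches(event, query):
    """Combine clauses left to right; juxtaposed clauses default to OR as in Lucene."""
    result, op, negate = None, "OR", False
    for tok in TOKEN.findall(query):
        if tok in ("AND", "OR"):
            op = tok
            continue
        if tok == "NOT":
            negate = True
            continue
        hit = match_clause(event, tok) != negate
        negate = False
        result = hit if result is None else (result and hit if op == "AND" else result or hit)
        op = "OR"
    return bool(result)


def search(query, events=EVENTS):
    """Return the user.name of every matching event, in index order."""
    return [e["user.name"] for e in events if matches(e, query)]


if __name__ == "__main__":
    for q in ("john OR bob", "toby AND NOT john", "event.code:{4623 TO 4625}",
              "@timestamp:[2024-03-02 TO 2024-03-04]", "source.ip:10.0.*", "user.name:?ob",
              r"source.ip:/10\.0\.(0|1)\.[0-9]+/", "user.name:bobby~2", 'message:"failed to log on"',
              "event.module:iis AND event.code:200"):
        print(f"{q:45} -> {search(q)}")
```

Two details worth noticing when you run it: the exclusive range {4623 TO 4625} drops event 4625 while [4624 TO 4625] keeps it, and the date range is evaluated as a string comparison, which is why the bounds are written as sortable ISO dates. The fuzzy clause user.name:bobby~2 matches both bob (two insertions) and toby (one substitution plus one deletion), while jon~1 against user.name matches john only; scoping fuzzy terms to a field matters, because a free-text jon~1 would also hit the word "on" in every message.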
Saved queries for easy access#
Made a query that you'd like to save and inspect periodically? You can. Simply click the star icon in the search bar to save it to the Queries section. From there you can view its search results, build and save larger queries, and edit existing ones.
Saving a query will also make it show up in the search bar when you search for its name.