Syntax of queries by search engine

Terms

A query is organized into terms and operators. There are two types of terms: Single Terms and Phrases.

A Single Term is a single word such as

service

or

protocol

A Phrase is a group of words surrounded by double quotation marks such as

"session closed"

Multiple terms can be combined together with Boolean operators to form a more complex query (see below).

Fields

ASPEN supports data in fields. When performing a search, you can either specify a field, or search through all fields. The field names are implementation-specific.

You can search any field by typing the field name followed by a colon ":" and then the term you are looking for.

As an example, if you want to find a result with priority "2" which contains the text "internal", you can enter:

priority:"2" AND text:"internal"

or

priority:"2" AND "internal"

Since text is the default field, the field indicator is not required.

Note

The field is valid only for the term that it directly precedes, so the query

text:internal ASPEN log

will only find "internal" in the text field. It will find "ASPEN" and "log" in the default field (in this case the text field).

Another way to compose your query, instead of typing it into the "Search" text box, is to use keyboard shortcuts paired with a click on a specific field within the "Security event details" and "Raw log details" windows.

Ctrl+LeftClick is used for AND operator

Shift+LeftClick is used for NOT operator

Ctrl+Shift+LeftClick is used for OR operator

Using these shortcuts will add field names automatically. For example, Shift+LeftClick on a field "type" that has value "syslog" will create the following query for you:

NOT type:"Syslog"

Term Modifiers

ASPEN supports modifying query terms to provide a wide range of searching options.

Wildcard Searches

ASPEN supports single and multiple character wildcard searches.

To perform a single character wildcard search, use the "?" symbol.

To perform a multiple character wildcard search, use the "*" symbol.

The single character wildcard search looks for terms that match the query, with a single character replaced. For example, to search for "trace", you can use:

tra?e

Multiple character wildcard searches look for 0 or more characters. For example, to search for trace or tracing, you can use:

trac*

You can also use wildcard searches in the middle of a term:

tra*ce

Note

You cannot use a * or ? symbol as the first character of a search.

Fuzzy Searches

ASPEN supports fuzzy searches based on the Levenshtein Distance, or Edit Distance, algorithm. To invoke a fuzzy search, use the tilde, "~", symbol at the end of a Single-word Term. For example, to search for a term similar in spelling to "sure", use:

sure~

This search will find terms like assure, ensure, insure, insured etc.
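To make the wildcard and fuzzy term modifiers above concrete, the following added example (not part of the ASPEN documentation) translates a "?"/"*" term into an anchored regular expression, rejects a leading wildcard as the note above requires, and computes the Levenshtein distance that fuzzy search is based on. The candidate words and the distance threshold of 3 are constructed assumptions; the page does not state which threshold ASPEN applies.

```python
import re

# Constructed sample vocabulary, e.g. terms indexed from log messages.
CANDIDATES = ["assure", "ensure", "insure", "insured", "trace",
              "tracing", "traced", "track", "failure"]


def wildcard_to_regex(term: str) -> re.Pattern:
    """Translate an ASPEN wildcard term into an anchored regex.

    '?' stands for exactly one character and '*' for zero or more; a
    wildcard as the first character is not allowed, so it is rejected.
    """
    if not term or term[0] in "*?":
        raise ValueError("a wildcard cannot be the first character of a term")
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                   for c in term)
    return re.compile(f"^{body}$")


def wildcard_matches(term: str, candidates=CANDIDATES):
    """Return the candidate terms the wildcard term would match."""
    rx = wildcard_to_regex(term)
    return [w for w in candidates if rx.match(w)]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two terms."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def fuzzy_matches(term: str, candidates=CANDIDATES, max_distance: int = 3):
    """Candidates within max_distance edits of term (threshold is assumed)."""
    return [w for w in candidates if levenshtein(term, w) <= max_distance]


if __name__ == "__main__":
    print("tra?e ->", wildcard_matches("tra?e"))
    print("trac* ->", wildcard_matches("trac*"))
    print("sure~ ->", fuzzy_matches("sure"))
```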

Proximity Searches

ASPEN supports finding words that are within a specific distance. To do a proximity search, use the tilde, "~", symbol at the end of a Phrase. For example, to search for "domain" and "object" within 7 words of each other in a result, use:

"domain object"~7

Range Searches

Range Queries allow you to match results whose field values are between the lower and upper bound specified by the Range Query. Range Queries can be exclusive or inclusive of the upper and lower bounds. Sorting is lexicographic. Exclusive range queries are denoted by curly brackets:

title:{Audit TO values}

This will find all results whose titles are between Audit and values, but not including Audit and values.

Inclusive range queries are denoted by square brackets:

title:[Audit TO values]

Boosting a Term

ASPEN ranks matching results by relevance based on the terms found. To boost a term, use the caret, "^", symbol with a boost factor (a number) at the end of the term you are searching for. The higher the boost factor, the more relevant the term will be.

Boosting allows you to control the relevance of results by boosting terms. For example, if you are searching for:

security alarm

or more complex, using previously mentioned special characters:

security alarm* system32 *.exe

and you want the term "security" to be more relevant, boost it by using the ^ symbol along with the boost factor next to the term. You would type:

security^6 alarm

or in second case:

security^6 alarm* system32 *.exe

This will make results with the term security appear more relevant. You can also boost Phrase Terms as in the example:

"alarm host"^5 "root"^3

By default, the boost factor is 1. Although the boost factor must be positive, it can be less than 1 (for example, 0.2), like this:

"alarm host"^0.2 "root"

Boolean operators

Boolean operators allow terms to be combined through logic operators. ASPEN supports OR, AND, "+", NOT and "-" as Boolean operators.

Note

Boolean operators must be ALL CAPS.

OR

The OR operator is the default conjunction operator. This means that if there is no Boolean operator between two terms, the OR operator is used. The OR operator links two terms and finds a matching result if either of the terms exist. This is equivalent to a union using sets. The symbol || can be used in place of the word OR.

To search for results that contain either "Windows Service state" or just "state", use:

"Windows Service state" state

or

"Windows Service state" OR state

AND

The AND operator matches results where both terms exist anywhere in the text. This is equivalent to an intersection using sets. The symbol && can be used in place of the word AND.

To search for results that contain cause:"Message too long" and priority:"1", use:

cause:"Message too long" AND priority:"1"

+

The "+" or required operator requires that the term after the "+" symbol exists somewhere in a field of a single result.

To search for results that must contain "Privileged command execution" and may contain "unknown", use:

+"Privileged command execution" unknown

NOT

The NOT operator excludes results that contain the term after NOT. This is equivalent to a difference using sets. The symbol ! can be used in place of the word NOT.

To search for results that contain term proxy but not state:"started", use:

proxy NOT state:"started"

-

The "-" or prohibit operator excludes results that contain the term after the "-" symbol.

To search for results that contain term WinHTTP but not state:"started", use:

WinHTTP -state:"started"

Grouping

ASPEN supports using parentheses to group clauses to form sub queries. This can be very useful if you want to control the boolean logic for a query.

To search for either "proxy" or "root" and "stopped", use:

(proxy OR root) AND stopped

This eliminates any confusion and makes sure that the term "stopped" must exist and either the term "proxy" or "root" may exist.

Using this, you are able to create even more complex queries like:

(text:"packet lost" OR run_as:"root") AND (NOT (priority:"2" OR priority:"3"))

Field Grouping

ASPEN supports using parentheses to group multiple clauses to a single field.

To search for text that contains both the word windows and the phrase "state changed", use:

text:(+windows +"state changed")

Escaping Special Characters

ASPEN supports escaping special characters that are part of the query syntax. The current list of special characters are:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

To escape these characters, use the \ before the character. For example:

process_name:"C:\\Windows\\System32\\SearchProtocolHost.exe"
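Escaping matters most when a query is assembled from values copied out of log events, such as Windows paths, which is also what the click shortcuts described earlier do. The following added example (not ASPEN's own code) escapes bare terms using the special-character list above, quotes phrases, and appends the AND/NOT/OR clause each shortcut generates. It assumes that inside a quoted phrase only the backslash and the quote itself need escaping, as the doubled backslashes in the page's example suggest.

```python
# Characters ASPEN's query syntax treats as special (the list from the page).
# "&&" and "||" are two-character operators; each character is escaped on its own.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\')

# Keyboard shortcuts from the page, mapped to the operator each one produces.
SHORTCUT_OPERATORS = {
    "Ctrl+LeftClick": "AND",
    "Shift+LeftClick": "NOT",
    "Ctrl+Shift+LeftClick": "OR",
}


def escape_term(term: str) -> str:
    """Backslash-escape every special character in a bare (unquoted) term."""
    return "".join("\\" + c if c in SPECIAL_CHARS else c for c in term)


def quote_phrase(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and embedded quotes
    (assumption: nothing else needs escaping inside a quoted phrase)."""
    inner = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def field_clause(field: str, value: str) -> str:
    """Build field:"value", the form the click shortcuts generate."""
    return f"{escape_term(field)}:{quote_phrase(value)}"


def shortcut_clause(shortcut: str, field: str, value: str) -> str:
    """Fragment a click shortcut appends for the clicked field and value."""
    return f"{SHORTCUT_OPERATORS[shortcut]} {field_clause(field, value)}"


def compose(query: str, shortcut: str, field: str, value: str) -> str:
    """Append a shortcut-generated clause to an existing query.

    AND and OR are binary, so on an empty query the operator is dropped;
    NOT is unary and is kept, matching the page's NOT type:"..." example.
    """
    if not query and SHORTCUT_OPERATORS[shortcut] != "NOT":
        return field_clause(field, value)
    return f"{query} {shortcut_clause(shortcut, field, value)}".strip()


if __name__ == "__main__":
    # Constructed example: a copied Windows path followed by two clicks.
    q = compose("", "Ctrl+LeftClick", "process_name",
                r"C:\Windows\System32\SearchProtocolHost.exe")
    q = compose(q, "Shift+LeftClick", "type", "syslog")
    print(compose(q, "Ctrl+Shift+LeftClick", "run_as", "root"))
```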

Copyright © 2015 Advanced Security Technologies DOO. All rights reserved.