If you want to query logs by using exact match of multiple keywords, you can use the LIKE operator or the phrase search feature.

Sample log

body_bytes_sent:1061
http_user_agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
remote_addr:192.0.2.2
remote_user:vd_yw
request_method:DELETE
request_uri:/request/path-1/file-5
status:207
time_local:10/Jun/2021:19:10:59

Expected search result

Query the logs in which the value of the http_user_agent field contains the phrase like Gecko.

Examples

The following examples are provided based on the preceding sample log and expected search result.

Phrase search

You can use the phrase search feature to exactly match a phrase. For more information, see Phrase search.
http_user_agent:#"like Gecko"

LIKE operator

The LIKE operator complies with the LIKE syntax in standard SQL. The percent sign (%) in a LIKE clause indicates zero or more occurrences of characters. The underscore (_) indicates a single character.

  • Valid query statement
    * | Select * where http_user_agent like '%like Gecko%'

    The http_user_agent parameter specifies the field based on which the system queries logs.

  • Invalid query statement

    If you execute the following query statement, the result is inaccurate. This query statement returns the logs in which the value of the http_user_agent field contains the following phrases: like Gecko, Gecko like, like abc Gecko, or Gecko abc like .

     "like" and "Gecko"