To query logs by an exact match on a phrase that consists of multiple keywords, use the LIKE clause.

  • Sample log
    body_bytes_sent:1061
    http_user_agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
    remote_addr:192.0.2.2
    remote_user:vd_yw
    request_method:DELETE
    request_uri:/request/path-1/file-5
    status:207
    time_local:10/Jun/2021:19:10:59
  • Query requirement

    Query the logs whose http_user_agent field value contains the exact phrase like Gecko.

  • Incorrect query statement
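    "like" and "Gecko"

    This query returns the logs whose http_user_agent field value contains any of the following phrases: like Gecko, Gecko like, like abc Gecko, or Gecko abc like. The and operator only requires that both keywords are present, regardless of their order or whether they are adjacent.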

  • Correct query statement
    * | Select * where http_user_agent like '%like Gecko%'

    http_user_agent is the field that the LIKE condition is evaluated against.

    The LIKE clause follows the LIKE syntax in standard SQL. In a LIKE pattern, the percent sign (%) matches zero or more characters, and the underscore (_) matches exactly one character.
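
The difference between the two statements above, as an added example that is not part of the original documentation: it emulates the keyword search in Python and runs the LIKE pattern in an in-memory SQLite database standing in for the log service's SQL engine. Assumptions: the function names, the constructed sample values, a keyword tokenizer that splits on non-alphanumeric characters, and the standard SQL ESCAPE clause, which the page does not mention.

```python
import re
import sqlite3

# Constructed values: the four word orders named in the text above.
SAMPLE_AGENTS = [
    "AppleWebKit/533.18.1 (KHTML, like Gecko) Safari/533.18.5",
    "AppleWebKit/533.18.1 (KHTML, Gecko like) Safari/533.18.5",
    "AppleWebKit/533.18.1 (KHTML, like abc Gecko) Safari/533.18.5",
    "AppleWebKit/533.18.1 (KHTML, Gecko abc like) Safari/533.18.5",
]
# Constructed user names; "vd_yw" is the remote_user of the sample log.
USERS = ["vd_yw", "vdXyw", "vd__yw"]


def keyword_and_match(value, keywords):
    """Keyword AND search (assumed tokenizer): every keyword is a token."""
    tokens = set(re.split(r"[^A-Za-z0-9]+", value))
    return all(k in tokens for k in keywords)


def like_match(values, pattern, escape=None):
    """Return the values selected by SQL LIKE, evaluated by SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, v TEXT)")
    db.executemany("INSERT INTO log (v) VALUES (?)", [(v,) for v in values])
    sql = "SELECT v FROM log WHERE v LIKE ?"
    params = [pattern]
    if escape is not None:  # ESCAPE makes the next % or _ a literal
        sql += " ESCAPE ?"
        params.append(escape)
    rows = db.execute(sql + " ORDER BY id", params).fetchall()
    db.close()
    return [r[0] for r in rows]


def compare():
    """Run both query styles over the same user-agent values."""
    by_keywords = [a for a in SAMPLE_AGENTS
                   if keyword_and_match(a, ["like", "Gecko"])]
    by_like = like_match(SAMPLE_AGENTS, "%like Gecko%")
    return by_keywords, by_like


if __name__ == "__main__":
    kw, like = compare()
    print("keyword AND hits:", len(kw))        # all four orderings
    print("LIKE phrase hits:", like)           # only the exact phrase
    print("_ as wildcard:", like_match(USERS, "vd_yw"))
    print("_ escaped:", like_match(USERS, "vd\\_yw", "\\"))
```

Because the underscore is a wildcard, a pattern built from a value such as vd_yw also selects vdXyw unless the underscore is escaped, which matters when a LIKE condition is used to scope a detection or an investigation to one account.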