ShadowTrackr


New search options

24 January 2022
This week's update brings more search options. Until now you could search some fields, but not all, and the query language was functional but limited. That has all changed.

First, you should have a look at the updated Data Model. It shows all types of data (indexes) that you can search and the fields that are available.

Searching should be easy, and we don’t want you to have to learn yet another query language. Instead, you can use both Elasticsearch (also known as Lucene) syntax and Splunk SPL syntax. The ShadowTrackr query parser is quite forgiving and even allows mixing the two styles. And of course it’s backwards compatible with the old search style. Details and examples are on the Search and Queries page.