Type / Description / Example

Tokenized Fields
  Description: System field names invoke parsing when standardized delimiters are encountered, such as @, ., or -.
  Example 1: user.keyword: *string  or  user:"*string", where *string contains @, ., or -.
    Yields results because user.keyword is non-tokenized.
  Example 2: user: *string  or  user.keyword: "*string", where *string contains @, ., or -.
    No results because user is tokenized for full-text search; the value is parsed as user, engineering, domain, and com.

_exists_ and !_exists_
  Description: Determine whether fields exist (have a value) or not.
  Example 1: _exists_:user
    Yields logs where the user field is populated.
  Example 2: !_exists_:<exa_parser_name>
    Yields logs where the <exa_parser_name> field is empty.

<field>.keyword:"-"
  Description: Search string qualifier for when a keyword type field cannot be parsed. Do not use <field>:"-" even though this field is a text type as well; otherwise, no results will be returned.
  Example: host.keyword:"-"
    This search returns data with a non-parsable host field.
NOTE: The default operator in searches is OR unless you explicitly form your query so that it does not apply.
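The tokenized-versus-keyword behaviour in the table above, as an added Python model of how the four user examples and the host.keyword:"-" case evaluate against constructed events. This is not Exabeam's code; it assumes a simple analyzer that splits text fields on @, ., - and whitespace, that a quoted pattern on a text field is a phrase query, and that a quoted pattern on a .keyword field is a literal match.

```python
import fnmatch
import re

# Constructed sample events (not from the guide); the third has no user field.
EVENTS = [
    {"user": "alice@engineering.domain.com", "host": "web-01"},
    {"user": "bob", "host": "-"},
    {"host": "db-02"},
]

# Assumed analyzer: the text field is split on the delimiters the table names
# (@ . -) plus whitespace and lower-cased; the .keyword field is stored verbatim.
DELIMITERS = re.compile(r"[@.\-\s]+")

def tokenize(value):
    return [tok.lower() for tok in DELIMITERS.split(value) if tok]

def match_field(event, field, pattern, quoted):
    """Evaluate field:pattern (or field:"pattern") against one event."""
    base = field[: -len(".keyword")] if field.endswith(".keyword") else field
    if base not in event:
        return False
    value = event[base]
    if field.endswith(".keyword"):
        # Non-tokenized: a quoted pattern is literal, an unquoted one is a wildcard.
        return value == pattern if quoted else fnmatch.fnmatchcase(value, pattern)
    have = tokenize(value)
    if quoted:
        # Phrase query: the analyzed pattern must appear as consecutive tokens.
        want = tokenize(pattern.replace("*", "").replace("?", ""))
        return bool(want) and any(
            have[i:i + len(want)] == want for i in range(len(have) - len(want) + 1))
    # A wildcard on a tokenized field is tested per token, so a pattern that still
    # contains @ . or - can never match: the tokens no longer contain them.
    return any(fnmatch.fnmatchcase(tok, pattern.lower()) for tok in have)

def search(query, events=EVENTS):
    """Forms from the table: field:pattern, field:"pattern", _exists_:f, !_exists_:f."""
    field, _, pattern = query.lstrip("!").partition(":")
    pattern = pattern.strip()
    quoted = len(pattern) >= 2 and pattern[0] == pattern[-1] == '"'
    pattern = pattern[1:-1] if quoted else pattern
    if field == "_exists_":
        return [ev for ev in events
                if (ev.get(pattern) not in ("", None)) != query.startswith("!")]
    return [ev for ev in events if match_field(ev, field, pattern, quoted)]
```

Running search("user: *engineering.domain.com") against these events returns nothing, while search("user.keyword: *engineering.domain.com") returns the alice event, which is the difference the table describes.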
2.2. Time Parameters
Correctly searching and synchronizing time between log messages is critical to forming a timeline of
events you are analyzing. There are multiple ways time information is stored in log messages. It is
important to distinguish between them and use them accordingly.
Parameter / Description

@timestamp
  This is a search value. It is the default time field and reflects the time when the log message was received at the Data Lake ingestion layer.

indexTime
  This is a search value. It is the time at which the Data Lake parser/enricher processed the log message for indexing.

exa_adjustedEventTime
  This is a message log field. It is the time value derived from the event itself, with adjustments such as time zone applied if present in the log message and parsed out.

exa_rawEventTime
  This is a message log field. It is the non-adjusted time value derived from the log message itself. If the log message does not have a time field, it defaults to ~indexTime.
2.3. Field Explorer
In addition to using manually created search strings, users have the option to filter data using out-of-the-box filters available in the Search UI.
How to Run Query Searches in Exabeam Data Lake
Exabeam Search Quick Reference Guide - Version SecOps 2021.2 (DL i40
Published Mar 11, 2022 8