ShadowTrackr


Group by field in search results

31 January 2022
More search options this week. The most important one is that you can now group results by any field in the data model with the keyword by.

For example, if you want a list of all the registrars you used to buy your domain names:
  index=whois by registrar
Or a list of the ISPs you use:
  index=hosts by isp
The results automatically get a field called count that holds the number of matching results for each value of the by field. This is useful input for pie charts too.

Other new additions are the earliest and latest keywords, which let you specify a date range without spelling out absolute dates. For example, to list the certificate issuers used in the last month:
  index=certificates by issuer latest=-1m
More details on the Search and Queries page.

New search options

24 January 2022
This week's update brings more search options. Until now you could search some fields but not all, and the query language was functional but limited. That has all changed.

First, you should have a look at the updated Data Model. It shows all types of data (indexes) that you can search and the fields that are available.

Searching should be easy and we don't want you to learn yet another query language. So instead you can use both Elasticsearch query-string (Lucene) syntax and Splunk SPL syntax. The ShadowTrackr query parser is quite forgiving and even allows mixing the two styles. And of course it is backwards compatible with the old search style. Details and examples are on the Search and Queries page.
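As an added example, not ShadowTrackr's own code, here is a small Python evaluator for queries of the shape shown in the two posts above: it accepts SPL-style field=value and Lucene-style field:value tokens interchangeably (mixed in one query if you like), groups with by and adds the count field, and applies earliest= and latest= bounds. The sample records, the fixed "now", the rule that filter values contain no spaces, and the Splunk-style unit letters (m for minutes, mon for months, approximated as 30 days) are assumptions made for this example, not facts about ShadowTrackr; the real parser and its conventions are documented on the product's Search and Queries page.

```python
"""Toy evaluator for the query shape described on this page:

    index=whois by registrar
    index:hosts by isp                        (Lucene-style field:value)
    index=certificates by issuer earliest=-30d

Added illustration only; this is NOT ShadowTrackr's parser, and every
convention below is an assumption: records are dicts with an 'index'
and a 'timestamp' field, filter values contain no spaces, and relative
times use Splunk-style unit suffixes (s, m=minutes, h, d, w, mon).
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (assumption).
NOW = datetime(2022, 1, 31, 12, 0, tzinfo=timezone.utc)


def _ago(days):
    return NOW - timedelta(days=days)


# Constructed sample data, not real ShadowTrackr output.
RECORDS = [
    {"index": "whois", "domain": "example.com", "registrar": "Registrar A", "timestamp": _ago(400)},
    {"index": "whois", "domain": "example.net", "registrar": "Registrar A", "timestamp": _ago(200)},
    {"index": "whois", "domain": "example.org", "registrar": "Registrar B", "timestamp": _ago(10)},
    {"index": "hosts", "ip": "192.0.2.10", "isp": "ISP-One", "timestamp": _ago(3)},
    {"index": "hosts", "ip": "192.0.2.11", "isp": "ISP-One", "timestamp": _ago(3)},
    {"index": "hosts", "ip": "198.51.100.5", "isp": "ISP-Two", "timestamp": _ago(1)},
    {"index": "certificates", "cn": "example.com", "issuer": "Let's Encrypt", "timestamp": _ago(5)},
    {"index": "certificates", "cn": "www.example.com", "issuer": "Let's Encrypt", "timestamp": _ago(12)},
    {"index": "certificates", "cn": "example.org", "issuer": "DigiCert", "timestamp": _ago(2)},
    {"index": "certificates", "cn": "example.net", "issuer": "Let's Encrypt", "timestamp": _ago(45)},
]

# Seconds per unit; 'mon' is approximated as 30 days (assumption).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "mon": 30 * 86400}


def parse_relative(spec, now=NOW):
    """Turn 'now', '-30d', '+2h' or '-1mon' into an absolute datetime."""
    if spec == "now":
        return now
    m = re.fullmatch(r"([+-])(\d+)(mon|[smhdw])", spec)
    if not m:
        raise ValueError(f"unsupported relative time: {spec!r}")
    sign, amount, unit = m.groups()
    delta = timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
    return now + delta if sign == "+" else now - delta


def parse_query(query):
    """Split a query into (filters, group_by, time_bounds).

    'field=value' (SPL style) and 'field:value' (Lucene style) are
    accepted interchangeably and may be mixed in one query; 'by <field>'
    selects the grouping field; earliest=/latest= are kept separately.
    """
    tokens = query.split()
    filters, group_by, bounds = {}, None, {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() == "by":
            if i + 1 >= len(tokens):
                raise ValueError("'by' must be followed by a field name")
            group_by = tokens[i + 1]
            i += 2
            continue
        m = re.fullmatch(r"(\w+)[=:](\S+)", tok)
        if not m:
            raise ValueError(f"unrecognised token: {tok!r}")
        key, value = m.groups()
        (bounds if key in ("earliest", "latest") else filters)[key] = value
        i += 1
    return filters, group_by, bounds


def run_query(query, records=RECORDS, now=NOW):
    """Evaluate a query. Without 'by' the matching records are returned;
    with 'by <field>' one row per distinct value is returned, each with a
    'count' field, sorted by count descending (ties keep first-seen order)."""
    filters, group_by, bounds = parse_query(query)
    earliest = parse_relative(bounds["earliest"], now) if "earliest" in bounds else None
    latest = parse_relative(bounds["latest"], now) if "latest" in bounds else None
    hits = []
    for rec in records:
        if any(str(rec.get(k)) != v for k, v in filters.items()):
            continue
        if earliest is not None and rec["timestamp"] < earliest:
            continue
        if latest is not None and rec["timestamp"] > latest:
            continue
        hits.append(rec)
    if group_by is None:
        return hits
    counts = Counter(rec.get(group_by) for rec in hits)
    return [{group_by: value, "count": n} for value, n in counts.most_common()]


if __name__ == "__main__":
    for q in ("index=whois by registrar", "index:hosts by isp",
              "index=certificates by issuer earliest=-30d"):
        print(q, "->", run_query(q))
```

The grouped rows (one per value, with count) are exactly the shape a pie chart wants. One caveat for anyone porting this against the real service: the post above writes -1m for "the last month", while this toy follows the Splunk convention in which m is minutes and mon is a month, so confirm the unit letters and the default for an unspecified bound on the Search and Queries page before relying on them in scripts.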

Major backend update: check your API scripts

17 January 2022
This weekend a lot of tech debt was paid off, which also meant some risky updates and changes to the backend. Although everything was tested first, some bugs slipped through, and on top of that we did a database rebuild.

Everything should be fine now, and neither the GUI nor the API has big changes, but please double-check your API scripts and report any trouble to us.