This is the defining document: search; I would pay special attention under Logical expression options, Comparison expression options, Quotes and escaping characters, and The implied search command.

In addition to white space and double quotation mark (") which are obvious, any unquoted occurrence of parentheses ("(" and ")", unquoted), equal (=), less-than (<), and greater-than (>) will be interpreted by SPL as part (or whole) of an operator; any unquoted occurrence of pipe (|) is interpreted as command separator; select unquoted backslash sequences are interpreted by SPL, e.g., \", \|, and \\; unquoted asterisk (*) is interpreted as wildcard.

Also look at Subsearches. Any unquoted occurrence of left square bracket ([) is interpreted as the beginning of a subsearch; unquoted right square bracket (]) is considered the ending of a subsearch.

Other than these, any character in a string is considered a literal string. This is why index=WinEventLog:System, or even index = WinEventLog:System is equivalent to index="WinEventLog:System". Yes, you can even name your source WinEventLog!System, WinEventLog/System, WinEventLog\System, WinEventLog\/System, even WinEventLog@System or WinEventLog&System and not quote it.

Even in the search document itself, some examples include unquoted strings that could be unsafe in some other contexts. For example,

The AND operator is always implied between terms and expressions. For example, web error is the same as web AND error. Specifying clientip=192.0.2.255 earliest=-1h@h is the same as clientip=192.0.2.255 AND earliest=-1h@h. So unless you want to include it for clarity reasons, you do not need to specify the AND operator.

- Required arguments
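The character rules listed in the post above, as an added example that is not part of the original post or of Splunk's own code: a checker that reports why a value would not be read as a single literal when placed unquoted into a search string, which is the check to run before interpolating external input into SPL. The function names are hypothetical, and the escaping applied inside double quotes (\\ and \") is an assumption.

```python
import re

# Characters the post lists as significant to SPL when they appear unquoted.
SPL_SPECIAL = {
    " ": "whitespace (term separator)",
    "\t": "whitespace (term separator)",
    '"': "double quotation mark",
    "(": "parenthesis (operator)",
    ")": "parenthesis (operator)",
    "=": "comparison operator",
    "<": "comparison operator",
    ">": "comparison operator",
    "|": "command separator",
    "*": "wildcard",
    "[": "subsearch start",
    "]": "subsearch end",
}
# Backslash sequences the post names as interpreted: \"  \|  \\
ESCAPES = re.compile(r'\\["|\\]')


def spl_findings(value):
    """Return the reasons an unquoted value would not be one literal term."""
    reasons = []
    # Remove recognised escape sequences first so \| is not also
    # reported as a bare pipe.
    remainder = ESCAPES.sub("", value)
    if remainder != value:
        reasons.append("interpreted backslash sequence")
    for ch in remainder:
        reason = SPL_SPECIAL.get(ch)
        if reason and reason not in reasons:
            reasons.append(reason)
    return reasons


def spl_value(value):
    """Leave a clean value bare; otherwise wrap it in double quotes."""
    if value and not spl_findings(value):
        return value
    # Assumption: inside double quotes, backslash and quote are escaped
    # with a backslash. Wildcards are reported above, not neutralised here.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
```
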