This article offers some suggestions for composing more effective and efficient search filters.
NOTE: If you want to learn about all the rules and operators in search, you can visit this link.
1- When you open the Search tab, you'll see the parsed columns of the logs with their values next to them.
For example, you can see the columns of Source.IP:192.168.104.109 and Destination.IP:192.168.3.201 in the sample below.
When you click on a column value, a query with that column is composed automatically.
2- Most vendors identify events with an event ID. For example, if you have a SonicWall firewall, you can query the web access logs with Event.Info:"Web Site Access" or with Event.VendorID:97; these two queries are equivalent and return the same result.
NOTE: You can visit this article to see how Logsign derives these columns and to understand Logsign's column architecture.
3- Logsign has a NoSQL architecture built on Elasticsearch, and the query language used in reports and search is Lucene. As a result, it returns results much faster than SQL-based architectures.
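The following added example (not Logsign's own code) shows how the field:value clauses from points 1 and 2 can be composed into a Lucene filter. It applies the escaping rules of the Lucene classic query parser, so a column value containing spaces, colons or other operator characters (a URL, a user agent) is matched literally instead of being parsed as query syntax; the field names and values are the ones from this article, and the Url column is a constructed sample.

```python
import re

# Characters the Lucene classic query parser treats as syntax. A value taken
# from a log column (a URL, a path, a user agent) may contain them, so they are
# escaped with a backslash to keep the value matched literally.
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|])')


def lucene_term(field, value):
    """Build one field:value clause, as clicking a parsed column does."""
    value = str(value)
    if not value:
        raise ValueError("empty value for field %s" % field)
    if any(ch.isspace() for ch in value):
        # Whitespace would end the term, so wrap the value as a phrase;
        # inside quotes only the backslash and the quote itself need escaping.
        phrase = value.replace("\\", "\\\\").replace('"', '\\"')
        return '%s:"%s"' % (field, phrase)
    return "%s:%s" % (field, _SPECIAL.sub(r"\\\1", value))


def compose_filter(columns, operator="AND"):
    """Join the clauses for a list of (column, value) pairs with AND or OR."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    clauses = [lucene_term(field, value) for field, value in columns]
    if not clauses:
        raise ValueError("no columns given")
    return (" %s " % operator).join(clauses)


if __name__ == "__main__":
    # Constructed sample: the two IP columns from the article, the SonicWall
    # web-access event description, and a hypothetical Url column whose value
    # carries characters Lucene would otherwise parse as operators.
    print(compose_filter([
        ("Source.IP", "192.168.104.109"),
        ("Destination.IP", "192.168.3.201"),
        ("Event.Info", "Web Site Access"),
        ("Url", "http://example.com/a?b=1"),
    ]))
```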