
The EventSentry web reports use the Apache Lucene Query Parser Syntax, whose core building block is the field:value pair. The examples below illustrate the most common constructs.

Search for all events from the security event log:

Events from the "Security" event log

Search for multiple values of the same field by grouping the values inside parentheses:

log:(Application OR System)

Events from either the Application or System event log

Search multiple fields by combining them with the logical AND or OR operator:

log:Application AND source:EventSentry

Events from the Application event log with event source "EventSentry"

Exclude results by prefixing them with a minus sign:

log:Security AND id:(-5447)

Events from the Security event log except events with event id 5447

Use the ? wild card to match any single character and the * wild card to match zero or more characters:

log:Security AND category:Process*

Events from the Security event log with any category that starts with "Process"

Use quotes when searching for text strings that contain one or more spaces:

log:Security AND category:"Process Creation"

Events from the Security event log with category "Process Creation"

Omit the field name when searching the default field (e.g. the event message for event log searches):

*john.johnson* OR *jack.jackson*

Events containing "john.johnson" or "jack.jackson"

Restrict numerical fields to a range of values with brackets:

log:Security AND id:[4727 TO 4730]

Events for group changes of global security-enabled groups

name:"Applications*CPU" AND value:[5 TO *]
Performance Status: Lists all processes that have a CPU utilization of 5% or more
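To see how these constructs combine (field:value pairs, grouped values, AND/OR, exclusion with a leading minus, the ? and * wild cards, quoted phrases, the default field and [lo TO hi] ranges with * as an open end), here is a small query evaluator written for this page. It is an added example, not EventSentry's or Lucene's code: it assumes the event message is the default field, runs against constructed sample records embedded below, and simplifies real Lucene by matching each term case-insensitively against the whole field value (which is why the page wraps message terms in *) and by honouring wild cards inside quotes.

```python
"""Toy evaluator for the field:value query syntax listed above. Added example,
not EventSentry or Lucene code. Simplification: a term is matched case-
insensitively against the WHOLE field value, and '*'/'?' work inside quotes."""
import re

DEFAULT_FIELD = "message"  # assumption: the event message is the default field
TOKEN_RE = re.compile(
    r'(?P<ws>\s+)|(?P<quoted>"[^"]*")|(?P<field>[A-Za-z_][\w.]*):'
    r'|(?P<punct>[()\[\]])|(?P<neg>-)(?=\S)|(?P<word>[^\s()\[\]"]+)'
)

def tokenize(query):
    """Return (kind, text) tokens; reject any character no rule accepts."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:
            break
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    if pos != len(query):
        raise ValueError(f"bad character at offset {pos}: {query[pos]!r}")
    return tokens

def parse(query):
    """Build a tuple tree. Precedence: '-' > AND > OR. A field name covers the
    whole value that follows it, so id:(-5447) reads 'id is not 5447'."""
    toks, i = tokenize(query) + [("end", "")], 0
    def take(expected=None):
        nonlocal i
        if toks[i][0] == "end" or (expected and toks[i] != expected):
            raise ValueError(f"got {toks[i][1]!r}, wanted {expected[1] if expected else 'a term'}")
        i += 1
        return toks[i - 1]
    def binary(op, operand, field):         # left-associative AND / OR chain
        left = operand(field)
        while toks[i] == ("word", op):
            take()
            left = (op.lower(), left, operand(field))
        return left
    def atom(field):
        kind, text = take()
        if kind == "neg":                   # leading '-' excludes the next term
            return ("not", atom(field))
        if kind == "field":                 # field:value -> the value inherits the field
            return atom(text)
        if (kind, text) == ("punct", "("):  # grouped values: log:(Application OR System)
            tree = disj(field)
            take(("punct", ")"))
            return tree
        if (kind, text) == ("punct", "["):  # numeric range: id:[4727 TO 4730]
            lo, _, hi, _ = take()[1], take(("word", "TO")), take()[1], take(("punct", "]"))
            return ("range", field, lo, hi)
        if kind in ("word", "quoted"):      # bare term or "quoted phrase"
            return ("match", field, text.strip('"'))
        raise ValueError(f"unexpected {text!r}")
    def conj(field): return binary("AND", atom, field)
    def disj(field): return binary("OR", conj, field)
    tree = disj(None)
    if toks[i][0] != "end":
        raise ValueError(f"unexpected {toks[i][1]!r}")
    return tree

def wildcard_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; the rest is literal."""
    parts = (".*" if p == "*" else "." if p == "?" else re.escape(p) for p in re.split(r"([*?])", pattern))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def evaluate(tree, record, default_field=DEFAULT_FIELD):
    """Return True when the record satisfies the parsed query tree."""
    op, sub = tree[0], lambda t: evaluate(t, record, default_field)
    if op == "and": return sub(tree[1]) and sub(tree[2])
    if op == "or": return sub(tree[1]) or sub(tree[2])
    if op == "not": return not sub(tree[1])
    value = record.get(tree[1] or default_field)
    if value is None:                       # record lacks the field: no match
        return False
    if op == "match":
        return wildcard_regex(tree[2]).fullmatch(str(value)) is not None
    try:                                    # "range": '*' leaves that end open
        num, lo, hi = float(value), tree[2], tree[3]
    except (TypeError, ValueError):
        return False
    return (lo == "*" or num >= float(lo)) and (hi == "*" or num <= float(hi))

def search(query, records):
    """Parse once, then return the records the query matches, in input order."""
    tree = parse(query)
    return [r for r in records if evaluate(tree, r)]

# Constructed sample records (event log rows, then performance rows); not real EventSentry output.
SAMPLE_EVENTS = [
    {"log": "Security", "source": "Security-Auditing", "id": 4688, "category": "Process Creation", "message": "A new process has been created. Account Name: john.johnson"},
    {"log": "Security", "source": "Security-Auditing", "id": 5447, "category": "Filtering Platform Connection", "message": "A Windows Filtering Platform filter has been changed."},
    {"log": "Security", "source": "Security-Auditing", "id": 4728, "category": "Security Group Management", "message": "A member was added to a security-enabled global group. Member: jack.jackson"},
    {"log": "Application", "source": "EventSentry", "id": 100, "category": "General", "message": "The EventSentry agent has started."},
    {"log": "System", "source": "Service Control Manager", "id": 7036, "category": "None", "message": "The Print Spooler service entered the running state."},
]
SAMPLE_PERF = [
    {"name": "Applications(chrome) CPU", "value": 12.5},
    {"name": "Applications(notepad) CPU", "value": 0.3},
    {"name": "Applications(chrome) Memory", "value": 310.0},
]

if __name__ == "__main__":
    for q in ("log:Security AND id:(-5447)", "*john.johnson* OR *jack.jackson*", "log:Security AND id:[4727 TO 4730]"):
        print(f"{q:40} -> {[e['id'] for e in search(q, SAMPLE_EVENTS)]}")
```

Running the module prints which sample event ids each of three page queries selects; `search(query, records)` is the entry point, and an unbalanced parenthesis or a missing value after a field name raises ValueError rather than silently matching nothing, which is the behaviour you want from anything that sits in front of a report backend.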