Query Syntax


The EventSentry web reports use the Apache Lucene Query Parser Syntax, whose core building block is a field:value pair. The examples below illustrate the most common constructs.

Search a single field by giving the field name and the value (the query for this first example is not present on the page and is supplied here from the pattern of the examples that follow):

log:Security

Events from the "Security" event log


You can search for multiple values of the same field by grouping the values inside parentheses:

log:(Application OR System)

Events from either the Application or System event log


Search multiple fields by combining them with the logical AND or OR operator:

log:Application AND source:EventSentry

Events from the Application event log with event source "EventSentry"


Exclude results by prefixing the value with a minus sign:

log:Security AND id:(-5447)

Events from the Security event log except events with event ID 5447


Use the ? wildcard to match any single character and the * wildcard to match zero or more characters:

log:Security AND category:Process*

Events from the Security event log with any category that starts with "Process"


Use quotes when searching for text strings that contain one or more spaces:

log:Security AND category:"Process Creation"

Events from the Security event log with category "Process Creation"


You can omit the field name when searching the default field (e.g. the event message for event log searches):

*john.johnson* OR *jack.jackson*

Events containing "john.johnson" or "jack.jackson"


Restrict numerical fields to a range of values with square brackets (both ends are inclusive, and * stands for an open end):

log:Security AND id:[528 TO 539]

Events from the "Security" event log with event IDs from 528 to 539

log:Security AND id:[4625 TO *]

Events from the "Security" event log with event IDs greater than or equal to 4625
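The constructs above compose mechanically, so when queries are generated from lists (event IDs, account names, categories) a small builder keeps them well-formed: values containing spaces are quoted and the characters the Lucene query parser treats specially are backslash-escaped, so a stray colon or bracket in a value cannot change the meaning of the query. This is an added example, not EventSentry's own code; the function names are my own and only the syntax shown on this page is assumed.

```python
import re

# Characters the Lucene classic query parser treats specially in an unquoted term.
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/])')


def term(value, wildcard=False):
    """Render one value for use after 'field:'.
    wildcard=True passes ? and * through unchanged (e.g. 'Process*'); otherwise
    special characters are escaped and values containing spaces are double-quoted."""
    s = str(value)
    if wildcard:
        return s
    if " " in s:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return _SPECIAL.sub(r"\\\1", s)


def field(name, *values, exclude=False, wildcard=False):
    """field:value, field:(a OR b), or field:(-a -b) for an exclusion."""
    terms = [term(v, wildcard) for v in values]
    if exclude:
        return f"{name}:(" + " ".join("-" + t for t in terms) + ")"
    if len(terms) == 1:
        return f"{name}:{terms[0]}"
    return f"{name}:(" + " OR ".join(terms) + ")"


def numeric_range(name, low=None, high=None):
    """Inclusive range; an open end is written as * (id:[4625 TO *])."""
    lo = "*" if low is None else low
    hi = "*" if high is None else high
    return f"{name}:[{lo} TO {hi}]"


def default_field_any(*values):
    """Substring match on the default field, like *john.johnson* OR *jack.jackson*."""
    return " OR ".join("*" + term(v) + "*" for v in values)


def all_of(*clauses):
    return " AND ".join(clauses)


def any_of(*clauses):
    return "(" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample: Security log, process creation events, two accounts of interest.
    print(all_of(field("log", "Security"), field("category", "Process Creation"),
                 any_of(default_field_any("john.johnson", "jack.jackson"))))
```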