Query Syntax

The EventSentry web reports use the Apache Lucene Query Parser Syntax, whose core building block is the field:value pair. The examples below illustrate the most common forms of that syntax.

 

log:Security

Events from the "Security" event log

 

You can search for multiple values of the same field by grouping the values inside a parenthesis:

 

log:(Application OR System)

Events from either the Application or System event log

 

Search multiple fields by combining them with the logical AND or OR operator:

 

log:Application AND source:EventSentry

Events from the Application event log with event source "EventSentry"

 

Exclude results by prefacing them with a minus:

 

log:Security AND id:(-5447)

Events from the Security event log except events with event id 5447

 

Use the ? wildcard to match any single character and the * wildcard to match zero or more characters:

 

log:Security AND category:Process*

Events from the Security event log with any category that starts with "Process"

 

Use quotes when searching for text strings that contain one or more spaces:

 

log:Security AND category:"Process Creation"

Events from the Security event log with category "Process Creation"

 

You can omit the field name when searching the default field (e.g. the event message for event log searches):

 

*john.johnson* OR *jack.jackson*

Events containing "john.johnson" or "jack.jackson"

 

Restrict numerical fields to a range of values with brackets:

 

log:Security AND id:[528 TO 539]

Events from the "Security" event log with event ids from 528 to 539

 

log:Security AND id:[4625 TO *]

Events from the "Security" event log with event ids equal to or larger than 4625
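As an added illustration that is not part of the EventSentry documentation and not EventSentry's own implementation, the following Python script implements a small evaluator for the subset of the Lucene syntax shown above (field:value pairs, grouped values in parentheses, AND/OR, minus exclusion, the ? and * wildcards, quoted phrases and [x TO y] ranges) and runs this page's example queries over a handful of constructed event records. The sample events, the field names used in them and the whitespace-based word matching are assumptions made for the example; real Lucene analyzes fields differently, and this toy parser treats AND as binding tighter than OR.

```python
import re

# Constructed sample events (not from the page); "message" is the default field for event log searches.
EVENTS = [
    {"log": "Security", "id": 529, "category": "Logon", "message": "Logon Failure: bad password. User Name: jack.jackson"},
    {"log": "Security", "id": 4625, "category": "Logon", "message": "An account failed to log on. Account Name: john.johnson"},
    {"log": "Security", "id": 4688, "category": "Process Creation", "message": "A new process has been created: notepad.exe"},
    {"log": "Security", "id": 5447, "category": "Filtering Platform Policy Change", "message": "A WFP filter has been changed."},
    {"log": "Application", "source": "EventSentry", "id": 10100, "category": "Service", "message": "EventSentry agent started"},
    {"log": "System", "source": "Service Control Manager", "id": 7036, "category": "None", "message": "Print Spooler entered the running state."},
]
DEFAULT_FIELD = "message"

# Tokens: ( ) "quoted phrase" [lo TO hi] or a bare word, optionally prefixed with "-" and/or "field:"
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|\[[^\]]*\]|[^\s()\[\]"]+')


class Parser:
    # Recursive descent over:  or_expr := and_expr ("OR" and_expr)*   and_expr := term ("AND" term)*
    #   term := "-"? ("field:")? ( "(" or_expr ")" | "phrase" | [lo TO hi] | word )
    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def advance(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self, field):
        left = self.parse_and(field)
        while self.peek() == "OR":
            self.advance()
            left = ("or", left, self.parse_and(field))
        return left

    def parse_and(self, field):
        left = self.parse_term(field)
        while self.peek() == "AND":
            self.advance()
            left = ("and", left, self.parse_term(field))
        return left

    def parse_term(self, field):
        tok = self.advance()
        negate = tok is not None and tok.startswith("-")   # "-value" excludes matches
        tok = tok[1:] if negate else tok
        m = re.match(r"^(\w+):(.*)$", tok or "")
        if m:                                   # explicit field:value
            field, tok = m.group(1), m.group(2)
            if tok == "":                       # "field:" followed by a ( " or [ token
                tok = self.advance()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":                          # grouped values inherit the field
            node = self.parse_or(field)
            if self.advance() != ")":
                raise ValueError("missing closing parenthesis")
        elif tok.startswith("["):              # [lo TO hi]; "*" means open-ended
            lo, hi = (s.strip() for s in tok[1:-1].split(" TO "))
            node = ("range", field, lo, hi)
        elif tok.startswith('"'):              # quoted phrase, matched as a whole
            node = ("match", field, tok[1:-1])
        else:
            node = ("match", field, tok)
        return ("not", node) if negate else node


def evaluate(node, event):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "not":
        return not evaluate(node[1], event)
    value = event.get(node[1])
    if value is None:                           # field absent from this event
        return False
    if kind == "range":
        lo, hi, number = node[2], node[3], float(value)
        return (lo == "*" or float(lo) <= number) and (hi == "*" or number <= float(hi))
    # "match": ? matches exactly one character, * zero or more, everything else is literal; a term
    # matches the whole field value or any whitespace-separated word in it, case-insensitively
    rx = re.compile("".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in node[2]), re.I)
    return bool(rx.fullmatch(str(value))) or any(rx.fullmatch(w) for w in str(value).split())


def search(query, events=EVENTS):
    """Return the ids of the events matching a Lucene-style query string, in input order."""
    parser = Parser(query)
    tree = parser.parse_or(DEFAULT_FIELD)
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [e["id"] for e in events if evaluate(tree, e)]
```

Calling search("log:Security AND id:(-5447)") on the constructed events returns the ids 529, 4625 and 4688, and search("log:Security AND id:[4625 TO *]") returns 4625, 4688 and 5447, mirroring the descriptions next to the page's examples. The field name is carried into a parenthesised group, which is what makes log:(Application OR System) and id:(-5447) work, and a range with * on one side is left open on that side.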