Query Syntax

The EventSentry web reports use the Apache Lucene Query Parser Syntax, whose core building block is the field:value pair. The examples below illustrate the most common constructs.

Search for all events from the security event log:

log:Security

Events from the "Security" event log

Search for multiple values of the same field by grouping the values inside parentheses:

log:(Application OR System)

Events from either the Application or System event log

Search multiple fields by combining them with the logical AND or OR operator:

log:Application AND source:EventSentry

Events from the Application event log with event source "EventSentry"

Exclude values by prefixing them with a minus sign:

log:Security AND id:(-5447)

Events from the Security event log except events with event ID 5447

Use the ? wildcard to match any single character and the * wildcard to match zero or more characters:

log:Security AND category:Process*

Events from the Security event log with any category that starts with "Process"

Use quotes when searching for text strings that contain one or more spaces:

log:Security AND category:"Process Creation"

Events from the Security event log with category "Process Creation"

Omit the field name when searching the default field (e.g. the event message for event log searches):

*john.johnson* OR *jack.jackson*

Events containing "john.johnson" or "jack.jackson"

Restrict numerical fields to a range of values with brackets:

log:Security AND id:[4727 TO 4730]

Events for changes to security-enabled global groups

Combine a quoted wildcard pattern with an open-ended range (* as the upper bound):

name:"Applications*CPU" AND value:[5 TO *]

Performance Status: Lists all processes that have a CPU utilization of 5% or more
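As an added illustration, not part of EventSentry or its documentation, the following Python evaluates the query forms shown on this page against a handful of constructed event records. It implements only this subset of the Lucene syntax and is not EventSentry's query engine; it assumes AND binds tighter than OR, matches case-insensitively, and treats the event message as the default field.

```python
import re
from fnmatch import fnmatchcase
# Tokens: ( ) [ ] :, a quoted phrase, or a bare term (may carry * ? wildcards or a leading -).
TOKEN = re.compile(r'\(|\)|\[|\]|:|"[^"]*"|[^\s()\[\]":]+')

class LuceneQuery:
    # Compiles a query into a predicate over dict-shaped events; matching is case-insensitive.
    def __init__(self, text, default_field="message"):
        self.toks, self.default = TOKEN.findall(text), default_field
        self.matches = self._expr(None)                 # predicate: event dict -> bool
        if self.toks: raise ValueError(f"unexpected token {self.toks[0]!r}")

    def _expr(self, field, op="OR"):  # OR-list of AND-lists (AND binds tighter); field is inherited
        sub = (lambda f: self._expr(f, "AND")) if op == "OR" else self._clause
        terms = [sub(field)]
        while self.toks[:1] == [op]:
            self.toks.pop(0); terms.append(sub(field))
        return lambda e: (any if op == "OR" else all)(t(e) for t in terms)

    def _clause(self, field):
        tok = self.toks.pop(0)
        if tok == "(":                          # value group, e.g. log:(Application OR System)
            inner = self._expr(field)
            if self.toks.pop(0) != ")": raise ValueError("missing )")
            return inner
        if self.toks[:1] == [":"]:              # field:value
            self.toks.pop(0); return self._clause(tok)
        negate = len(tok) > 1 and tok.startswith("-")   # leading minus excludes the value
        tok, field = (tok[1:] if negate else tok), field or self.default
        if tok == "[":                          # [lo TO hi] numeric range; * leaves an end open
            lo, _to, hi, _close = (self.toks.pop(0) for _ in range(4))
            lo, hi = float("-inf" if lo == "*" else lo), float("inf" if hi == "*" else hi)
            test = lambda e: lo <= float(e.get(field, "nan")) <= hi
        else:                                   # * and ? wildcards, quoted phrases, plain terms
            pat = tok.strip('"').lower()
            test = lambda e: fnmatchcase(str(e.get(field, "")).lower(), pat)
        return (lambda e: not test(e)) if negate else test

# Constructed sample records (not real EventSentry data); the last two mimic performance status rows.
EVENTS = [
    {"log": "Security", "id": 4688, "category": "Process Creation", "message": "Process started by john.johnson"},
    {"log": "Security", "id": 5447, "category": "Filtering Platform Policy Change", "message": "Filter changed"},
    {"log": "Security", "id": 4728, "category": "Security Group Management", "message": "Member added to group"},
    {"log": "Application", "id": 100, "source": "EventSentry", "message": "Constructed agent event"},
    {"name": "Applications\\chrome.exe\\CPU", "value": 12.5},
    {"name": "Applications\\notepad.exe\\CPU", "value": 0.3},
]
def search(query, events=EVENTS):
    q = LuceneQuery(query)                      # compile once, then filter the sample records
    return [e.get("id", e.get("name")) for e in events if q.matches(e)]
```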