The EventSentry web reports use the Apache Lucene Query Parser Syntax which uses field:value pairs for the core syntax. The examples below illustrate the most common syntax based on examples.
Search for all events from the security event log:
|
log:Security |
Events from the "Security" event log |
Search for multiple values of the same field by grouping the values inside a parenthesis:
|
log:(Application OR System) |
Events from either the Application or System event log |
Search multiple fields by combining them with the logical AND or OR operator:
|
log:Application AND source:EventSentry |
Events from the Application event log with event source "EventSentry" |
Exclude results by prefacing them with a minus:
|
log:Security AND id:(-5447) |
Events from the Security event log except events with event id 5447 |
Use the ? wild card to match any single character, use the * wild card to match 0 or more characters:
|
log:Security AND category:Process* |
Events from the Security event log with any category that starts with "Process" |
Use quotes when searching for text strings that contain one or more spaces:
|
log:Security AND category:"Process Creation" |
Events from the Security event log with category "Process Creation" |
Omit the field name when searching the default field (e.g. the event message for event log searches):
|
*john.johnson* OR *jack.jackson* |
Events containing "john.johnson" or "jack.jackson" |
Restrict numerical fields to a range of values with brackets:
|
log:Security AND id:[4727 TO 4730] |
Events for group changes of global security-enabled groups |
|
name:"Applications*CPU" AND value:[5 TO *] |
Performance Status: Lists all processes that have a CPU utilization of 5% or more |
