How to Search


EventLog Analyzer provides a dedicated section for log data search under the Search tab of the product. You can search raw logs collected by the server and detect network anomalies like mis-configurations, viruses, unauthorized access, applications errors, and more.

 

 

 

The procedure to search the logs is given below:

 

Select specific devices/device Groups for log search

To narrow down the search to specific devices/device groups, type in their names in the text box provided or use the 'Pick Device' link to select them from the list of added devices and device groups. If nothing is specified in this field, log search will be carried out across all available devices.

Select specific log types for log search

You can narrow down the search to specific log types (Windows event logs, syslogs, Oracle logs), by selecting them from the Log Types list. By default the selection is All Log Types, and the search is carried out across all log types.

 

Types of Search

EventLog Analyzer supports both Basic and Advanced search. Types of search queries supported are wild-card, phrase, boolean, grouped, and range searches.

 

Basic Search

If you want to manually type-in your own search string/search criteria, use Basic search.

 

Basic Search Criteria

 

Search for field values: Type the field value directly into the Search box.

Basic Search Value only

 

Search for field value pairs: Type the field name and value directly into the Search box. The expression for a field name and value pair is <field name>=<field value>.

Basic Search Name Value pair

 

 

Advanced Search

To build complex search expressions with the aid of an interactive search builder, click Advanced.

 

Advanced Search

Set criteria to search

A search query consists of one or more groups of search criteria, each containing one or more field value pairs. Fields and groups are related to each other through boolean operators. Once you have defined the query, click Apply.

 

Advanced Search Criteria

 

The constructed search query appears in the text box. Click Go to preview the search results.

Advanced Search step 1

 

Results are displayed in a Result Graph and the matching log entries are listed below. The result graph is displayed for a period of two weeks only.

Advanced Search - Result

 

 Note: If you have upgraded to the latest version of the product in the previous two weeks, the graph is displayed only from the date of upgrade.

‚Äč

Clear and save searches

Once you have entered the result preview, you will see options to clear the search query, or save the search results as a report or an an alert.

Advanced Search - step-2

 

More Search Examples - Basic Search

Using boolean operators:

An expression with boolean operators looks like the following: <field name>=<field value> <boolean> <field name>=<field value>. You can use the following boolean operators: AND, OR, NOT.

Example: HOSTNAME = 192.168.117.59 AND USERNAME = guest

 

Basic Search - Boolean Expression

 

 

Using comparison operators:

An expression with comparison operators looks like the following: <field name> <comparison operator> <field value>. You can use the following comparison operators: =, !=, >, <, >=, <=.

Example: HOSTNAME = 192.168.117.59

 

Basic Search - Comparison Operator

 

 

Using wild-card characters:

An expression with wild-card characters looks like the following: <field name> = <partial field value> <wild-card character>. You can use the following wild-card characters: ? for a single character, * for multiple characters.

Example: HOSTNAME = 192.*

 

Basic Search - using wild card characters

 

 

Using phrases:

An expression with a phrase looks like the following: <field name> = "<partial field value>". Use double quotes ("") to specify a phrase as the field value.

Example: MESSAGE = "session"

 

Basic Search - phrase value

 

 

Using ranges:

An expression with a range of values looks like the following: <field name> = [<from-value> TO <to-value>]. Use square brackets [] to enclose the 'from' and 'to' values, separated by the keyword TO.

Example: USERNAME = [k TO z]

 

Basic Search - range values

 

 

Using grouped fields:

An expression with grouped fields looks like the following: (<search criteria group>) <boolean operator> <search criterion>. Use round brackets () to enclose groups of search criteria (which is a set of criteria related by boolean operators) and relate them to other groups or search criteria using boolean operators, as in the previous examples.

Example: (SEVERITY = debug OR FACILITY = user) and HOSTNAME = 192.168.117.59

 

Basic Search - grouped fields

Get download link