EventLog Analyzer provides a dedicated section for log data search under the Search tab of the product. You can search the raw logs collected by the server and detect network anomalies such as misconfigurations, viruses, unauthorized access, application errors, and more.
The procedure to search the logs is given below:
Select specific devices/device groups for log search
To narrow down the search to specific devices/device groups, type in their names in the text box provided or use the 'Pick Device' link to select them from the list of added devices and device groups. If nothing is specified in this field, log search will be carried out across all available devices.
Select specific log types for log search
You can narrow down the search to specific log types (Windows event logs, syslogs, Oracle logs), by selecting them from the Log Types list. By default the selection is All Log Types, and the search is carried out across all log types.
Types of Search
EventLog Analyzer supports both Basic and Advanced search. Types of search queries supported are wild-card, phrase, boolean, grouped, and range searches.
If you want to manually type in your own search string or search criteria, use Basic search.
Search for field values: Type the field value directly into the Search box.
Search for field value pairs: Type the field name and value directly into the Search box. The expression for a field name and value pair is <field name>=<field value>.
To build complex search expressions with the aid of an interactive search builder, click Advanced.
Set criteria to search
A search query consists of one or more groups of search criteria, each containing one or more field value pairs. Fields and groups are related to each other through boolean operators. Once you have defined the query, click Apply.
The constructed search query appears in the text box. Click Go to preview the search results.
Results are displayed in a Result Graph and the matching log entries are listed below. The result graph is displayed for a period of two weeks only.
Note: If you have upgraded to the latest version of the product in the previous two weeks, the graph is displayed only from the date of upgrade.
Clear and save searches
Once you have entered the result preview, you will see options to clear the search query, or to save the search results as a report or an alert.
More Search Examples - Basic Search
Using boolean operators:
An expression with boolean operators looks like the following: <field name>=<field value> <boolean> <field name>=<field value>. You can use the following boolean operators: AND, OR, NOT.
Example: HOSTNAME = 192.168.117.59 AND USERNAME = guest
Using comparison operators:
An expression with comparison operators looks like the following: <field name> <comparison operator> <field value>. You can use the following comparison operators: =, !=, >, <, >=, <=.
Example: HOSTNAME = 192.168.117.59
Using wild-card characters:
An expression with wild-card characters looks like the following: <field name> = <partial field value> <wild-card character>. You can use the following wild-card characters: ? for a single character, * for multiple characters.
Example: HOSTNAME = 192.*
Using phrases:
An expression with a phrase looks like the following: <field name> = "<partial field value>". Use double quotes ("") to specify a phrase as the field value.
Example: MESSAGE = "session"
Using ranges:
An expression with a range of values looks like the following: <field name> = [<from-value> TO <to-value>]. Use square brackets to enclose the 'from' and 'to' values, separated by the keyword TO.
Example: USERNAME = [k TO z]
Using grouped fields:
An expression with grouped fields looks like the following: (<search criteria group>) <boolean operator> <search criterion>. Use round brackets () to enclose groups of search criteria (which is a set of criteria related by boolean operators) and relate them to other groups or search criteria using boolean operators, as in the previous examples.
Example: (SEVERITY = debug OR FACILITY = user) AND HOSTNAME = 192.168.117.59
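To see how the basic search syntax above (field value pairs, boolean operators, comparison operators, wild-cards, phrases, ranges and grouped fields) resolves against actual log records, the following is an added worked example: a small tokenizer and recursive-descent evaluator for that query language, run over constructed sample records. It is illustration written for this page, not EventLog Analyzer's own search engine, and the exact matching rules it applies are assumptions rather than documented product behaviour: field names and values compare case-insensitively, = and != match the whole value with ? (one character) and * (any run) wild-cards, a quoted phrase is a substring match, [a TO b] is an inclusive string range, the comparison operators compare numerically when both sides are numbers and as strings otherwise, NOT binds tighter than AND and AND tighter than OR, a value typed without a field name is looked up in every field, and a record that lacks the named field never matches, not even for !=. The field names and sample values (HOSTNAME, USERNAME, SEVERITY, FACILITY, MESSAGE, EVENTID) follow this page's examples.

```python
"""EventLog Analyzer-style basic search evaluated over in-memory log records.
Added illustration for this page, not the product's code; the matching rules
(case-insensitive fields and values, substring phrases, inclusive string ranges,
numeric comparison when both sides are numbers, NOT > AND > OR) are assumptions."""
import re

# One token per match; the name of the group that matched is the token kind
TOKEN_RE = re.compile(r'\s*(?:(?P<LPAREN>\()|(?P<RPAREN>\))|(?P<OP>>=|<=|!=|=|>|<)'
                      r'|"(?P<PHRASE>[^"]*)"|\[(?P<RANGE>[^\]]*)\]|(?P<WORD>[^\s()=!<>"\[\]]+))')

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos}: {query[pos:]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "WORD" and text.upper() in ("AND", "OR", "NOT"):
            kind, text = "KW", text.upper()       # boolean keywords accepted in any case
        tokens.append((kind, text))
    return tokens

def _compare(actual, op, expected):
    try:
        a, e = float(actual), float(expected)     # numeric when both sides parse as numbers
    except ValueError:
        a, e = actual.lower(), expected.lower()   # otherwise plain string order
    return {">": a > e, "<": a < e, ">=": a >= e, "<=": a <= e}[op]

def _term(field, op, kind, value):
    """Predicate for one criterion; field=None means a bare value searched in every field."""
    if kind == "RANGE":                           # inclusive, compared as lower-cased strings
        hit = lambda s: value[0].lower() <= s.lower() <= value[1].lower()
    elif kind == "PHRASE":                        # case-insensitive substring
        hit = lambda s: value.lower() in s.lower()
    elif op in ("=", "!="):                       # ? -> one char, * -> any run, rest literal
        pat = re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value), re.I)
        hit = lambda s: pat.fullmatch(s) is not None
    else:
        hit = lambda s: _compare(s, op, value)
    def match(rec):
        if field is not None and field.upper() not in rec:
            return False                          # missing field never matches, even for !=
        found = any(hit(v) for v in (rec.values() if field is None else [rec[field.upper()]]))
        return not found if op == "!=" else found
    return match

def compile_query(query):
    """Recursive descent; precedence loosest to tightest: OR, AND, NOT, then (group), field op value, bare value."""
    toks = tokenize(query)                        # consumed from the front while parsing
    def take(*kinds):                             # next token, which must be one of kinds (any if empty)
        if not toks or (kinds and toks[0][0] not in kinds):
            raise ValueError(f"expected {' or '.join(kinds) or 'a value'}, got {toks[0][1] if toks else 'end of query'}")
        return toks.pop(0)
    def kw(word):                                 # consume the boolean keyword if it is next
        return toks[:1] == [("KW", word)] and toks.pop(0)
    def binop(word, operand, combine):            # left-associative chain: operand (word operand)*
        left = operand()
        while kw(word):
            left = combine(left, operand())
        return left
    or_expr = lambda: binop("OR", and_expr, lambda l, r: lambda rec: l(rec) or r(rec))
    and_expr = lambda: binop("AND", not_expr, lambda l, r: lambda rec: l(rec) and r(rec))
    def not_expr():                               # NOT applies to the single criterion or group after it
        return (lambda p: lambda rec: not p(rec))(not_expr()) if kw("NOT") else primary()
    def primary():
        kind, text = take("LPAREN", "WORD", "PHRASE")
        if kind == "LPAREN":
            inner = or_expr()
            take("RPAREN")
            return inner
        if not toks or toks[0][0] != "OP":        # bare value with no field name
            return _term(None, "=", kind, text)
        op, (vkind, value) = take("OP")[1], take("WORD", "PHRASE", "RANGE")
        if vkind == "RANGE":
            value = tuple(re.split(r"\s+TO\s+", value.strip(), flags=re.I))
            if len(value) != 2:
                raise ValueError(f"range after {text} must be [from TO to]")
        if vkind != "WORD" and op not in ("=", "!="):
            raise ValueError(f"{op} cannot be applied to a phrase or range")
        return _term(text, op, vkind, value)
    pred = or_expr()
    if toks:
        raise ValueError(f"unexpected {toks[0][1]!r}")
    return pred

def search(query, records):
    """Records matching the query, in original order; ValueError on a malformed query."""
    pred = compile_query(query)
    return [r for r in records if pred(r)]

# Constructed sample records (not product output); field names follow this page's examples.
SAMPLE_LOGS = [
    {"HOSTNAME": "192.168.117.59", "USERNAME": "guest", "SEVERITY": "info", "FACILITY": "auth", "MESSAGE": "session opened for user guest", "EVENTID": "4624"},
    {"HOSTNAME": "192.168.117.59", "USERNAME": "kevin", "SEVERITY": "debug", "FACILITY": "user", "MESSAGE": "cron job completed", "EVENTID": "4688"},
    {"HOSTNAME": "192.168.3.20", "USERNAME": "root", "SEVERITY": "warning", "FACILITY": "auth", "MESSAGE": "session closed for user root", "EVENTID": "4634"},
    {"HOSTNAME": "10.0.0.7", "USERNAME": "alice", "SEVERITY": "error", "FACILITY": "user", "MESSAGE": "application crashed: segfault", "EVENTID": "1000"},
    {"HOSTNAME": "192.168.117.60", "USERNAME": "svc_bkp", "SEVERITY": "notice", "FACILITY": "cron", "MESSAGE": "backup finished with 3 warnings", "EVENTID": "7040"},
]
```

Calling search("HOSTNAME = 192.168.117.59 AND USERNAME = guest", SAMPLE_LOGS) returns only the guest record, search("USERNAME = [k TO z]", SAMPLE_LOGS) returns kevin, root and svc_bkp, and the grouped example from this page returns only the debug/user record on 192.168.117.59. Two details worth noting when reading search results in any tool: EVENTID > 999 matches the 1000 record only because both sides are treated as numbers (as strings, "1000" sorts before "999"), and a malformed query such as USERNAME > "guest" or an unclosed group is rejected with a ValueError rather than silently matching nothing.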