
    Log Search in EventLog Analyzer

    EventLog Analyzer provides a robust search engine to help you retrieve log data during investigations. You can search the raw logs collected by the server and detect events of interest such as misconfigurations, viruses, unauthorized access, unusual logons, application errors, and more.

    EventLog Analyzer provides basic and advanced search functionality. The supported query types are wild-card, phrase, boolean and grouped searches.

    How to search: Basic and Advanced

    1. Go to the Search tab.
    2. Click Pick device and select the devices across which you want to search. Click Add. If nothing is specified in this field, the log search is carried out across all available devices.
    3. Select the log type from the drop-down box. By default the selection is All Log Types, and the search is carried out across all log types.
    4. Select the period as required.
    5. Search Help Card is a built-in guide that lists the types of search queries you can perform in the search box. You can also watch the how-to-search tutorials.
    6. Use Basic search to enter your own search string or search criteria. Either:
      • Type the field value into the Search box, or
      • Type the field name and value into the Search box.
    7. To build complex search expressions with the interactive search builder, click Advanced.
      • Specify field values for your search criteria.
      • Click '+' to add a field. Click '⨯' to remove a field.
      • Select the logical operator 'AND' or 'OR' between the fields.
      • Click Add group to construct a new set of field values.
      • Click Add.
    8. Click Search to see the results and the result graph.
    Note: The result graph is displayed for a period of two weeks only.

    Types of basic search queries

    Using boolean operators:

    You can use the following boolean operators: AND, OR, NOT.

    Syntax: <field name> = <field value> <boolean operator> <field name> = <field value>

    Example: HOSTNAME = AND USERNAME = guest

    Using comparison operators:

    You can use the following comparison operators: =, !=, >, <, >=, <=.

    Syntax: <field name> <comparison operator> <field value>

    Example: HOSTNAME =

    Using wild-card characters:

    You can use the following wild-card characters: ? for a single character and * for multiple characters.

    Syntax: <field name> = <partial field value> <wild-card character>

    Example: HOSTNAME = 192.*

    Using phrases:

    Use double quotes ("") to specify a phrase as the field value.

    Syntax: <field name> = "<partial field value>"

    Example: MESSAGE = "session"

    Using grouped fields:

    Use round brackets () to enclose groups of search criteria and relate them to other groups or search criteria using boolean operators.

    Syntax: (<search criteria group>) <boolean operator> <search criterion>

    Example: (SEVERITY = debug OR FACILITY = user) and HOSTNAME =
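    The query syntax described above, as an added illustration (this is not EventLog Analyzer's own search engine): a small Python parser and evaluator for <field name> <operator> <field value> criteria combined with boolean operators, wild-cards, quoted phrases and round-bracket groups, run over constructed sample records. The helper names (search, compile_query, LOGS) and the matching semantics (quoted phrases match as substrings, comparisons are case-insensitive, > and < order numerically) are assumptions made for this example.

```python
import re
from fnmatch import fnmatchcase
TOKEN = re.compile(r'\s*(?:(\()|(\))|("[^"]*")|(>=|<=|!=|=|>|<)|([^\s()=!<>"]+))')  # ( ) "phrase" operator word
def _num(s):  # numbers compare numerically, any other value compares as text
    return (0, float(s)) if re.fullmatch(r"-?\d+(\.\d+)?", s) else (1, s)
def _eq(actual, wanted):
    # Assumed semantics: a "quoted phrase" matches as a substring, * and ? are wildcards,
    # any other value must match exactly; all matching is case-insensitive.
    if wanted.startswith('"'): return wanted.strip('"') in actual
    if set("*?") & set(wanted): return fnmatchcase(actual, wanted)
    return actual == wanted
OPS = {"=": _eq, "!=": lambda a, b: not _eq(a, b),
       ">": lambda a, b: _num(a) > _num(b), "<": lambda a, b: _num(a) < _num(b),
       ">=": lambda a, b: _num(a) >= _num(b), "<=": lambda a, b: _num(a) <= _num(b)}
def tokenize(query):
    toks, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m: raise ValueError(f"bad query near {query[pos:]!r}")
        toks.append(m.group(m.lastindex)); pos = m.end()
    return toks

def compile_query(query):  # recursive descent: OR binds loosest, then AND, then NOT / ( ) / comparison
    toks, i = tokenize(query), 0
    def peek(): return toks[i].upper() if i < len(toks) else None
    def take(): nonlocal i; i += 1; return toks[i - 1]   # IndexError if the query is cut short
    def binary(keyword, sub, combine):   # left-associative chain: sub (keyword sub)*
        f = sub()
        while peek() == keyword: take(); f = (lambda l, r: lambda rec: combine(l(rec), r(rec)))(f, sub())
        return f
    parse_or = lambda: binary("OR", parse_and, lambda a, b: a or b)
    parse_and = lambda: binary("AND", parse_not, lambda a, b: a and b)
    def parse_not():
        if peek() == "NOT": take(); inner = parse_not(); return lambda rec: not inner(rec)
        if peek() == "(":
            take(); inner = parse_or()
            if take() != ")": raise ValueError("missing ')'")
            return inner
        field, fn, value = take().upper(), OPS[take()], take()   # KeyError here on an unknown operator
        return lambda rec: fn(str(rec.get(field, "")).lower(), value.lower())
    pred = parse_or()
    if i != len(toks): raise ValueError(f"unexpected token {toks[i]!r}")
    return pred
def search(records, query):  # the records a query selects, like a filtered Search result
    return list(filter(compile_query(query), records))
LOGS = [  # constructed sample records standing in for collected raw logs (not real data)
    {"HOSTNAME": "192.168.1.10", "USERNAME": "guest", "SEVERITY": "info", "FACILITY": "auth", "PID": "4321", "MESSAGE": "session opened for user guest"},
    {"HOSTNAME": "192.168.1.22", "USERNAME": "admin", "SEVERITY": "debug", "FACILITY": "user", "PID": "77", "MESSAGE": "config reloaded"},
    {"HOSTNAME": "10.0.0.5", "USERNAME": "guest", "SEVERITY": "error", "FACILITY": "kern", "PID": "9000", "MESSAGE": "disk failure"}]
```

    AND binds tighter than OR, so a query such as USERNAME = admin OR USERNAME = guest AND SEVERITY = error selects the admin records plus the guest records at error severity; use round brackets when the other grouping is intended.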
