

Event Properties and Values
- Use only the valid properties and property values defined in Event Properties and Event Information for normalized event searches. Use the right-click menu to automatically populate pattern fields with the appropriate property names and enumerated values.
- All event properties and values are case-sensitive. Using the right-click menu helps ensure the correct case and format for properties and enumerated values.
Syntax
Use the following syntax to complete a basic search pattern:
property[operator]'value'
Note: For deployed policies and when performing searches using string values, property values must be delimited by single quotes. An error message appears when a property is missing a quote character on either side. For example, to enter a pattern that returns events with a severity of Critical, you would enter Severity='Critical'.
Alternatively, leave the search patterns empty to return a console view of all events for the defined scope.
Event Properties
- Performing actions on alerts in the Operations Console does not affect related event properties, such as IsAcknowledged.
- The MdrProduct, MdrProdInstance, and OccurrenceTimestamp properties are used automatically for scoping, so including them in event searches is typically redundant.
- The ID properties (MdrElementID and AlertedMdrElementID) and the properties that use the ID properties as part of their values are unique values that are difficult to derive without looking directly in the Event Store. Typically, the best use of these properties in searches is through the question mark (?) substitution character described in the Special Characters section.
- Always use the right-click menu when entering a value for the AlertedMdrProduct or MdrProduct properties (not available for raw events). The right-click menu converts the displayed connector name values into the valid numeric values for these properties defined in the USM schema. Entering a connector name in an event pattern instead of the numeric value causes the search to fail.
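The guidelines above can be checked before a pattern is saved. The following pre-flight linter is an added example, not part of the product or its documentation. It assumes only the '=' operator shown on this page, knows only the property names mentioned here, and treats any non-numeric value as a string value; lint_pattern and the sample patterns are hypothetical.

```python
import re

# Only the property names that appear on this page; the full schema is in the
# product's Event Properties reference and is not reproduced here.
KNOWN = {"Severity", "IsAcknowledged", "MdrProduct", "MdrProdInstance",
         "OccurrenceTimestamp", "MdrElementID", "AlertedMdrElementID",
         "AlertedMdrProduct"}
SCOPING = {"MdrProduct", "MdrProdInstance", "OccurrenceTimestamp"}
CONNECTOR = {"MdrProduct", "AlertedMdrProduct"}
BY_LOWER = {name.lower(): name for name in KNOWN}

def lint_pattern(pattern):
    """Return a list of findings for one property='value' search pattern."""
    if not pattern.strip():
        return ["empty pattern: returns all events for the defined scope"]
    # Assumption: only the '=' operator shown on the page is handled.
    m = re.fullmatch(r"\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*", pattern)
    if not m:
        return ["not in property='value' form"]
    prop, raw = m.groups()
    findings = []
    if prop not in KNOWN:
        fixed = BY_LOWER.get(prop.lower())
        if fixed is None:
            return [f"{prop}: not a property named on this page"]
        findings.append(f"{prop}: properties are case-sensitive, use {fixed}")
        prop = fixed
    opens, closes = raw.startswith("'"), raw.endswith("'") and len(raw) > 1
    if opens != closes:
        findings.append("value is missing a single quote on one side")
    elif not opens and not raw.isdigit():
        # Assumption: any non-numeric value is a string value.
        findings.append("string value must be delimited by single quotes")
    value = raw.strip("'")
    # A value with no digits cannot be a numeric value. Patterns using the
    # '?' substitution character are skipped (covered in Special Characters).
    if prop in CONNECTOR and "?" not in value and not any(c.isdigit() for c in value):
        findings.append(f"{prop}: expects a numeric value, not a connector name")
    if prop in SCOPING:
        findings.append(f"{prop}: already used for scoping, usually redundant")
    return findings

# Constructed sample patterns, not taken from a real deployment.
if __name__ == "__main__":
    for p in ["Severity='Critical'", "severity='Critical'", "Severity='Critical",
              "AlertedMdrProduct='Example Connector'"]:
        print(f"{p!r}: {lint_pattern(p) or 'ok'}")
```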
Copyright © 2013 CA.
All rights reserved.
 