Searching for and Viewing Events › Event Search Syntax Guidelines and Best Practices › Functions

Functions

This section lists some best practices for the 'not', 'matches', and 'fn:Parse()' functions.

Not

• Use the 'not' function to return events that do not match the entered pattern. This example returns all events that have a severity other than Critical:

  not(Severity='Critical')
  

• You can also use the 'not' function to detect a missing event. This example, when paired with a pattern detecting a 'backup started' event, detects when the expected 'backup stopped' event did not occur:

  not(matches(Summary,'backup stopped'))
  

For more information about detecting a missing event, see Event Search Examples: Advanced Search Techniques.

Matches

• Use the 'matches' function to return events based on partial match criteria. Use regular expressions within this function to construct the match criteria. This example returns events with a severity that starts with M and a message that contains the phrase 'service has stopped':

  matches(Severity,'^M.*') and matches(Message,'service has stopped')
  

• Use the 'not' and 'matches' functions in combination with one another to return events that do not match partial criteria. This example returns events with a severity that does not start with M:

  not(matches(Severity,’M.*’))
  

fn:Parse()

• Correlate events based on property fragments using the fn:Parse() function. This example returns events with the server name server1 in a specific place in the event Message property:

  fn:Parse(Message,'device=(.*?).ca.com')='server1'
  

• Use regular expressions to construct the parsing function.

For more information about parsing property values to use fragments in event searches, see Event Search Examples: Advanced Search Techniques.