

Raw Event Search Limitations
The following table shows the operators and functions that you can use in raw event searches, and which of them also work when the search pattern is used in a normalization policy.

| Feature             | Search | Normalization Policy  |
|---------------------|--------|-----------------------|
| Operators           | All    | Only AND, "=", "!="   |
| 'fn:Parse' function | Yes    | No                    |
| 'not' function      | Yes    | Yes                   |
The following three examples show the only raw event search patterns that are supported for normalization policy deployment:
Severity='Critical' and AlertType='Health'
matches(Severity,'Critical|Fatal')
Severity='Critical' and not(SeverityTrend='Unknown')
Note: The use of the 'not' function has the following limitations:
- The 'not' function accepts only a single operand. For example, not(mdr_dept='Finance' and mdr_size='11') is not supported. Write the negations separately instead: not(mdr_dept='Finance') and not(mdr_size='11') is supported.
- A parenthesized group containing two operands is not supported even when the 'not' function is absent. For example, (mdr_dept='Finance' and mdr_size='11') displays the error message "Unable to Resolve". The same criteria without the parentheses, mdr_dept='Finance' and mdr_size='11', is supported.
When constructing search patterns, consider the following:
- If you do not have a list of the internal properties for the domain manager, run a search for all raw events from the data source. Then you can select the raw event properties returned by the search for use in search patterns using the right-click menu. For help with distinguishing true raw properties from temporary or internal properties that are also returned by raw event searches, see Raw Event Properties in Normalization Actions.
- Raw event property names are case-sensitive in searches; a pattern that spells a property with the wrong case does not match.
- Raw event searches only support a single event pattern with no additional time or occurrence-based criteria. Enter all search criteria in the Event Pattern 1 field.
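The following lint is an added example and is not part of the original page or CA's own search parser. It encodes the restrictions stated above (only AND, '=' and '!=' as operators; 'not' with a single operand; no bare parenthesized groups; 'fn:Parse' unsupported; matches(property,'regex') allowed) so that a pattern can be rejected before it is deployed in a normalization policy, and it reports property names whose only problem is case. The property-name grammar (letters, digits and underscore), the Python function names and the sample patterns are assumptions constructed for the example.

```python
"""Lint raw event search patterns against the normalization-policy limits.

Added example, not CA's parser.  It checks the rules stated on this page:
only AND, '=' and '!=' as operators; not() with a single operand; no bare
parenthesized groups; fn:Parse unsupported; matches(prop,'regex') allowed.
The property-name grammar below is an assumption, not documented syntax.
"""
import re

PROP = r"(?P<prop>[A-Za-z_][A-Za-z0-9_]*)"   # assumed property-name grammar
VALUE = r"'[^']*'"                            # single-quoted literal
TERM_PATTERNS = [
    re.compile(rf"^{PROP}\s*(=|!=)\s*{VALUE}$"),                # Severity='Critical'
    re.compile(rf"^not\(\s*{PROP}\s*(=|!=)\s*{VALUE}\s*\)$"),  # not(SeverityTrend='Unknown')
    re.compile(rf"^matches\(\s*{PROP}\s*,\s*{VALUE}\s*\)$"),   # matches(Severity,'Critical|Fatal')
]


def split_top_level_and(pattern):
    """Split on the keyword 'and' (any case) found outside quotes and parentheses."""
    terms, current, in_quote, depth, i = [], "", False, 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
        at_keyword = (
            not in_quote and depth == 0
            and pattern[i:i + 3].lower() == "and"
            and (i == 0 or pattern[i - 1].isspace())
            and (i + 3 == len(pattern) or pattern[i + 3].isspace())
        )
        if at_keyword:
            terms.append(current.strip())
            current, i = "", i + 3
            continue
        current += ch
        i += 1
    if in_quote or depth != 0:
        raise ValueError("unbalanced quote or parenthesis in pattern")
    terms.append(current.strip())
    return terms


def check_pattern(pattern):
    """Return (ok, reason); ok is True only when every top-level term is supported."""
    try:
        terms = split_top_level_and(pattern)
    except ValueError as err:
        return False, str(err)
    for term in terms:
        if not term:
            return False, "dangling 'and' (missing operand)"
        if term.lower().startswith("fn:parse"):
            return False, "fn:Parse is not supported in a normalization policy"
        if term.startswith("("):
            return False, "parenthesized group is not supported (reported as 'Unable to Resolve')"
        if not any(p.match(term) for p in TERM_PATTERNS):
            if term.lower().startswith("not("):
                return False, "not() accepts a single operand; write not(a) and not(b)"
            return False, f"unsupported term (only AND, =, != and matches() are allowed): {term}"
    return True, "supported"


def property_names(pattern):
    """Property names referenced by the supported terms of a pattern."""
    names = []
    for term in split_top_level_and(pattern):
        for p in TERM_PATTERNS:
            m = p.match(term)
            if m:
                names.append(m.group("prop"))
                break
    return names


def check_property_case(pattern, known_properties):
    """Return (name, suggestion) for each property not in known_properties.

    Property names are case-sensitive, so 'severity' is reported together with
    the exactly spelled 'Severity' when such a near miss exists (else None).
    """
    by_lower = {p.lower(): p for p in known_properties}
    return [(n, by_lower.get(n.lower()))
            for n in property_names(pattern) if n not in known_properties]


if __name__ == "__main__":
    # Constructed sample patterns; the fn:Parse call is a placeholder, not real syntax.
    samples = [
        "Severity='Critical' and AlertType='Health'",
        "matches(Severity,'Critical|Fatal')",
        "Severity='Critical' and not(SeverityTrend='Unknown')",
        "not(mdr_dept='Finance' and mdr_size='11')",
        "(mdr_dept='Finance' and mdr_size='11')",
        "Severity='Critical' or AlertType='Health'",
        "fn:Parse(Message,'...')",
    ]
    for s in samples:
        print(check_pattern(s), s)
    print(check_property_case("severity='Critical'", {"Severity", "AlertType"}))
```

Run it as a pre-deployment check on the text you intend to paste into the Event Pattern 1 field; the known-property set for check_property_case is the list you obtain by searching for all raw events from the data source, as described above.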
Copyright © 2013 CA.
All rights reserved.