

Event Search Examples: Raw Events

Select Raw Events and enter a single search pattern in the Event Pattern 1 field. This pattern searches for raw events that retain the properties of their event source.

Example: Search for CA NSM events from the Tandem syslog

matches(evtlog_text,'^TAN$')

The CA NSM Event Console collects events from multiple sources. The source policy that the event connector provides splits these event sources into separate classes. This search returns collected events from the Tandem syslog so that you can write specific mapping rules for these events.

Example: Search for Windows Event Log events from the Security log

syslog_source='Security'

The Windows Event Log contains multiple logs that collect different types of events, such as Security, System, and Application. Normalized Windows Event Log events give no indication of the source event log. This example isolates this information in the raw event property syslog_source and returns all events in the Security log. You can then create a policy that normalizes all security events from the Windows Event Log.

Example: Search for traps with specific information in the variable bindings

Events from the SNMP connector or the SNMP adaptor that are provided with the Event connector have their variable bindings split into separate properties in the Event Store. Therefore, you can search based on a specific varbind value. Varbind properties are prefixed with 'varbind-' and then the OID number. The following example searches for CA Workload Automation traps with a specific job name:

snmp_enterprise="1.3.6.1.4.1.11203" and varbind-1.3.6.1.4.1.11203.9="Disk Mount Job"

This pattern first searches for traps with an enterprise OID of 1.3.6.1.4.1.11203, which narrows the results to CA Workload Automation traps. The pattern then searches for events that match Disk Mount Job in the variable binding 1.3.6.1.4.1.11203.9, which contains the CA Workload Automation job name. You can use this search to view all events that are related to that job. You can create a policy that normalizes the messages that are related to the job so that they appear as alerts in the Operations Console. The varbinds are mapped to the appropriate properties.