

Run a Raw Event Search

Searching for raw events lets you view events with the internal properties assigned by their source domain manager. Every raw event also has a normalized version, but viewing the raw version of an event from a raw event source (such as a log file or an event log) can help you understand the event content before it is normalized. You can then use the raw event search results to create an event policy with a normalization action that defines rules for a more granular normalized event.

Follow these steps:

  1. From the Operations Console, select any item in the Navigation pane, and select Tools, Event Policies.

    The Event Policy dialog opens. The Events tab lists the available data sources and existing policies. The Event Search tab, in the right pane, is where you run searches.

  2. Select the source on which to search in the Data Source list on the Events tab.

    The selected source appears in the field next to the Source button in the Scope pane.

    Limit raw event searches to a single data source, because a single-source result set is typically the best input for normalization. The Select Data Source dialog prevents you from selecting multiple sources when Raw Events is selected.

  3. Select Raw Events in the Additional Criterion pane.

    All other criteria in the pane are disabled. Raw event searches support a single pattern search with no occurrence criteria.

  4. Enter a valid search pattern in the Event Pattern 1 field. Build the search pattern from properties of the source domain manager rather than from USM alert properties. The right-click menu options for USM alert properties are disabled when you select Raw Events; running a basic raw event search first populates the right-click menu with the properties returned by that search. The right-click menu options for operators, functions, and connections remain available.

    Enter all search criteria in the Event Pattern 1 field. Raw event searches support multiple conditions in the Event Pattern 1 field, but they do not support criteria spread across multiple Event Pattern fields. Any criteria entered in other Event Pattern fields are combined with the criteria in the Event Pattern 1 field.

  5. Click Search when finished.

    The results appear in the table above the Details tab. You can filter the results by entering a property value in the Filter field.

    The results button at the upper left of the table indicates whether the search succeeded or returned errors. A green button means the search completed successfully and can be deployed as a policy (see step 7). A yellow or red button means errors occurred; the search may still have returned a valid result set, but it cannot be deployed as a policy. Click the button to view the returned error messages. If you receive an error message that you need help interpreting, see Error Messages.

  6. (Optional) Select a returned event.

    All raw event properties and values for the event appear in the Details tab.

    Note: The Details tab may also show properties that are not true raw event properties, such as temporary or internal properties that raw event searches return alongside them. For help distinguishing true raw properties from these, see Raw Event Properties in Normalization Actions.

  7. (Optional) Click Map Events to save the search, or to create an event policy with a normalization action based on the search.