

Run an Event Search

As an administrator, you create an event search, which is a detailed search for events that match simple or complex patterns. Event searches and subsequent event policies that are created by leveraging these searches are mechanisms that help you control how the product responds to important events or event patterns. You can run event searches:

You can federate event searches across all event data sources or scope them to one or more specific data sources. Time-based scoping can further reduce the target set of events. In addition to scoping, the search functionality lets you define the following to narrow your search:

Adhere to the following conventions to help ensure a successful search:

Follow these steps:

  1. From the Operations Console, select any item in the Navigation pane, and select Tools, Event Policies.

    The Event Policy dialog opens. The Events tab displays the available data sources and existing policies. The Event Search tab displays on the right pane for running searches.

  2. Perform one of the following actions to scope your search:
  3. (Multiple data sources only) Select any number of specific connector data sources to search on a subset of connectors.

    Note: If you include all data sources or add the Mid-tier connector in a search that includes specific data sources, the search will return duplicate events, because the Mid-tier connector collects events from all connectors.

    The selected sources appear in the Source field.

  4. (Optional) Click Time Range to narrow the time range of events to search.

    The Time Range for Event Search dialog opens.

  5. (Optional) Select one of the following and click OK:
    Show items for a time range

    Lets you define a specific time range to search down to the second. Use the Start and End fields to define the time range. Events are stored by the hour with the operating system “last modified date” determining whether a given hour’s events fall within the time range. For example, if a steady stream of events has been flowing and stored for several hours, and it is now 6:35, a search from 5:30 to 6:30 would find all events stored from 5:00 to 6:00. It would exclude events written to the current 6:00 to 7:00 file, as the “last modified date” (of 6:35) is outside of the scoping criteria.

    Show items for the last N hours

    Lets you search events that occurred within a specific number of hours from the current time. Use the arrows to specify the number of hours to search. Events are stored by the hour with the operating system “last modified date” determining whether a given hour’s events fall within the time range. For example, if a steady stream of events has been flowing and stored for several hours, and it is now 6:35, a search of the last 4 hours would find all events stored from 2:00 to 6:00. It would exclude events written to the current 6:00 to 7:00 file, as the “last modified date” (of 6:35) is outside of the scoping criteria.

    The time range appears in the Time Range field.

  6. Enter a valid search pattern in the Event Pattern 1 field. Right-click the field for a list of valid properties, enumerated values, functions, and operators available for selection in a normalized event search.

    Each Pattern field represents criteria for one discrete type of event. Therefore, enter all necessary criteria for a single event type (using the necessary properties, functions, and operators) in one Pattern field.

    After you enter a search pattern in the Event Pattern 1 field, the second Event Pattern field becomes available.

    Note: The names of the second and third Event Pattern fields vary depending on the criterion you select in the Additional Criterion pane. The names are sequential when you select 'ALL events occur within N seconds' and the same when you select 'ANY event occurs'.

  7. (Optional) Enter a valid search pattern in the second Event Pattern field for a separate event type that you want to correlate with the first search pattern, and do the same in the third Event Pattern field if necessary.
  8. Select Normalized Events in the Additional Criterion pane to search normalized events.

    Note: For more information about raw event searches, see Run a Raw Event Search.

  9. Select one of the following in the Additional Criterion section and click Search when finished:

    Note: If you populated only the Event Pattern 1 field, the selected criterion does not influence the query results unless you select OCCURS N times within N seconds.

    ANY event occurs

    Returns any event that matches any of the patterns.

    ALL events occur within N seconds

    Returns a set of events that match all entered patterns that occur within the specified time interval of one another. For example, if you search for events of a certain severity in one pattern and events that meet a certain description in another pattern, the pair of events that match the patterns is returned if they occur within the specified time period. The results are grouped to indicate which events occurred together.

    Sequence Enforced

    Returns events that match all entered patterns that occur within the specified time interval and occur in the same order as the search patterns.

    OCCURS N times within N seconds

    (Single pattern only) Returns events that match the entered pattern and that occur the specified number of times or more within the specified time interval. For example, you can search for an event with a certain description that must appear four times within a minute to match the pattern. The results are grouped to indicate which events occurred together. If you select this option, all Event Pattern fields other than Event Pattern 1 are disabled.

    Note: For example search patterns, see Event Search Examples: Time-Based Correlation, Event Search Examples: Occurrence Frequency, and Event Search Examples: Moving from Simple to Complex.

    The results appear in the table above the Details tab. You can filter the results by entering a property value in the Filter field.

    The results button to the upper left of the table indicates whether the search was successful or whether errors occurred. If the button is green, the search completed successfully and can be deployed as a policy (see step 11). A yellow or red button can still mean that the search returned a valid result, but policy deployment is not possible. Click the button to view the returned error messages. If you receive an error message that you need help interpreting, see Error Messages.

    Note: The time range search is based on the reported time of an event. The reported time is the time when the event is processed by a connector. The occurrence time is the time when an alert occurred. For efficiency, all processing is done on the raw alerts before they are added to the SA Store database tables. The occurrence time (Occurrence Time column) and reported time (Reported Time column) are viewable in the query results window in the Event Policy UI. The occurrence time does not change. In many environments, connectors are restarted with active alarms and alerts are updated. As a result, events are generated for these alerts with a larger disparity between the occurrence time and the reported time.

  10. (Optional) Select a returned event.

    The event properties and values appear in the Details tab. This tab shows many of the USM properties for the selected event and the following unique properties:

    Group

    Indicates the group number to which an event belongs. Grouping organizes events detected as part of a pattern so that you can see events in the context of the other events that triggered a pattern match. Grouping applies to time-based search types. Right-click the event results table and select Group to see how resultant events are grouped.

    Time-based searches have Group values starting with A and incrementing each time a group is detected. Non-time-based searches all show the same Group value of A. A maximum of ten groups can appear.

    Note: You can change the maximum number of returned groups. For more information, see Configure Event Search Settings.

    Frequency-based searches (OCCURS N times within N seconds) create groups based on the longest sequence within the timespan. For example, if you search for an event that must occur five times within 30 seconds, and the event occurs nine times within a 30-second window, the results organize all of these events into one group. Subsequent events matching the criteria in different 30-second windows would be organized into different groups.

    Searches using 'ALL events occur within N seconds' may cause events to appear multiple times if they are detected as being parts of multiple groups. For example, if you search for a combination of events occurring within 30 seconds, and each of the events occurs multiple times within a 30-second window, the results organize each unique pair into a separate group and display the events multiple times as a part of each group.

    Pattern

    Indicates the pattern that the selected event matched.
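    As an added example (not part of this documentation or the product's code), the following Python models the three time-based grouping behaviours described above, 'ALL events occur within N seconds', 'Sequence Enforced', and 'OCCURS N times within N seconds', over constructed sample events. The event field names and the pattern-as-dict representation are assumptions for illustration, not the product's search language.

```python
from datetime import datetime, timedelta
from itertools import product
from string import ascii_uppercase

# Constructed sample events (not product data); seconds are offsets from T0.
T0 = datetime(2024, 1, 1, 6, 0, 0)
EVENTS = [
    {"Reported Time": T0 + timedelta(seconds=s), "Severity": sev, "Description": d}
    for s, sev, d in [(0, "Critical", "Link down"), (10, "Critical", "Link down"),
                      (20, "Major", "CPU high"), (45, "Critical", "Link down"),
                      (110, "Major", "CPU high"), (120, "Critical", "Link down")]
]

def matches(event, pattern):
    """A pattern is a dict of property -> required value; all must hold."""
    return all(event.get(k) == v for k, v in pattern.items())

def label_groups(groups, max_groups=10):
    """Groups are lettered A, B, C ...; the product caps the count (ten by default)."""
    return {ascii_uppercase[i]: g for i, g in enumerate(groups[:max_groups])}

def all_within(events, patterns, seconds, ordered=False):
    """'ALL events occur within N seconds'; ordered=True gives 'Sequence Enforced'.
    Every combination whose span fits is its own group, so events can repeat."""
    candidates = [[e for e in events if matches(e, p)] for p in patterns]
    groups = []
    for combo in product(*candidates):
        times = [e["Reported Time"] for e in combo]
        if (max(times) - min(times)).total_seconds() > seconds:
            continue
        if ordered and times != sorted(times):
            continue  # all patterns matched, but not in pattern order
        groups.append(list(combo))
    return label_groups(groups)

def occurs_n_times(events, pattern, n, seconds):
    """'OCCURS N times within N seconds' (single pattern): a group is the longest run
    of matches fitting in one window; the next window starts after a detected run."""
    hits = sorted((e for e in events if matches(e, pattern)),
                  key=lambda e: e["Reported Time"])
    groups, i = [], 0
    while i < len(hits):
        end = hits[i]["Reported Time"] + timedelta(seconds=seconds)
        run = [e for e in hits[i:] if e["Reported Time"] <= end]
        if len(run) >= n:
            groups.append(run)
            i += len(run)
        else:
            i += 1  # too few in this window; slide to the next match
    return label_groups(groups)
```

    With the sample data, the 30-second 'ALL' search places the single "CPU high" event at 20 seconds into three separate groups, while 'Sequence Enforced' keeps only the two groups where the Critical event precedes it.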

  11. (Optional) Click Create Policy to save the search or create an event policy based on the search.