The following example scenario shows how you can move from a simple search to more complex occurrence and correlation searches. You can use the searches in event policies.
Consider a situation where a database server is having performance problems. Several domain managers are monitoring the server, and you cannot pinpoint the cause of the problems. You could begin with the following simple search in the Event Pattern 1 field with 'ANY event occurs' selected:
matches (Summary,'query error')
This search returns all events that contain the phrase 'query error' in the event summary. The search shows many failed database queries coming from various connectors managing resources that are querying the database. To refine the search to query failures on the problematic database server, you could run an additional search as follows:
matches (Summary,'dbserver1') and matches (Summary,'query error')
This search returns only database query failure events that include the name of the problematic database server in the event summary. If the search still returns many events, you can select OCCURS and specify 10 times within 60 seconds. This search returns matching events only when they occur ten times within one minute, which indicates that the query failures are persistent. If you suspect that persistent query failures are draining the database server memory, you can further refine the search by entering the following two search patterns:
matches (Summary,'dbserver1') and matches (Summary,'query error')
matches (Summary,'dbserver1') and matches (Summary,'memory usage high')
Selecting 'ALL events occur within 120 seconds' returns sets of events where at least one query failure occurred and a high memory usage event occurred within two minutes of each other. The results of this search could indicate a correlation between persistent database query failures and high memory usage on the database server, which could be degrading its performance. With this knowledge, you can generate a plan of action for fixing the problem and future occurrences of the same problem by doing any or all of the following:
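To illustrate the OCCURS and 'ALL events occur within' selections used in this scenario, the following Python sketch evaluates both windows over a small constructed event list. It is an added example, not the product's own code; the function names, the sample events, and the substring and time-span semantics are assumptions.

```python
from datetime import datetime, timedelta
from itertools import product

# Constructed sample events (timestamp, summary); not real product output.
T0 = datetime(2013, 1, 1, 12, 0, 0)
EVENTS = sorted(
    [(T0 + timedelta(seconds=5 * i), "dbserver1 query error") for i in range(10)]
    + [
        (T0 + timedelta(seconds=20), "dbserver2 query error"),
        (T0 + timedelta(seconds=90), "dbserver1 memory usage high"),
        (T0 + timedelta(seconds=600), "dbserver1 query error"),
    ]
)
QUERY = ("dbserver1", "query error")
MEMORY = ("dbserver1", "memory usage high")

def matches(summary, *phrases):
    """Assumed semantics: every phrase is a case-insensitive substring."""
    return all(p.lower() in summary.lower() for p in phrases)

def occurs(events, phrases, count, seconds):
    """First run of `count` matching events spanning <= `seconds`, else []."""
    hits = [e for e in events if matches(e[1], *phrases)]
    for i in range(len(hits) - count + 1):
        if hits[i + count - 1][0] - hits[i][0] <= timedelta(seconds=seconds):
            return hits[i:i + count]
    return []

def all_within(events, patterns, seconds):
    """Sets holding one event per pattern whose total span is <= `seconds`."""
    per_pattern = [[e for e in events if matches(e[1], *p)] for p in patterns]
    return [
        combo for combo in product(*per_pattern)
        if max(e[0] for e in combo) - min(e[0] for e in combo)
        <= timedelta(seconds=seconds)
    ]

if __name__ == "__main__":
    print(len(occurs(EVENTS, QUERY, 10, 60)), "events in the persistent burst")
    for query_evt, mem_evt in all_within(EVENTS, [QUERY, MEMORY], 120):
        print(query_evt[0].time(), "->", mem_evt[0].time(), mem_evt[1])
```

In the sample data, the isolated query error ten minutes later matches the pattern but falls outside both windows, so it appears only in the simple 'ANY event occurs' search.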
Copyright © 2013 CA.
All rights reserved.