Symptom:
I received an error message on an Event Result Error dialog when I ran an event search. How do I interpret the error message?
Solution:
The following messages can appear on an Event Result Error dialog when you run an event search and click a result button that has turned yellow or red:
Indicates that the search returned no matches for a connector that you included in the scope. After you close the dialog, events may appear for other connectors included in the scope. This error does not indicate a problem with the search itself or the returned results. The error is only a notification that at least one scoped source returned no results. In response to this message, you can either refine your search if you want to return events from that source, or do nothing and simply work with the returned results if the search is accurately scoped and defined.
Indicates that some portion of the search syntax cannot be converted to the Drools language. The actual Drools conversion takes place when you save or deploy an event policy. Therefore, this warning does not affect the accuracy of a simple event search, but creating an event policy based on the search will fail. Common reasons for Drools conversion failure include the use of unsupported functions or inappropriate use of operators (for example, a greater than or less than operator with non-numeric values). For specific information about the error, see the EventMgmt.log file at SOI_HOME\log.
For more information about constructing valid searches, see Event Search Syntax Guidelines and Best Practices.
Indicates that Event Management could not access the connector to query its events. Check the status of each connector if this error occurs.
Indicates that the search did not complete due to an unresponsive Event Service. Check the status of the CA SAM Event Management service if this error occurs.
Indicates that the search returned more than 25,000 events for a single data source, which is the upper limit for search results per connector. You must reduce the scope, either through time range or data sources, to return an acceptable number of events.
Indicates that an unspecified error occurred that prevented the search from completing. To investigate the source of the error, see the EventMgmt.log file at SOI_HOME\log.
Indicates that a saved or deployed policy that you selected on the Events tab is not available in its expected location, and its pattern does not display in the Event Search tab. Verify that the policy file exists on the SA Manager at SOI_HOME\resources\EventManagement\Policies.
The following messages may appear when you click Create Policy or Map Events on the Event Search tab:
Note: Some of these error messages also appear when you click the result button.
Indicates that no current search results exist for the entered raw event search pattern. Completing a raw event search is required before creating a normalization action based on that search, so that you can use the results to access the raw event properties for mapping. The message gives you the option to continue, but no raw event properties are available to map on the Normalize Event page.
Indicates that the event search is invalid due to a missing quotation mark on either side of the property value. Add the missing quotation mark and rerun the search.
Indicates that the raw event search uses an OR operand. The search returns valid results, but event policies that are based on the raw event searches do not support the use of this operand.
Indicates that the raw event search uses an operator that is not supported in event policies that are based on the raw event searches. Only the '=' operator is supported in this situation.
Error: Operator: NOT supported in policy deployments for Normal Events
Indicates that the normalized event search uses an operator that is not supported in event policies that are based on the raw event searches. Only the '=' and ‘!=’ operators are supported in this situation.
Error: ‘not’ syntax incorrect. Not supported in policy deployments pattern
Indicates that the event search uses unsupported syntax. For details, see the section Event Search Syntax Guidelines and Best Practices in the Event and Alert Management Best Practices Guide.
Error: ‘contains’ / ’starts-with’ / ’ends-with’ is NOT supported in policy deployments pattern
Indicates that the event search uses a function that is not supported in event policies.
The following messages can appear on the Create Event Policy dialog when you try to deploy or save an event policy:
Indicates that the search errors previously listed can appear in the Event Log table that displays the current search results for use in previewing how a create event or enrich event action affects an event.
Indicates that some portion of the search syntax cannot be converted to the Drools language. This message appears after you click Finish on the Select Data Sources page. The Drools conversion takes place when you save or deploy an event policy, and the operation is prevented if Drools conversion fails. Common reasons for Drools conversion failure include the use of unsupported functions or inappropriate use of operators (for example, a greater than or less than operator with non-numeric values). For specific information about the error, see the SOI_HOME\tomcat\logs\soimgr.log file.
For more information about constructing valid searches, see the Event Search Syntax Guidelines and Best Practices section in the Administration Guide.
Indicates that one or more connectors are currently unreachable. This message appears on the Select Data Sources page. You can complete the policy creation if all of the data sources that you need are available.
Various other warnings appear at the bottom of the Create Event Policy dialog when input is required before you can progress to the next page.
|
Copyright © 2013 CA.
All rights reserved.
|
|