2 Replies Latest reply on May 15, 2013 6:11 PM by njoylif

    create a query for specific events

    kris_mortensen

      I am trying to create an nDepth query that will filter for specific events with the following rules:


      If the event came from the Application log of "ServerA" or "ServerB" and the logged event data contains "The remote server returned an error: (530) Not logged in." or "FTP Error - Retrying".


      I want to eventually turn this into a rule that will alert some support people, but want to make sure that I get the appropriate events first. How do I build this?

        • Re: create a query for specific events
          quasar

          If ServerA & ServerB are machines with agents, define them as the InsertionIP.  Use an OR statement to grab data from both.


          For the latter part, I'm uncertain whether your text is going to end up as the EventInfo, ExtraneousInfo, etc.  Force the event to occur, note the timestamp, then see how the manager parses it by using nDepth to browse the events obtained from your InsertionIP during that time period.

            • Re: create a query for specific events
              njoylif

              If you are using a syslog server with an agent rather than the systems sending directly, you'll use "DetectionIP" for the source. Filter by those and see what information you get; from there, drag and drop the highlighted "fields" ("InferenceRule" or "EventInfo").

              [Screenshot attachment: lem.png]

              Event Info doesn't appear to be available (or I'm missing it), but if you start with the IP(s) and filter, then you can determine the rest.

              If there is too much info just by IP, then sort the filter (refine fields) by clicking on "321", which will order by number of events; drag that event over and click the "=", which makes it "not =". Keep adding until you find what you need.

              [Screenshot attachment: ndepth drag and drop.png]
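The rule the original poster describes, and the two refinements the replies suggest (pick InsertionIP or DetectionIP as the host field depending on whether a syslog relay is in the path; check both text fields because it is unclear where the message is parsed to; tally event types and exclude the noisy ones until the wanted events surface), expressed as plain Python over constructed sample records. This is an added example for this page, not code from the thread or from SolarWinds LEM/nDepth; the IP addresses, the field layout of the records, and the sample messages are assumptions made for illustration.

```python
"""Evaluate the thread's nDepth-style rule against constructed sample events.

Rule: the event came from ServerA or ServerB AND the logged text contains one
of two FTP error strings. Field names (InsertionIP, DetectionIP, InferenceRule,
EventInfo, ExtraneousInfo) follow the ones named in the thread; the records
below are constructed for this example and are not real LEM output.
"""
from collections import Counter

# Hypothetical addresses for ServerA and ServerB (assumption, not from the thread).
SERVER_IPS = {"10.0.0.11", "10.0.0.12"}

MATCH_STRINGS = (
    "The remote server returned an error: (530) Not logged in.",
    "FTP Error - Retrying",
)

# Constructed sample events. The application-log message may be parsed into
# EventInfo or ExtraneousInfo, so the filter checks both fields.
SAMPLE_EVENTS = [
    {"InsertionIP": "10.0.0.11", "DetectionIP": "10.0.0.11", "InferenceRule": "UserLogon",
     "EventInfo": "An account was successfully logged on.", "ExtraneousInfo": ""},
    {"InsertionIP": "10.0.0.11", "DetectionIP": "10.0.0.11", "InferenceRule": "ApplicationEvent",
     "EventInfo": "The remote server returned an error: (530) Not logged in.",
     "ExtraneousInfo": "FtpSync.exe"},
    {"InsertionIP": "10.0.0.12", "DetectionIP": "10.0.0.12", "InferenceRule": "ApplicationEvent",
     "EventInfo": "Scheduled job finished.",
     "ExtraneousInfo": "FTP Error - Retrying (attempt 3 of 5)"},
    {"InsertionIP": "10.0.0.99", "DetectionIP": "10.0.0.99", "InferenceRule": "ApplicationEvent",
     "EventInfo": "FTP Error - Retrying", "ExtraneousInfo": ""},   # right text, wrong host
    {"InsertionIP": "10.0.0.12", "DetectionIP": "10.0.0.12", "InferenceRule": "UserLogon",
     "EventInfo": "An account was successfully logged on.", "ExtraneousInfo": ""},
]


def source_ip(event, via_syslog_relay=False):
    """Field that identifies the originating host, per the replies: InsertionIP
    for agent-reported hosts, DetectionIP when a syslog server with an agent
    forwards the events."""
    return event["DetectionIP"] if via_syslog_relay else event["InsertionIP"]


def matches_rule(event, via_syslog_relay=False):
    """(host is ServerA or ServerB) AND (either text field contains a match string)."""
    host_ok = source_ip(event, via_syslog_relay) in SERVER_IPS
    text = " ".join((event.get("EventInfo", ""), event.get("ExtraneousInfo", "")))
    text_ok = any(s in text for s in MATCH_STRINGS)
    return host_ok and text_ok


def filter_events(events, via_syslog_relay=False):
    return [e for e in events if matches_rule(e, via_syslog_relay)]


def tally_by_field(events, field, exclude=()):
    """Count events from the two servers per value of `field`, after dropping
    the values already ruled out: the 'sort by count, then add not-= terms'
    refinement described in the thread. Returns (value, count) pairs, most
    frequent first."""
    counts = Counter(
        e[field] for e in events
        if source_ip(e) in SERVER_IPS and e[field] not in exclude
    )
    return counts.most_common()


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS):
        print(e["InsertionIP"], "|", e["EventInfo"], "|", e["ExtraneousInfo"])
    print(tally_by_field(SAMPLE_EVENTS, "InferenceRule"))
    print(tally_by_field(SAMPLE_EVENTS, "InferenceRule", exclude=("UserLogon",)))
```

Running the block as-is lists the two events that satisfy the rule (one matched through EventInfo, one through ExtraneousInfo) and skips the event with the right text from an unlisted host; the two tally calls show how excluding the most frequent InferenceRule value narrows the remaining events, which is the iterative "not =" approach the last reply describes. Once the query returns only the wanted events, the same predicate is what a LEM rule would need to encode before it alerts anyone.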