Structured Search Operators
| Operator | Meaning | Allowed on Event Attribute Types or CMDB Group | Example as seen in GUI |
|---|---|---|---|
| =, != | Compares whether an attribute is exactly identical, or not identical, to a specified value | All except DATE types | Event Type = “PH_DEV_MON_SYS_CPU_UTIL”<br>Source IP != 10.1.1.1 |
| >, >=, <, <= | Compares whether an attribute is less than or greater than a specified value | Numeric types: UINT16, UINT32, UINT64, DOUBLE | CPU Util > 10 |
| IN, NOT IN | Determines whether an attribute belongs, or does not belong, to a set of values. For string valued attributes, the match is case insensitive. | All except DATE type; allows CMDB Groups | System Event Category IN (3,6)<br>Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”, “PH_DEV_MON_SYS_MEM_UTIL”)<br>Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”, Event Types:Login Failure)<br>Source IP IN Devices:Windows, Devices:Unix<br>Destination IP IN Networks:VPN Pool |
| BETWEEN, NOT BETWEEN | Determines whether an attribute lies within a range of values | All except STRING types | Source IP BETWEEN (10.1.1.1, 10.1.1.255)<br>CPU Util BETWEEN (20.0, 30.0)<br>Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014) |
| IS (NULL), IS NOT (NULL) | Determines whether an attribute is present or not | All types | Host Name IS NOT NULL |
| CONTAINS, NOT CONTAINS | Determines whether a string valued attribute contains a specified sub-string. For Raw Event Log, the sub-string has to contain the beginning of every word it matches (a word-prefix match); for all other string type attributes, the sub-string can be in any position. | STRING | Event Type CONTAINS “DEV_MON” matches “PH_DEV_MON_CPU”<br>Event Type NOT CONTAINS “DEV_MON” does not match “PH_DEV_MON_CPU”<br>Reporting Model CONTAINS “dows” matches “Microsoft Windows”<br>Reporting Model CONTAINS “soft win” matches “Microsoft Windows”<br>Raw Event Log CONTAINS “dows” does not match “Microsoft Windows”<br>Raw Event Log CONTAINS “microsoft win” matches “Microsoft Windows 2003”<br>(For more general patterns use regular expressions) |
| REGEXP, NOT REGEXP | Determines whether a string valued attribute matches a specified pattern. The raw message needs to be UTF-8 encoded. | STRING | Raw Event Log REGEXP “\d+.\d+\d+.\d+”<br>Event Type NOT REGEXP “PH_DEV_MON_.*” matches events whose event type does not begin with PH_DEV_MON |
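The table describes operator semantics in prose; the subtle point is that CONTAINS behaves differently on Raw Event Log (word-prefix matching) than on other string attributes (any position), and that IN is case insensitive for strings while BETWEEN must compare IP addresses as addresses rather than as text. The following is an added reference evaluator written for this page; it is not FortiSIEM code and does not reproduce the product's query engine. It assumes that Raw Event Log CONTAINS requires the sub-string's words to match consecutive log words by prefix, that CONTAINS on other strings is case insensitive (inferred from “soft win” matching “Microsoft Windows”), that REGEXP matches anywhere in the value unless the pattern is anchored, and that a missing attribute satisfies no value comparison. The sample events are constructed.

```python
import ipaddress
import re

# Constructed sample events (not from the page); keys follow the GUI attribute labels.
SAMPLE_EVENTS = [
    {"Event Type": "PH_DEV_MON_SYS_CPU_UTIL", "Source IP": "10.1.1.7",
     "CPU Util": 35.0, "Reporting Model": "Microsoft Windows",
     "Raw Event Log": "Microsoft Windows 2003 host reports high CPU util"},
    {"Event Type": "Win-Security-4625", "Source IP": "192.168.5.20",
     "CPU Util": 3.0, "Reporting Model": "Linux",
     "Raw Event Log": "An account failed to log on"},
]

# Exact and ordering comparisons (=, !=, >, >=, <, <=).
COMPARATORS = {
    "=": lambda v, x: v == x,
    "!=": lambda v, x: v != x,
    ">": lambda v, x: v > x,
    ">=": lambda v, x: v >= x,
    "<": lambda v, x: v < x,
    "<=": lambda v, x: v <= x,
}


def _words(text):
    """Lower-cased word tokens; underscores count as word characters."""
    return re.findall(r"\w+", text.lower())


def contains_any_position(value, needle):
    """CONTAINS for ordinary STRING attributes: sub-string at any position.
    Assumption: case-insensitive, inferred from the page's 'soft win' example."""
    return needle.lower() in value.lower()


def contains_word_prefix(raw_log, needle):
    """CONTAINS for Raw Event Log: every word of the needle must be the beginning
    of a log word. Assumption: the needle words match consecutive log words."""
    log_words, needle_words = _words(raw_log), _words(needle)
    if not needle_words:
        return False
    for start in range(len(log_words) - len(needle_words) + 1):
        if all(log_words[start + k].startswith(w) for k, w in enumerate(needle_words)):
            return True
    return False


def in_set(value, members):
    """IN: membership is case-insensitive for string attributes, as the page states."""
    if isinstance(value, str):
        return value.lower() in {str(m).lower() for m in members}
    return value in set(members)


def between(value, low, high):
    """BETWEEN: IP literals are compared as addresses, so '10.1.1.7' lies below '10.1.1.255'."""
    if isinstance(value, str):
        try:
            return ipaddress.ip_address(low) <= ipaddress.ip_address(value) <= ipaddress.ip_address(high)
        except ValueError:
            pass  # not an IP literal; fall through to a plain comparison
    return low <= value <= high


def regexp(value, pattern):
    """REGEXP. Assumption: the pattern may match anywhere in the value (search semantics)."""
    return re.search(pattern, value) is not None


def evaluate(event, attr, op, operand=None):
    """Evaluate one 'attribute OPERATOR operand' condition against one event."""
    value = event.get(attr)
    if op == "IS NULL":
        return value is None
    if op == "IS NOT NULL":
        return value is not None
    if value is None:
        return False  # assumption: a missing attribute satisfies no value comparison
    negate = op.startswith("NOT ")          # NOT IN, NOT BETWEEN, NOT CONTAINS, NOT REGEXP
    base = op[4:] if negate else op
    if base in COMPARATORS:
        hit = COMPARATORS[base](value, operand)
    elif base == "IN":
        hit = in_set(value, operand)
    elif base == "BETWEEN":
        hit = between(value, *operand)
    elif base == "CONTAINS":
        matcher = contains_word_prefix if attr == "Raw Event Log" else contains_any_position
        hit = matcher(value, operand)
    elif base == "REGEXP":
        hit = regexp(value, operand)
    else:
        raise ValueError(f"unsupported operator: {op}")
    return hit != negate


def search(events, attr, op, operand=None):
    """Return the indices of the events that satisfy the condition."""
    return [i for i, e in enumerate(events) if evaluate(e, attr, op, operand)]


if __name__ == "__main__":
    print(search(SAMPLE_EVENTS, "Raw Event Log", "CONTAINS", "microsoft win"))   # [0]
    print(search(SAMPLE_EVENTS, "Raw Event Log", "CONTAINS", "dows"))            # []
    print(search(SAMPLE_EVENTS, "Event Type", "NOT REGEXP", r"PH_DEV_MON_.*"))  # [1]
```

Running the script reproduces the page's CONTAINS examples: “dows” finds “Microsoft Windows” in Reporting Model but not in Raw Event Log, while “microsoft win” finds the raw log because both words are word prefixes.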