In this second post we’ll build upon those concepts, and try some slightly more elaborate filters in Operations Management Suite.
So we left the other post with a query like
EventLog=Application OR EventLog=System
Since we haven’t specified additional filters, this query will return the entries for both event logs for ALL computers that have sent such data. Adding a Computer filter narrows it down to a single machine:
EventLog=Application OR EventLog=System Computer=SERVER1.contoso.com
which, as you’ll remember, given the implicit AND, is the same as
EventLog=Application OR EventLog=System AND Computer=SERVER1.contoso.com
and gets evaluated in this explicit order – look at the parentheses:
(EventLog=Application OR EventLog=System) AND Computer=SERVER1.contoso.com
Now, just like for the event log field, you can bring back data only for a SET of specific machines by OR’ing them:
(EventLog=Application OR EventLog=System) AND (Computer=SERVER1.contoso.com OR Computer=SERVER2.contoso.com OR Computer=SERVER3.contoso.com)
Similarly, this other query will bring back % CPU Time only for the two selected machines:
CounterName="% Processor Time" AND InstanceName="_Total" AND (Computer=SERVER1.contoso.com OR Computer=SERVER2.contoso.com)
That should be enough on Boolean operators.
Let’s look at something else: with datetime and numeric fields you can also search for values GREATER THAN, LESS THAN OR EQUAL, etc. We use the simple operators >, <, >=, <= and != for this.
For example, I can query a specific event log for just a specific period of time; e.g. the last 24 hours can be expressed with the mnemonic expression below.
Sure, you can also control the time interval graphically, and most of the time you might want to do that, but putting the time filter in the query itself has its advantages:
- it works great with dashboards, where you can override the time for each tile this way, regardless of the ‘global’ time selector on the dashboard page (Stas already described why this is useful)
- it will be great once we have scheduling of queries, to use them in a monitoring fashion and periodically ‘keep an eye’ on certain things or KPIs
When filtering by time, keep in mind that you get results for the INTERSECTION of the two time windows: the one specified in the UI (S1) and the one specified in the query (S2).
Those comparison operators we used for the TimeGenerated field are also useful in other situations, for example with numeric fields.
For example, given that Advisor Legacy Configuration Assessment’s Alerts have the following Severities: 0 = Information, 1 = Warning, 2 = Critical, you can query for both ‘warning’ and ‘critical’ alerts and exclude informational ones with this query
Last but not least, we support range queries. This means you can provide the beginning and the end of a range of values in a sequence. Example: show me the Events from the Operations Manager event log where the EventID is greater than or equal to 2100 but not greater than 2199 (these would be Health Service Modules errors, mostly around connectivity issues with Advisor, BTW)
Type=Event EventLog="Operations Manager" EventID:[2100..2199]
[Note that for the range syntax you MUST use the ‘:’ colon as the field:value separator and NOT the ‘equals’ sign, enclose the lower and upper ends of the range in square brackets and separate them with two dots ‘..’]
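To make the precedence, comparison and range rules above concrete, here is an added example (not code from the post or from OMS itself) of a toy evaluator for this search syntax, run over constructed records. It assumes string values compare case-insensitively and drops every explicit AND, since the post shows it is implicit anyway.

```python
import re
from operator import eq, ne, gt, lt, ge, le

# Added example, not code from the post: a toy evaluator for the legacy OMS search
# syntax described above (assumes string values compare case-insensitively).
TOKEN = re.compile(r'\(|\)|(?:[^\s()"]|"[^"]*")+')            # parens, or one whole term
TERM = re.compile(r'^(\w+)(>=|<=|!=|>|<|=|:)"?(.+?)"?$')       # Field<op>Value, quotes dropped
RANGE = re.compile(r'^\[(.+)\.\.(.+)\]$')                      # [lo..hi], only valid after ':'
OPS = {'=': eq, ':': eq, '!=': ne, '>': gt, '<': lt, '>=': ge, '<=': le}

def _norm(v):
    """Compare numerically when the value looks like a number, otherwise as lowercase text."""
    return float(v) if re.fullmatch(r'-?\d+(\.\d+)?', str(v)) else str(v).lower()

def _term(tok):
    """Build a predicate for Field=Value, Field>Value, ... or the range form Field:[lo..hi]."""
    field, sym, val = TERM.match(tok).groups()  # AttributeError on a malformed term
    rng = RANGE.match(val) if sym == ':' else None
    def pred(rec):
        if field not in rec:
            return False
        x = _norm(rec[field])
        if rng:  # inclusive at both ends
            return _norm(rng.group(1)) <= x <= _norm(rng.group(2))
        return OPS[sym](x, _norm(val))
    return pred

def _expr(toks, i):
    """expr := group group ... (implicit AND); group := atom OR atom ...; atom := term | (expr)"""
    groups = []
    while i < len(toks) and toks[i] != ')':
        alts = []  # OR binds tighter than AND, so A OR B C is (A OR B) AND C
        while i < len(toks):
            atom, i = _expr(toks, i + 1) if toks[i] == '(' else (_term(toks[i]), i + 1)
            alts.append(atom)
            if i == len(toks) or toks[i].upper() != 'OR':
                break
            i += 1
        groups.append(alts)
    return (lambda rec: all(any(a(rec) for a in g) for g in groups)), min(i + 1, len(toks))

def search(query, records):
    pred, _ = _expr([t for t in TOKEN.findall(query) if t.upper() != 'AND'], 0)  # AND is implicit
    return [r for r in records if pred(r)]

RECORDS = [  # constructed sample data
    {'Type': 'Event', 'EventLog': 'Application', 'EventID': 1000, 'Computer': 'SERVER1.contoso.com'},
    {'Type': 'Event', 'EventLog': 'System', 'EventID': 7036, 'Computer': 'SERVER2.contoso.com'},
    {'Type': 'Event', 'EventLog': 'Operations Manager', 'EventID': 2115, 'Computer': 'SERVER1.contoso.com'},
    {'Type': 'Event', 'EventLog': 'Operations Manager', 'EventID': 2200, 'Computer': 'SERVER1.contoso.com'},
]
```

Running the post's own queries through `search(query, RECORDS)` shows that the version with and without parentheses around the OR returns the same single Application record, and that `EventID=[2100..2199]` (equals sign instead of colon) matches nothing.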