In this second post we’ll build upon those concepts, and try some slightly more elaborate filters in Operations Management Suite.

So we left the other post with a query like

EventLog=Application OR EventLog=System

Since we haven’t specified any additional filter, this query returns the entries of both event logs for ALL computers that have sent such data.

Clicking on one of the fields/filters will narrow down the query to a specific computer, excluding all other ones; the query would become something like

EventLog=Application OR EventLog=System Computer=SERVER1.contoso.com

which, as you’ll remember, given the implicit AND, is the same as

EventLog=Application OR EventLog=System AND Computer=SERVER1.contoso.com

and is evaluated in this explicit order (note the parentheses):

(EventLog=Application OR EventLog=System) AND Computer=SERVER1.contoso.com

Now, just like for the event log field, you can bring back data only for a SET of specific machines by OR’ing them:

(EventLog=Application OR EventLog=System) AND (Computer=SERVER1.contoso.com OR Computer=SERVER2.contoso.com OR Computer=SERVER3.contoso.com)

Similarly, this other query brings back the % Processor Time counter only for the two selected machines:

CounterName="% Processor Time" AND InstanceName="_Total" AND (Computer=SERVER1.contoso.com OR Computer=SERVER2.contoso.com)

That should be enough on Boolean operators.

Let’s look at something else: with datetime and numeric fields you can also search for values GREATER THAN, LESS THAN OR EQUAL, etc. The simple operators >, <, >=, <= and != are used for this.

For example, I can query a specific event log for a specific period of time only; the last 24 hours can be expressed with the mnemonic expression below:

EventLog=System TimeGenerated>NOW-24HOURS

Sure, you can also control the time interval graphically, and most of the time you might want to do that, but there are advantages to including a time filter right in the query:

  1. it works great with dashboards where you can override the time for each tile this way, regardless of the ‘global’ time selector on the dashboard page (Stas already described why this is useful)
  2. it will be great once we have scheduling of queries, to use them in a monitoring fashion and periodically ‘keep an eye’ on certain things or KPIs

When filtering by time, keep in mind that you get results for the INTERSECTION of the two time windows: the one specified in the UI (S1) and the one specified in the query (S2).

This means that if the two time windows don’t overlap (e.g. the UI is asking for ‘this week’ and the query is asking for ‘last week’) there is no intersection and you get no results.

Those comparison operators we used for the TimeGenerated field are also useful in other situations, for example with numeric fields.

For example, Advisor Legacy Configuration Assessment alerts have the following severities: 0 = Information, 1 = Warning, 2 = Critical. You can query for both ‘warning’ and ‘critical’ alerts, excluding informational ones, with this query:

Type=ConfigurationAlert Severity>=1

Last but not least, we support range queries. This means you can provide the beginning and the end of a range of values in a sequence. Example: show me the events from the Operations Manager event log where the EventID is greater than or equal to 2100 but not greater than 2199 (these would be Health Service Modules errors, mostly around connectivity issues with Advisor, BTW):

Type=Event EventLog="Operations Manager" EventID:[2100..2199]

[Note that for the range syntax you MUST use the colon ‘:’ as the field:value separator and NOT the ‘equals’ sign; enclose the lower and upper ends of the range in square brackets and separate them with two dots ‘..’]
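To make the rules above concrete (OR binding tighter than the implicit AND, the comparison operators on numeric and datetime fields, the NOW-24HOURS mnemonic, the intersection of the UI time window with the query's own time filter, and the colon-only range syntax), here is a small evaluator that applies them to in-memory records. It is an added example written for this post, not code from Operations Management Suite or from the original author; the record set is constructed sample data, NOW is pinned to a fixed instant so the relative time filters are reproducible, and the tokenizer and precedence rules are my reading of the syntax shown in the post, not the product's actual parser.

```python
import operator
import re
from datetime import datetime, timedelta

NOW = datetime(2015, 6, 1, 12, 0, 0)  # fixed "now" so the NOW-24HOURS style filters are reproducible

def rec(hours_ago, **fields):  # constructed sample record (not data from the post), timed relative to NOW
    fields["TimeGenerated"] = NOW - timedelta(hours=hours_ago)
    return fields

RECORDS = [
    rec(2, Type="Event", EventLog="System", Computer="SERVER1.contoso.com", EventID=7036),
    rec(30, Type="Event", EventLog="Application", Computer="SERVER2.contoso.com", EventID=1000),
    rec(1, Type="Event", EventLog="Operations Manager", Computer="SERVER1.contoso.com", EventID=2115),
    rec(3, Type="ConfigurationAlert", Computer="SERVER2.contoso.com", Severity=2),
    rec(4, Type="ConfigurationAlert", Computer="SERVER1.contoso.com", Severity=0),
]

# A token is '(' / ')' / AND / OR, or Field<op>Value with a quoted, [lo..hi] or bare-word value.
TOKEN = re.compile(r'\s*(?:(?P<sym>[()]|AND\b|OR\b)'
                   r'|(?P<field>\w+)\s*(?P<cmp>>=|<=|!=|[=:<>])\s*'
                   r'(?P<value>"[^"]*"|\[[^\]]*\]|[^\s()]+))')
COMPARE = {"=": operator.eq, ":": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def tokenize(query):
    matches = list(TOKEN.finditer(query))
    if "".join(m.group(0) for m in matches) != query.rstrip():  # something was skipped
        raise ValueError("cannot parse query: " + query)
    return [("filter", (m.group("field"), m.group("cmp"), m.group("value"))) if m.group("field")
            else ("sym", m.group("sym")) for m in matches]

def parse_value(raw):  # -> str, int, datetime (NOW-24HOURS mnemonics) or (lo, hi) range tuple
    if raw.startswith('"'):
        return raw[1:-1]
    if raw.startswith("["):
        return tuple(parse_value(end.strip()) for end in raw[1:-1].split(".."))
    m = re.match(r"NOW-(\d+)(HOURS?|DAYS?|MINUTES?)$", raw)
    if m:
        unit = {"H": "hours", "D": "days", "M": "minutes"}[m.group(2)[0]]
        return NOW - timedelta(**{unit: int(m.group(1))})
    return int(raw) if raw.lstrip("-").isdigit() else raw

def match_filter(record, field, cmp, raw):
    expected, actual = parse_value(raw), record.get(field)
    if isinstance(expected, tuple):  # [lo..hi] range, both ends inclusive
        if cmp != ":":  # the post's note: a range needs the ':' separator, not '='
            raise ValueError("range values need Field:[lo..hi], not '%s'" % cmp)
        return actual is not None and expected[0] <= actual <= expected[1]
    return actual is not None and COMPARE[cmp](actual, expected)

def parse(tokens):
    """Precedence as the post spells it out: OR binds tighter than AND, and adjacent
    filters are an implicit AND, so 'A OR B C' parses as '(A OR B) AND C'."""
    tokens, pos, end = tokens + [("sym", "<end>")], [0], ("sym", "<end>")
    def peek():
        return tokens[pos[0]]
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def and_expr():  # or_expr ((AND | <nothing>) or_expr)*
        parts = [or_expr()]
        while peek() not in (end, ("sym", ")")):
            if peek() == ("sym", "AND"):
                take()
            parts.append(or_expr())
        return ("and", parts)
    def or_expr():  # atom (OR atom)*
        parts = [atom()]
        while peek() == ("sym", "OR"):
            take()
            parts.append(atom())
        return ("or", parts)
    def atom():  # '(' and_expr ')' | filter
        tok = take()
        if tok == ("sym", "("):
            node, closing = and_expr(), take()
            if closing == ("sym", ")"):
                return node
        elif tok[0] == "filter":
            return ("filter",) + tok[1]
        raise ValueError("unexpected or unbalanced token %r" % (tok,))
    tree = and_expr()
    if peek() != end:
        raise ValueError("unexpected token %r" % (peek(),))
    return tree

def evaluate(node, record):
    if node[0] == "filter":
        return match_filter(record, *node[1:])
    return (all if node[0] == "and" else any)(evaluate(n, record) for n in node[1])

def search(query, records=RECORDS, ui_window=None):
    """Matching records, restricted to the UI time window (start, end) when one is given:
    the effective window is the intersection of that window and the query's own time filter."""
    tree = parse(tokenize(query))
    return [r for r in records
            if (ui_window is None or ui_window[0] <= r["TimeGenerated"] <= ui_window[1])
            and evaluate(tree, r)]
```

Running the post's own queries through `search` shows the behaviour described: `EventLog=Application OR EventLog=System Computer=SERVER1.contoso.com` parses as `(... OR ...) AND Computer=...`, `Severity>=1` keeps only the warning and critical alert, `EventID:[2100..2199]` is inclusive at both ends while `EventID=[2100..2199]` is rejected, and passing a `ui_window` of the last hour together with `TimeGenerated>NOW-24HOURS` returns only records inside the overlap of the two windows.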

Thanks to