Searching for alerts in Unity iQ is easy. Savision iQ automatically collects alerts from all configured monitoring systems and provides an intuitive way for you to search for alerts.

This article describes how Savision iQ can help you find the alerts you are looking for.

By default, when no search terms are provided, Savision iQ presents all alerts, sorted by last modified time. Once a search term is provided, only the alerts that match the search term are presented, sorted by search score. The search score is determined by how well the details of the alert match the search term that was specified.

There are four ways to search for alerts in Savision iQ.

1) Select a Source

Click on the ‘Source’ drop-down menu. This will present the types of monitoring systems that Unity iQ natively supports, such as SCOM or SolarWinds. Select a monitoring system type. Only alerts from that monitoring system type will now be shown.

2) Select ‘From’ and ‘To’ Dates

Click on the ‘From’ and/or ‘To’ date selection fields, and choose dates as desired (the ‘To’ date selection field defaults to today). Only alerts that have been modified within that date range will now be shown.

3) Select a Column Filter

Click on the menu (three horizontal bars) for the column you would like to use as the basis for your filter. Click Filter, select the desired expression, and provide the desired filter text. Only alerts that match the specified filter for that column will now be shown.

4) Provide a Custom Search

Searches are made up of terms and operators. A term can be:

· A single word, such as server

· A phrase surrounded by double quotes, such as "cannot authenticate"

Operators modify the terms to help structure your search. The following sections describe the available operators.

Field Names

You can search for a term in a field, like resolution:closed or message:"cannot authenticate".

You can also use Boolean operators in your field names. This is an example of OR in use: resolution:(closed OR acknowledged).

Nested properties of the alert can also be searched. alertObject.*:component will search for the term "component" in the properties alertObject.entityType and alertObject.caption.

_missing_:acknowledgedBy will find alerts where the acknowledgedBy property is empty or missing. _exists_:acknowledgedBy will return alerts where the value for this property is not null.


Wildcards

A question mark acts as a single-character wildcard:

ip:192.168.1.1?1 will return at most 10 results, finding results where the ? stands in for a single character.

An asterisk acts as a 0-or-more wildcard:

ip:192.168.1.* will return the full list of matching IP addresses in this range. As an example, it will return 192.168.1.4 and 192.168.1.255.

NOTE: Beginning a term with an asterisk (e.g. *ing) is an expensive operation. We do not recommend performing such searches.


Regular Expression

You can use RegEx searches by wrapping them in forward slashes. For example, /[MK]bps/


Fuzzy Searches

Humans make mistakes, and a term may be spelled wrong in an alert. Adding ~x to the end of your term allows you to match words that differ from it by up to x single-character edits, where an edit is a character that is inserted, deleted, substituted with another character, or transposed with an adjacent character. For example, performance~2 will find preformance, peformance, and performanve. If x is not set, it defaults to 2.
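As an added example (not Savision iQ's own code), here is the edit distance that a term~x search is based on, in Python. Which edits count as one edit is taken from the paragraph above; counting them with the optimal-string-alignment algorithm, and the case-folding, are assumptions about how the engine compares terms. The sample words are constructed and include the three misspellings from the text.

```python
# Added example (not Savision iQ's own code): the edit distance behind a
# term~x fuzzy search. One edit is a character inserted, deleted, substituted
# or transposed with its neighbour, as the text describes; counting them with
# the optimal-string-alignment algorithm is an assumption.


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b, case-folded."""
    a, b = a.lower(), b.lower()
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]  # d[i][j]: a[:i] vs b[:j]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def parse_fuzzy_term(term: str) -> tuple:
    """'performance~2' -> ('performance', 2). A bare '~' means the default of
    2 edits stated in the text; no '~' at all means an exact match."""
    if "~" not in term:
        return term, 0
    word, _, edits = term.partition("~")
    return word, (int(edits) if edits else 2)


def fuzzy_matches(term: str, candidates: list) -> list:
    """Candidates the fuzzy term would match, in input order."""
    word, max_edits = parse_fuzzy_term(term)
    return [c for c in candidates if edit_distance(word, c) <= max_edits]


# Constructed sample words: the three misspellings from the text, the correct
# spelling, a two-edit misspelling and an unrelated word.
SAMPLE_WORDS = ["preformance", "peformance", "performanve", "performance",
                "perfomanse", "persistence"]

if __name__ == "__main__":
    for term in ("performance~1", "performance~2"):
        print(term, "->", fuzzy_matches(term, SAMPLE_WORDS))
```

Running it shows why the text's three examples all sit within one edit (a transposition, a deletion and a substitution respectively), while perfomanse needs two and is only found by performance~2.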


Proximity Searches

A multi-word version of the fuzzy search deals with whole words that are inserted, deleted, or substituted. "server name"~ will find "name of server".


Ranges

A set of square brackets acts as an inclusive range.

age:[5 TO 60] will find all results where the age is 5 or higher, up to a maximum of 60.

A set of curly brackets acts as an exclusive range.

age:{5 TO 60} will find all results where the age is greater than 5 (6 or higher), up to a maximum of 59.

You can use comparison operators for one-sided ranges, such as age:<5.

This also works with alphabetical searches.

name:[Adam TO Bert] will list all names alphabetically within this range. This includes Adam, Alicia, Barry and Bert, but not Aaron or Bob.


Date Fields

It is possible to search a field that contains a date by using the format year-month-dayThours:minutes:seconds.milliseconds, for example 2016-07-23T08:15:39.123. Partial date formats are supported, for example 2016-07-23 or 2016-07-23T08:15. The keyword now represents the current time.

Since the value of a date field represents an instant in time, it is more effective to search within a range of times. For example, instead of using timeRaised:2016-07-23T08:15 to search for alerts raised at 8:15 am on July 23, 2016, you should use the range search timeRaised:[2016-07-23T08:15 TO 2016-07-23T08:16].

It is also possible to specify a date math expression instead of a specific date. The expression starts with a date followed by ||, or with the keyword now, followed by one or more math expressions, for example:

· now-1d represents the current time minus one day.

· timeRaised:>now-10d will report all the alerts raised in the last ten days.

The supported time units are: y (year), M (month), w (week), d (day), h (hour), m (minute), and s (second).
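As an added example (not Savision iQ's own code), the following Python resolves the date-math expressions described above to concrete timestamps and builds the kind of range query the text recommends for instant-valued fields. The accepted partial date formats, the clamping of the day of month when adding months or years, and passing "now" in explicitly are assumptions of this example.

```python
# Added example (not Savision iQ's own code): resolve the date-math
# expressions described above ("now-10d", "2016-07-23||+1M") to a concrete
# datetime and build a range query from the result. "now" is passed in
# explicitly so that results are reproducible.
import calendar
import re
from datetime import datetime, timedelta

# One math step: sign, count, unit (y M w d h m s as listed in the text).
STEP = re.compile(r"([+-])(\d+)([yMwdhms])")

# Full and partial date formats accepted by parse_date, most specific first
# (assumption: the engine accepts these same partial forms).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S",
                "%Y-%m-%dT%H:%M", "%Y-%m-%d")


def parse_date(text: str) -> datetime:
    """Parse a full or partial date such as 2016-07-23 or 2016-07-23T08:15."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar arithmetic for the M and y units. The day of month is clamped
    to the target month's length (assumption: Jan 31 + 1M -> Feb 29 in 2016)."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def resolve(expr: str, now: datetime) -> datetime:
    """Resolve 'now<steps>', '<date>||<steps>' or a plain date to a datetime."""
    if expr.startswith("now"):
        base, steps = now, expr[3:]
    elif "||" in expr:
        anchor, _, steps = expr.partition("||")
        base = parse_date(anchor)
    else:
        return parse_date(expr)
    pos = 0
    for m in STEP.finditer(steps):
        if m.start() != pos:  # something unparseable between two steps
            break
        pos = m.end()
        n = int(m.group(2)) * (1 if m.group(1) == "+" else -1)
        unit = m.group(3)
        if unit == "y":
            base = add_months(base, 12 * n)
        elif unit == "M":
            base = add_months(base, n)
        else:
            name = {"w": "weeks", "d": "days", "h": "hours",
                    "m": "minutes", "s": "seconds"}[unit]
            base = base + timedelta(**{name: n})
    if pos != len(steps):
        raise ValueError(f"bad date math in {expr!r}")
    return base


def range_query(field: str, start: str, end: str, now: datetime) -> str:
    """Inclusive range query with both ends resolved to full timestamps, the
    form the text recommends for fields whose value is an instant in time."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    lo, hi = resolve(start, now), resolve(end, now)
    if lo > hi:
        raise ValueError("range start is after range end")
    return f"{field}:[{lo.strftime(fmt)} TO {hi.strftime(fmt)}]"


if __name__ == "__main__":
    clock = datetime(2016, 7, 23, 8, 15, 39)  # constructed 'now'
    print(range_query("timeRaised", "now-10d", "now", clock))
```

Resolving both ends yourself, rather than handing now-10d to the engine, is useful when a query is stored with an investigation: the saved query then records exactly which window was searched.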


Strings with Spaces

When searching on a property for a value that contains spaces, wrap your string in a set of double quotes.

message:not running will search the message property for "not" and search all properties for "running". Instead, use message:"not running".


Brackets and Operators

Brackets and operators such as AND, OR, and NOT help you craft searches. Suppose I work for a car dealership and a customer comes to me with a peculiar request for her next vehicle. She insists it must meet the following criteria:

1. The car can be one of the following:

a. A blue or black Ford

b. A yellow or red Toyota

2. Must be a new car

3. The car must not be a hatchback

Here is our search:

(make:Ford AND (color:blue OR color:black)) OR (make:Toyota AND (color:yellow OR color:red)) AND preowned:false AND (NOT style:hatchback)

We group the make and color searches so they do not interfere with each other. Without the brackets, our search might end up looking for Toyotas that are black or blue. Brackets evaluate these terms individually without spilling out into the rest of the search. We wrap the "NOT" term in brackets to prevent it from evaluating against the previous term, preowned:false.

In addition to AND, OR and NOT, we can also use + and - for terms that must be present and must not be present, respectively.
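As an added example (not Savision iQ's own code, and not how its search engine is implemented), here is a small Python evaluator for the bracket, AND/OR/NOT, field-grouping, quoted-phrase and wildcard syntax from the sections above, run over constructed records for the dealership scenario. Its precedence rule (NOT before AND before OR) and its whole-value, case-insensitive matching are assumptions; query parsers differ in how they rank AND against OR, so the example also shows what one extra outer pair of brackets around the two make/colour groups changes.

```python
# Added example (not Savision iQ's own code): an evaluator for the bracket,
# AND, OR and NOT syntax above, plus field grouping such as
# resolution:(closed OR acknowledged), quoted phrases and ? / * wildcards.
# Records are dicts; a term matches a field's whole value, case-insensitively
# (a real index tokenizes and scores). Precedence is an assumption here:
# NOT binds tightest, then AND, then OR.
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'?' matches exactly one character, '*' zero or more, the rest literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE)


def leaf(field, value):
    """Predicate for one term; field=None means 'search every field'."""
    def pred(record):
        for name in ([field] if field else list(record)):
            text = str(record.get(name, ""))
            if value.startswith('"'):  # quoted phrase: substring match
                if value.strip('"').lower() in text.lower():
                    return True
            elif wildcard_to_regex(value).fullmatch(text):
                return True
        return False
    return pred


def parse_query(query: str):
    """Recursive-descent parser returning a predicate over one record."""
    tokens, pos = TOKEN.findall(query), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        pos += 1
        return tokens[pos - 1]

    def parse_or(field):
        left = parse_and(field)
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, parse_and(field))
        return left

    def parse_and(field):
        left = parse_not(field)
        while peek() == "AND":
            take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, parse_not(field))
        return left

    def parse_not(field):
        if peek() == "NOT":
            take()
            inner = parse_not(field)
            return lambda rec: not inner(rec)
        return parse_primary(field)

    def parse_primary(field):
        tok = take()
        if tok == "(":
            inner = parse_or(field)
            if take() != ")":
                raise ValueError("missing closing bracket")
            return inner
        if tok.endswith(":"):  # field:( ... ) or field:"phrase"
            return parse_primary(tok[:-1])
        if ":" in tok and not tok.startswith('"'):
            field, tok = tok.split(":", 1)  # field:value
        return leaf(field, tok)

    pred = parse_or(None)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return pred


def search(query: str, records: list) -> list:
    """Ids of the records the query matches, in input order."""
    pred = parse_query(query)
    return [r["id"] for r in records if pred(r)]


# Constructed sample records for the dealership scenario in the text.
CARS = [
    {"id": "1", "make": "Ford", "color": "blue", "preowned": "false", "style": "sedan"},
    {"id": "2", "make": "Toyota", "color": "black", "preowned": "false", "style": "sedan"},
    {"id": "3", "make": "Toyota", "color": "red", "preowned": "false", "style": "hatchback"},
    {"id": "4", "make": "Toyota", "color": "yellow", "preowned": "false", "style": "coupe"},
    {"id": "5", "make": "Ford", "color": "black", "preowned": "true", "style": "sedan"},
    {"id": "6", "make": "Ford", "color": "blue", "preowned": "true", "style": "hatchback"},
]

# The query from the text, and the same query with one extra outer pair of
# brackets so that "new" and "not a hatchback" apply to both makes.
PAGE_QUERY = ("(make:Ford AND (color:blue OR color:black)) OR "
              "(make:Toyota AND (color:yellow OR color:red)) "
              "AND preowned:false AND (NOT style:hatchback)")
BRACKETED_QUERY = ("((make:Ford AND (color:blue OR color:black)) OR "
                   "(make:Toyota AND (color:yellow OR color:red))) "
                   "AND preowned:false AND (NOT style:hatchback)")
```

With this evaluator's precedence the query as written matches cars 1, 4, 5 and 6, because the first bracketed clause stands alone on the left of the OR and is never tested against preowned:false or the NOT term; the version with the outer brackets matches only the new, non-hatchback cars 1 and 4. Whatever precedence your search engine applies, bracketing the whole OR is what makes the intent explicit, and the same care applies when a saved search drives an alerting rule.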


Reserved Characters

By default, the following characters are operators: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

These characters can also be used as a normal part of your search, but you must precede each one with a backslash escape character. To search for the term "D:\", you must escape the colon and the backslash, like so: D\:\\
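An added Python helper (not Savision iQ's own code) that applies the escaping rule above when a search is built from text that should be matched literally, such as a path copied out of a log or a value typed into a search box, so that none of it is interpreted as operators. The accepted field-name pattern and the decision to quote values containing whitespace are assumptions of this example.

```python
# Added example (not Savision iQ's own code): build a field search from text
# that must be matched literally, such as a path copied from a log or a value
# typed into a search box, by escaping the reserved characters listed above.
import re

# Reserved characters from the text. The two-character operators && and ||
# are covered by escaping & and | individually.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')

# Field names this helper accepts (letters, digits, underscore and dots for
# nested properties such as alertObject.caption). The pattern is an assumption.
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def escape_term(text: str) -> str:
    """Prefix every reserved character with a backslash."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in text)


def field_query(field: str, value: str) -> str:
    """Return field:value with the value escaped. A value containing
    whitespace is also wrapped in double quotes so that it is searched as one
    phrase in that field rather than split across all properties."""
    if not FIELD_NAME.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    escaped = escape_term(value)
    if any(ch.isspace() for ch in value):
        return f'{field}:"{escaped}"'
    return f"{field}:{escaped}"


if __name__ == "__main__":
    print(field_query("path", "D:\\"))                     # path:D\:\\
    print(field_query("message", "cannot authenticate"))  # message:"cannot authenticate"
```

Escaping the value and validating the field name separately means text such as "x OR _exists_:acknowledgedBy" pasted into a message search is looked for as those literal words rather than being parsed as an OR and a second term.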