Event selection criteria
To view the event selection criteria, select Configuration > Event Policies and click Create.
When you click in the Event Selection Criteria box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make another selection.
The selection criteria consist of an opening parenthesis, followed by the slot name, the operator, the slot value (which can be a string based on the type of slot selected), and the closing parenthesis. Use the No Bracket (default) option to specify criteria conditions in a simplified manner. You can optionally select the logical operator AND or OR to add additional conditions. Specifying the opening and closing parentheses is optional.
For more information about slot data types and event operators, see Slot-data-types.
Click 
to specify multiple classes in the selection criteria. You can specify a maximum of 5 event classes. The multiple class conditions in the selection criteria are separated by using the OR operator.
Sarah is an administrator at Apex Global. She has to create a separate event policy for each class if she wants to use the same policy configuration across different event classes. Creating these policies is a tedious task because the event class count is huge. She can click in the event selection criteria to specify multiple classes, use the policy configurations across these classes in a single policy, and reduce the time that she used to spend creating separate policies for each class.
Click Preview to view existing events that match the event selection criteria. With event previewing, you can fine-tune the event selection criteria before a policy is applied to events. This way, you can process specific events based on your business requirement. The preview displays the event count of only existing events that are not closed. A maximum of five events are displayed in the preview and sorted according to the event modification time in descending order. You can preview events for multiple event selection criteria conditions. Usually, event policies process only incoming events that match the selection criteria.
Refer to the following example to view the event count and the event preview:
Example criteria: If you specify the following criteria, all the ALARM events that contain "database" in the message and all the PATROL events that arrive from hosts that begin with "clm" and contain "database" in the message are selected and the policy is applied to them.
The green tick mark indicates that the event selection criteria syntax is correct.
For the slot value, you can specify global variables as shown in the following image:
During execution of the policy, the global variable name is replaced with the variable value. For more information about global variables, see Information-sharing-between-enrichment-policies-with-global-variables.
You can also copy the criteria by clicking Copy 
. The copied criteria can be reused in subsequent policies by pressing Ctrl+V in the Event Selection Criteria field.
About specifying the class
A condition based on the class slot must be specified before any other condition. In the subsequent conditions, the list of slots change based on the class specified. The subsequently displayed slots are subclasses of the parent class selected in the first condition.
For example, in the following image notice the list of slots specific to the selected Alarm class.
