
Event selection criteria


While you create a policy, it is important to select the correct criteria to generate events. Use the following section to learn about the event selection criteria as you create a policy.

 

To view the event selection criteria, select Configuration > Event Policies and click Create.

When you click in the Event Selection Criteria box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make another selection. 

The selection criteria consist of an opening parenthesis, followed by the slot name, the operator, the slot value (which can be a string based on the type of slot selected), and the closing parenthesis. Use the No Bracket (default) option to specify criteria conditions in a simplified manner. You can optionally select the logical operator AND or OR to add additional conditions. Specifying the opening and closing parentheses is optional. 

For more information about slot data types and event operators, see Slot-data-types.

Click Add selection criteria to specify multiple classes in the selection criteria. You can specify a maximum of 5 event classes. The multiple class conditions in the selection criteria are separated by using the OR operator.

Scenario

Sarah is an administrator at Apex Global. She has to create a separate event policy for each class if she wants to use the same policy configuration across different event classes. Creating these policies is a tedious task because the event class count is huge. She can click Add selection criteria in the event selection criteria to specify multiple classes, use the policy configurations across these classes in a single policy, and reduce the time that she used to spend creating separate policies for each class.

Click Preview to view existing events that match the event selection criteria. With event previewing, you can fine-tune the event selection criteria before a policy is applied to events. This way, you can process specific events based on your business requirement. The preview displays the event count of only existing events that are not closed. A maximum of five events are displayed in the preview and sorted according to the event modification time in descending order. You can preview events for multiple event selection criteria conditions. Usually, event policies process only incoming events that match the selection criteria.

Scenario

Sarah is an administrator at Apex Global. She wants to foresee events that are processed by the event policy before it is applied to events so that she can fine-tune the event selection criteria to process specific events based on her business requirement.

Can Sarah achieve this goal?

Yes! Sarah can click Preview for the event selection criteria field on the Create Event Policy screen to preview matching events.

If you have customized the display name of the custom event slots by using APIs, view the display name and the value of the custom event slots in the preview.

Refer to the following example to view the event count and the event preview:

(Image: Matching events count)

(Image: Event selection criteria preview)

Important

  • You cannot directly specify an empty string in the selection criteria. However, you can specify an empty string by using regular expressions (regex) as follows:
    slotName Matches (^$)
    The following list shows the regular expression equivalent for a string:

      • Location Equals "" : Location Matches (^$)
      • Location Does not equal "" : Location Matches ^.+$
  • You can specify the event selection criteria by using the caret (^) character at the beginning and the dollar ($) character at the end of the regular expression. However, the event selection criteria preview does not support the caret (^) and dollar ($) characters.

    A few examples of regular expressions that are supported:
    • Message Matches go*gle
    • Message Matches b[aeiou]bble
    • Message Matches gr(e|a)y
    • Message Matches [b-chm-pP]at|ot
      
  • You can use regular expressions to create non-capturing groups in the event selection criteria. However, the event selection criteria preview does not support non-capturing groups. To learn about non-capturing groups, see regular expression patterns.

  • If you specify multiple classes in the event selection criteria, you cannot use the following criteria as the only criteria to filter events:
    Criteria: Class Equals Event
      
  • While using the advanced filter on the Events page with a condition Class Equals Event, make sure that you do not exceed the maximum limit of 1024 classes. If you exceed the maximum limit, the advanced filter does not return any results for the applied filter.
  • If you have customized the display name of custom classes or event slots of custom classes by using APIs, view and select the display name of the custom classes or custom event slots in the criteria.
      
  • If you specify slots that support multi-line input with the Begins with and Ends with operators, the selection criteria apply to incoming events.
      
  • If you specify the Class slot with an opening parenthesis as the first condition in the criteria, you must use the closing parenthesis to complete the condition. The Class slot must be followed by the AND operator before the next condition.

  • The Anomaly class is not supported for the Class slot in the selection criteria.
      
  • The maximum limit of 32,766 characters for the Event Selection Criteria field includes the length of the incoming event slot data that is used in the event selection criteria. Therefore, if the Event Selection Criteria field exceeds the maximum limit during policy evaluation, the policy evaluation fails, and the policy is not applied to the event. You can see an error under the Others tab on the Event Details page.

Example criteria: If you specify the following criteria, all the ALARM events that contain "database" in the message and all the PATROL events that arrive from hosts that begin with "clm" and contain "database" in the message are selected and the policy is applied to them.

The green tick mark indicates that the event selection criteria syntax is correct.

(Image: Multiple class support in event selection criteria)
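
The example criteria described above, modelled in Python together with the class restrictions and the character limit from the Important list. This is an added example, not the product's evaluation engine; the text form of the criteria, the Host slot name, the Contains operator name, exact class comparison, Python regex behavior, and the size estimate are assumptions.

```python
import re

MAX_CLASSES = 5      # page: at most 5 event classes in one criteria
MAX_CHARS = 32766    # page: field limit, counting incoming slot data too

# Operators named on the page, modelled on plain strings (assumed semantics).
OPS = {
    "Contains": lambda v, x: x in v,
    "Begins with": lambda v, x: v.startswith(x),
    "Matches": lambda v, x: re.search(x, v) is not None,
}

# Assumed text form of the example criteria; the page shows it only as an image.
TEXT = ('(Class Equals ALARM AND Message Contains "database") OR '
        '(Class Equals PATROL AND Host Begins with "clm" AND '
        'Message Contains "database")')
# Same criteria as data: class branches are OR-ed, conditions are AND-ed.
CRITERIA = [
    ("ALARM", [("Message", "Contains", "database")]),
    ("PATROL", [("Host", "Begins with", "clm"),
                ("Message", "Contains", "database")]),
]

def lint(criteria):
    """List the page's class restrictions that the criteria breaks."""
    classes = [cls for cls, _ in criteria]
    problems = []
    if len(classes) > MAX_CLASSES:
        problems.append("more than 5 event classes")
    if "Anomaly" in classes:
        problems.append("Anomaly class is not supported")
    return problems

def selects(event, criteria):
    """True when one class branch matches and all its conditions hold."""
    return any(
        event.get("Class") == cls
        and all(OPS[op](event.get(slot, ""), val) for slot, op, val in conds)
        for cls, conds in criteria)

def evaluation_size(event, criteria, text=TEXT):
    """Criteria text plus the event's data for the slots it uses (estimate)."""
    used = {slot for _, conds in criteria for slot, _, _ in conds}
    return len(text) + sum(len(event.get(slot, "")) for slot in used)

# Constructed sample events.
EVENTS = [
    {"Class": "ALARM", "Host": "web01", "Message": "database connection lost"},
    {"Class": "PATROL", "Host": "clm-db-02", "Message": "database restarted"},
    {"Class": "PATROL", "Host": "web01", "Message": "database restarted"},
    {"Class": "ALARM", "Host": "clm-db-02", "Message": "disk full"},
]
SELECTED = [selects(e, CRITERIA) for e in EVENTS]
```

An event whose Message is long enough to push evaluation_size past MAX_CHARS still matches logically, but per the page the policy evaluation fails and the policy is not applied to it.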

For the slot value, you can specify global variables as shown in the following image:

(Image: Global variable in selection criteria)

During execution of the policy, the global variable name is replaced with the variable value. For more information about global variables, see Information-sharing-between-enrichment-policies-with-global-variables.

You can also copy the criteria by clicking Copy. The copied criteria can be reused in subsequent policies by pressing Ctrl+V in the Event Selection Criteria field.

About specifying the class

A condition based on the class slot must be specified before any other condition. In the subsequent conditions, the list of slots changes based on the class specified. The subsequently displayed slots are subclasses of the parent class selected in the first condition.

For example, in the following image notice the list of slots specific to the selected Alarm class.

(Image: Event selection criteria class)

 

 
