Search Messages screen


The Search Message screen is the first screen displayed when you select the Messages tab at the top of the display. This screen is the entry point to the high-speed GenDex search engine that allows you to search large numbers of messages by keyword. On this screen, you can view the list of all received messages, displayed in reverse chronological order. You can search for data, inspect keywords, or manually add messages to the system log. A depiction of this screen is shown as follows:

The preceding screen is the first screen that is accessed when you click the Messages tab and provides access to all the messages contained in the entire system. The list of messages contains the following fields:

  • Message Time—The first column shows the message time, including both the date and time (relative to the BMC Defender Server platform's server time) and the elapsed time since the event occurred.
  • Message Address—The next column shows the name of the device that generated the message. The name is hyperlinked to the Device Information screen (discussed later).
  • Message Facility—The next column shows the syslog facility for the message. These facilities are also viewable using the Facilities screen.
  • Message Content—The last column shows the message contents, including the severity. The color used to display the event message can be configured using the Configure Color Editor screen (discussed later). Click the Details link to view detailed information about the message.

Search screen controls

At the top of the display are controls that allow you to filter the list (thereby searching for specific keywords). You can also set the maximum page size and access pages using hyperlinks. The Start Date defaults to the latest date on which messages were received (normally the current date if the system is actively receiving messages). The Start Date delimits the search range and therefore the items displayed.

To modify the Start Date, Span Days, Max List, or any other setting, the operator makes the adjustments and clicks the Apply option. This refreshes the screen with the latest settings. Clicking the tab also refreshes the screen, but resets the Start Date, Span Days, Max List, and Filter settings to their entry defaults.

Search function and search terms

On the Search screen, messages are displayed in reverse order from when they were received, with most recent events first.

By default, the screen displays all events (the match pattern is (*)). The operator can change the search pattern to one or more keywords, a keyword followed by a , or an IP address; the screen then displays all matching messages on the system.

If the keyword is a number or an IP address, the screen displays the messages associated with the first IP address matching the search term. If you enter a partial keyword, the screen finds the first matching full keyword and performs the search using that keyword.

Types of search

To the left of the Match Phrase field at the top of the display is a Search Type setting, which selects the search algorithm used to search the data. The default setting, Default, first attempts an Indexed (keyword) search and then performs a Non-Indexed search if no results are found. Other settings can force a non-indexed search or permit a search using a complex regular expression. The operator can click the Help link to the right of this control for additional help on the search types.

The following Search Type modes are available via the drop-down menu next to the Apply option:

  • Default—This is the search mode selected on entry. The system first scans unindexed lines and then uses an indexed search to locate the user-specified Match Phrase data. If there is no indexed data, a non-indexed search is used to locate the data. This is usually fast enough, but can be slow if the system is receiving a large amount of data and a lot of recent unindexed data exists on the system.
  • Indexed—This search mode is similar to the Default mode, except that the system does not scan any unindexed lines and never performs a non-indexed search. This is useful for speeding up searches of historical data (especially if the system is receiving a lot of real-time data and hence holds many unindexed messages). Otherwise, the Default and Indexed search types are very similar.
  • Non-Indexed—This search mode uses an entirely different method of searching the data from the Default and Indexed modes described above. The system launches a background process to scan the log data in the specified time range and makes no use of the data indices. The screen periodically updates (every 15 seconds) to display the latest data that matches the user-specified match phrase. This search type is very rigorous but can be slow.
  • Expression—This search mode is similar to the Non-Indexed search, but permits you to specify a complex match expression (such as those found on the Correlation > Threads screens and elsewhere in the system). See Expression Help for more information.

Wildcards

The Default, Indexed, and Non-Indexed modes all search for the exact phrase entered by the user. The phrase can include a wildcard character such as ( * ) or ( ? ), but must otherwise match the order of the words. The Expression mode, by contrast, permits a more complex, parenthetically nested pattern that includes AND, OR, NOR, and XOR operators.
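As an added illustration (not BMC's code and not the GenDex engine itself), the following Python models the two matching styles described above over a few constructed syslog lines: a wildcard phrase matcher for the Default, Indexed, and Non-Indexed modes, and a small evaluator for parenthetically nested AND/OR/NOR/XOR expressions. The wildcard semantics (* spans any text, ? matches one character, case is ignored) and the expression grammar (all operators at equal precedence, evaluated left to right) are assumptions, since the page does not specify them.

```python
import re
# Constructed sample messages for this demo (not real BMC Defender data).
MESSAGES = [
    "sshd[2201]: Failed password for root from 10.0.0.5 port 4022",
    "sshd[2201]: Accepted password for alice from 10.0.0.7 port 4100",
    "kernel: eth0 link down",
    "sudo: alice : command not allowed ; USER=root ; COMMAND=/bin/bash",
]

# Default/Indexed/Non-Indexed semantics as the page describes them: a literal
# phrase in word order, with * and ? as wildcards. Assumed: * spans any text
# (so the bare (*) phrase matches every message), ? is one character, case is ignored.
_WILD = {"*": ".*?", "?": "."}

def phrase_match(phrase, message):
    regex = "".join(r"\s+" if c.isspace() else _WILD.get(c, re.escape(c)) for c in phrase)
    return re.search(regex, message, re.IGNORECASE) is not None

# Expression mode: terms joined by AND / OR / NOR / XOR, parenthetically nested.
# Operator names come from the page; equal precedence, left to right, is assumed.
OPS = {"AND": lambda a, b: a and b, "OR": lambda a, b: a or b,
       "NOR": lambda a, b: not (a or b), "XOR": lambda a, b: a != b}

def expression_match(expr, message):
    tokens, pos = re.findall(r"\(|\)|[^\s()]+", expr), 0
    def parse():                     # expr := operand (OP operand)*
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos].upper() in OPS:
            op, pos = tokens[pos].upper(), pos + 1
            value = OPS[op](value, operand())
        return value
    def operand():                   # operand := "(" expr ")" | wildcard term
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return phrase_match(tok, message)
        value = parse()
        if tokens[pos:pos + 1] != [")"]:
            raise ValueError("unbalanced parentheses in expression")
        pos += 1
        return value
    result = parse()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return result

def search(pattern, messages=MESSAGES, mode="Default"):
    match = expression_match if mode == "Expression" else phrase_match
    return [m for m in messages if match(pattern, m)]
```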

Notes

  • The special ( * ) match phrase (the default value) always lists all messages for the specified time range, useful for seeing the general activity for a selected time.
  • A completely different forensic search facility exists, available via the Reports > Query screen. This alternative search facility provides the most rigorous type of search for system data and provides additional tools useful for more complex forensic searches and analysis.

Once the operator has acquired a list of messages, the results can be searched further using the Search These Results link at the top of the screen. This permits an additional match pattern to be specified and allows the search to be limited to messages of a specific severity range. The search terms can be complex BMC Defender patterns. Only the results already acquired by the main match pattern are searched.

Search screen, special notes

The keyword item, used to filter the display, defaults to (*), which matches all events. For an Indexed type search, the keyword must begin with two non-numeric characters or an IP address.

To view new messages as they arrive at the system in real time, the operator clicks the screen tab or clicks the Apply option. This refreshes the display with the latest message information. When the user pages through the display (using the hyperlinked page options), new events are not shown. This assists in reviewing historical information without the display constantly scrolling, which is particularly important if the BMC Defender Server is logging many messages.

When performing a Non-Indexed or Expression type of search, the system initially attempts to locate the data, but then creates a background process to search the data further (which might take some time, depending on the Span of data to search). While this type of search is running, you can periodically refresh the display or terminate the background search using special controls that appear at the top of the screen.

Note

This screen uses an indexed search engine, which permits rapid searches of large amounts of data. Searches always start at the specified Start Date, and that pull-down menu can be used to confine the search to a particular time range and earlier. This allows an operator to limit search results to data collected from an earlier date.



BMC AMI Command Center for Security 5.9