Searching and querying message data


One of the main purposes of BMC Defender Server is to locate message data that matches a specific pattern, keyword, or characteristic. This is typically one of the first things that BMC Defender Server is used for, after installation. BMC Defender Server provides various facilities and screens that allow you to search for message data immediately.

  • Messages > Search facility—BMC Defender Server implements a high-speed indexed search function that is accessed by using the Search hyperlink at the top of the screen, or by clicking the Messages > Search tab. The Search facility allows you to quickly review large amounts of data to locate messages by indexed keyword. This is the fastest way to search for data on the system but requires you to start the search with a message keyword. Keywords are automatically derived from incoming messages and include any word used in any message that does not contain special characters or numbers. A list of current keywords is available on the main Search screen. Various modes of searching are described in Using BMC Defender Server applications.
  • Reports > Query facility—BMC Defender Server implements a more rigorous (but slower) search facility that is accessed by using the Query hyperlink at the top of the screen, or by clicking the Reports > Query tab. The Query facility meticulously goes through all messages on the system (identified by a selected range) and compares each message to a potentially complex match pattern. The Query facility runs in the background and maintains a history of queries. Although the Query facility is not as fast as the Search facility, the Query function allows you to search for messages that consist of logical combinations of keywords, wildcards, numeric text, and other qualifiers.
  • Correlation > Threads facility—BMC Defender Server allows you to classify and catalog incoming data by a variety of criteria, including match pattern, device group, facility code, severity, etc. These messages are classified as BMC Defender Server receives them, in real time. Within each catalog, you can search for data (to a limited extent, governed by the Max Non-Indexed Search parameter on the Messages > Config > Parms screen, 100,000 messages by default). Various predefined catalogs exist, including catalogs by device, username, facility, and severity. BMC Defender Server threads operate in a manner identical to these predefined catalogs, except that the classifications are completely user defined.

These facilities are easy to get started with. The operator can click the Messages > Search tab (or Query hyperlink, found in the upper right corner of the web screen) to immediately access the message data and begin viewing and searching real-time data being received by the system.

Note

Two separate search facilities exist: The Search function is generally faster, but slightly less flexible than the Query function. The Query function is a more powerful search facility, generally useful for conducting complex forensic investigations.

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*
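To make the difference between the two facilities concrete, the following is a small Python model (an added example, not BMC's implementation) of the behaviour this page describes: an index built only from keywords that contain no digits or special characters, a Search that accepts a trailing asterisk as in the tip above, and a Query that scans every message against a full pattern. The sample messages are constructed.

```python
import re
from collections import defaultdict

# Constructed sample messages, not data from a real BMC Defender Server.
MESSAGES = [
    "Jan 10 12:00:01 fw1 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
    "Jan 10 12:00:02 web1 httpd: certificate for www.example.com expires in 7 days",
    "Jan 10 12:00:03 web1 httpd: certbot renewal failed, retry scheduled",
    "Jan 10 12:00:04 fw1 kernel: iptables DROP src=203.0.113.9 dst=10.0.0.5 proto=tcp",
    "Jan 10 12:00:05 db1 mysqld: Access denied for user 'root'@'10.0.0.7'",
]

# Keyword rule from the page: a token is indexable only if it has no digits
# and no special characters, so "sshd[1234]:" and "10.0.0.5" never become keywords.
LETTERS_ONLY = re.compile(r"[A-Za-z]+")


def keywords(message):
    """Derive the indexable keywords of one message (lower-cased, letters only)."""
    return {tok.lower() for tok in message.split() if LETTERS_ONLY.fullmatch(tok)}


def build_index(messages):
    """Map each keyword to the positions of the messages that contain it."""
    index = defaultdict(set)
    for pos, msg in enumerate(messages):
        for kw in keywords(msg):
            index[kw].add(pos)
    return index


def search(index, term):
    """Indexed Search: exact keyword, or prefix when the term ends in '*' (cert* -> certificate, certbot)."""
    term = term.lower()
    if term.endswith("*"):
        prefix = term[:-1]
        hits = set()
        for kw, positions in index.items():
            if kw.startswith(prefix):
                hits |= positions
        return sorted(hits)
    return sorted(index.get(term, set()))


def query(messages, pattern):
    """Full-scan Query: compare every message to a regular expression, so numeric text such as an IP is matchable."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [pos for pos, msg in enumerate(messages) if rx.search(msg)]
```

Searching for an address such as 10.0.0.5 returns nothing from the index, because it was never a keyword; the same address is found by a Query scan.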

BMC Defender SIEM Correlation Server 6.0