      I'm not having a lot of success filtering by message text. I'm assuming that filter maps to the column Rule Message that appears on the default Event List component. Usually when I click on an event and then click on a filter it populates the filter with the text that exists in that event, but that isn't happening so maybe there is no "Message_Text" in this instance?


I'm looking for any event where something "logged on". When I try the regex contains(logged on), I get the error that it is an invalid regex. When I use logged\son, then it finds nothing. Right now I'm trying a regex for the last 30 minutes of events, contains(o), just to see if contains() works, and it is getting killed performance-wise. I'm gathering that contains() isn't very useful either.

        • 1. Re: Filter by Message_Text

          Message_Text is a "Custom Type" field that is also a non-indexed field by default, so unless you are running 9.3.2 you do not have the option to filter using RegEx on that field.

          You can't change the columns in the Events view (wish you could).


          Selecting a particular event, and then clicking over to a Filter field only works if there is data in that field, and if you are selecting the correct type of view/window.


From the Events drill-down from Event Summary, when an event in the Events view is selected, you can click in to Source or Destination IP and it populates, but not for Source or Destination User. Or, if you select the Event Summary, you can click and populate the Signature ID or Device Type ID, etc.


          I reviewed the windows message "An account was successfully logged on" and there is not anything mapped to "Message_Text" (in our system).


          We have several data sources mapping to this field (ePO, AS400, etc)

          • 2. Re: Filter by Message_Text
            You can't change the columns in the Events view (wish you could).

In Design mode in a View you can drill down to events - i.e. create an Events View - and then add and remove columns to your heart's content by editing the filter for that View panel. It's the Fields setting, from memory.




            • 3. Re: Filter by Message_Text

We are on 9.3.2. As you can see above, there is valid data in the Rule Message field. When I click Message_Text in the filter, it still does not populate. If there is nothing mapped to Message_Text, then what is the proper filter that should be utilized for Rule Message? I was thinking that the filter name and the column name not matching was just a fluke; if it is not, where is Rule Message?



              I certainly can create a column in the events view. Try it out. Very handy.

              • 4. Re: Filter by Message_Text

                See my screenshots, I have included one from ePO and one from an AS400 that both have the "Message_Text" custom field mapped, versus the Windows "An account was successfully logged on" which does not.

The "Rule Message" is from the "Description" tab; it is the vendor's description of the event ID.

[Screenshots attached: ePO Message.png, Rule Message - 2.png, Rule Message.png]

                • 5. Re: Filter by Message_Text

Philip Waters wrote:

I'm looking for any event where something "logged on"


                  Have you looked at filtering on Normalized ID?


Filter = Normalized ID -> Authentication -> Login
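The diagnosis in this thread is that a regex on Message_Text finds nothing for Windows logons because that custom field is simply not populated for those events, while the text you see in the Rule Message column lives in a different field, and a Normalized ID filter catches logons regardless of source. The following is an added example, not code from the original posts or from the ESM product: it models a handful of constructed events with the three fields discussed (Rule Message, Message_Text, Normalized ID; the dictionary keys and values are assumptions, not the product's real schema) and applies the same three filters so the difference in results is visible.

```python
import re

# Constructed sample events loosely modelled on the fields discussed in the
# thread. Field names, values and Normalized ID strings are assumptions for
# this example only; they are not the real ESM schema.
EVENTS = [
    {"source": "ePO",
     "rule_message": "Console logon",
     "message_text": "User admin logged on to the ePO console",
     "normalized_id": "Authentication/Login"},
    {"source": "AS400",
     "rule_message": "User profile logon",
     "message_text": "Profile QSECOFR logged on from 10.0.0.5",
     "normalized_id": "Authentication/Login"},
    {"source": "Windows",
     "rule_message": "An account was successfully logged on",
     "message_text": None,          # custom field not mapped for this source
     "normalized_id": "Authentication/Login"},
    {"source": "Windows",
     "rule_message": "An account failed to log on",
     "message_text": None,
     "normalized_id": "Authentication/Login Failure"},
]


def compile_filter(pattern):
    """Compile a user-supplied regex; return (regex, None) or (None, error text)."""
    try:
        return re.compile(pattern, re.IGNORECASE), None
    except re.error as exc:
        return None, str(exc)


def filter_by_field(events, field, pattern):
    """Return the sources of events whose `field` is populated and matches `pattern`.

    An unpopulated field (None/empty) can never match, which is why a regex on
    Message_Text silently misses events whose source does not map that field.
    """
    regex, err = compile_filter(pattern)
    if err:
        raise ValueError(f"invalid regex {pattern!r}: {err}")
    return [e["source"] for e in events
            if e.get(field) and regex.search(e[field])]


def filter_by_normalized(events, normalized_id):
    """Return the sources of events carrying exactly this Normalized ID.

    This does not depend on any free-text field being mapped, so it finds the
    Windows logon that the Message_Text regex misses.
    """
    return [e["source"] for e in events if e["normalized_id"] == normalized_id]


if __name__ == "__main__":
    print("Message_Text ~ logged\\son :", filter_by_field(EVENTS, "message_text", r"logged\son"))
    print("Rule Message ~ logged\\son :", filter_by_field(EVENTS, "rule_message", r"logged\son"))
    print("Normalized ID == Login     :", filter_by_normalized(EVENTS, "Authentication/Login"))
```

Running it shows the Message_Text regex returning only the ePO and AS400 events, the same regex over Rule Message returning only the Windows success event, and the Normalized ID filter returning all three logons while excluding the failed logon.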