Using Distributed Regular Expression Search

Use Distributed RegEx Search to run a RegEx search on all configured appliances and retrieve the merged results from the Remote Appliances and the Management Station.

Prerequisites

  • Add remote appliances — Refer to the Creating a Management Station Cluster section in the TIBCO LogLogic® Log Management Intelligence Administration Guide.
  • Your administrator must grant you access to each remote appliance before you can access the data on it. Access to appliances is granted on the Appliances tab of the User Edit page. For more information about user privileges, refer to the Managing Users chapter in the TIBCO LogLogic® Log Management Intelligence Administration Guide.
    Note: LogLogic LMI v5.4.2 or later must be installed on the Management Station and all Remote Appliances.

Procedure

  1. Select Search > Regular Expression Search from the navigation menu.
  2. For a Distributed RegEx Search you must select All Appliances.
    Note: The Distributed RegEx Search does not support Custom Reports on the Management Station.
  3. Select the Device Type from the list of device types configured on the Management Station.
    If you select All, the Source Device field is disabled.
  4. Select the Source Device.
    If All is selected, logs from both the Management Station and Remote Appliances are returned.

    Search results are based on the device name and are mostly returned from the Management Station. However, if the Management Station and a Remote Appliance have the same device name, the logs from both the Management Station and the Remote Appliance are returned.

  5. Define your Search Filter. Select one of the following options and specify the respective parameters.
    • Retrieve All — Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.
    • Pre-Defined — Select a pre-defined search expression (defined in search filters). All search filters you create appear in the drop-down menu as pre-defined search expressions. If the selected filter includes multiple parameter fields, a text field appears for each parameter. The maximum length for each field is 25 characters.
    • Use Words — Use one or more specific words as the search parameter.
    • Use Exact Phrase — Use an exact phrase as a search parameter.
    • Regular Expression — Use a regular expression as a search parameter.

      For more information about modifying or creating search expressions, see Index Search.

  6. Specify the Time Interval to search for data passing through your appliance.
  7. Set a time for the search; do one of the following:
    • Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.
    • Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.
  8. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.
  9. Enter a Search Name for the search. If a name is not entered in this field, the results are displayed as distributed search <date><timestamp>.
  10. To generate the report, click the Run button.
    Note: Only the Management Station appliance can see the merged results from both the Management Station and Remote Appliances. A Remote Appliance can only see its own local results.