Creating a Blok

If you usually search for events that provide you with specific information such as user name or severity, you can create a custom Blok for that criteria and save it for later use.

Procedure
  1. From the Search page, click the Choose Blok icon located next to the Search field, and select New Blok.

    Alternatively, go to Management > Advanced Features > Bloks and click Create New Blok.

  2. In the Add new Blok dialog box, provide the following information:
    1. Parent Group: Select a parent group where you want to save the Blok.

      You can create a new group, select the User group, or select any user-created group.

      Default parent group: When creating a nested group within any 'All' group (for example, All Rules, All Bloks, and so on), the User group is the default group. Otherwise, the current parent group is selected as the default group.

    2. Select the Blok type from the list.
    3. Name: Enter a unique name that consists of a single word with no special characters.
      The Blok name cannot include a period (.). The name can include letters, numbers, hyphens (-), or underscores (_).
    4. Description
    5. Source statement: Enter the source statement. Make sure the syntax is valid. Filter and Time Bloks support SQL, EQL, and ECL syntax. For syntax information, see:
  3. Click Save.

Result
The new Blok is added to the Choose Blok list and is displayed in the Search field. It is also displayed on the All Bloks page and in the parent group that you selected.