Log Source Picker

Instead of using data model names in the Advanced Search query, you can select log sources from the log source picker, and a query including the selected sources is generated for you. You can also use filters to create a dynamic rule to generate the search query.

The generated query includes the system data model and a filter for the selected log sources. For example:

USE system | sys_device IN ('::ffff:198.51.100.2_otherUnix','::ffff:198.51.100.3_otherUnix')
USE system | DeviceInGroup("All Other Unix") OR sys_device = '::1_logapp'
USE system | sys_concentratorId IN ('198.51.100.2', '198.51.100.30')

Limitations

The log source picker in Advanced Search has the following limitations:

  • Even if you have access permissions to Remote Appliances in a Management Station setup, you cannot specify a Remote Appliance in the log source picker and then select the log sources created on that appliance.
  • In the generated query, only the columns of the system data model are shown in the results and in the Columns panel, and only those columns can be used to filter the results. To make the columns of another data model available for filtering or parsing, replace the system data model in the generated query with the appropriate data model. For example:
    USE Other_UNIX | sys_device IN ('::ffff:127.0.0.1_otherUnix','::ffff:10.128.132.92_otherUnix')
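The following Python helper is an added example, not part of the product or of this documentation; it reproduces the two query shapes shown above from a list of selected devices and groups, and performs the data model swap described in the last limitation. The quoting rule for literals and the validation of model names are assumptions, and the device identifiers used in the test are constructed sample values.

```python
import re

# Added example (not the product's own code). Assumes the query shapes shown on this page:
#   USE <model> | sys_device IN ('<id>','<id>')
#   USE <model> | DeviceInGroup("<group>") OR sys_device = '<id>'
# Literal escaping (doubling embedded single quotes) is an assumption.


def _quote(value: str) -> str:
    """Single-quote a literal, doubling embedded quotes (assumed escaping rule)."""
    return "'" + value.replace("'", "''") + "'"


def build_picker_query(devices=(), groups=(), model="system") -> str:
    """Build the query the log source picker generates for the selected sources."""
    clauses = []
    for group in groups:
        if '"' in group:
            raise ValueError("double quotes are not supported in group names here")
    if groups:
        clauses.append(" OR ".join(f'DeviceInGroup("{g}")' for g in groups))
    if len(devices) == 1:
        clauses.append(f"sys_device = {_quote(devices[0])}")
    elif devices:
        clauses.append("sys_device IN (" + ",".join(_quote(d) for d in devices) + ")")
    if not clauses:
        raise ValueError("select at least one device or group")
    return f"USE {model} | " + " OR ".join(clauses)


_USE_RE = re.compile(r"^USE\s+(\S+)\s*\|\s*(.*)$", re.S)


def retarget_model(query: str, model: str) -> str:
    """Replace the data model of a generated query, keeping its source filter intact."""
    match = _USE_RE.match(query.strip())
    if not match:
        raise ValueError("not a 'USE <model> | <filter>' query")
    # Only accept identifier-like model names so the filter cannot be altered via the model.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", model):
        raise ValueError("unexpected characters in data model name")
    return f"USE {model} | {match.group(2)}"
```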

For steps about using the log source picker and creating a dynamic rule, see Selecting Log Sources.