Event Log Rule -- Multiple Event IDs

  • Question

  • Hi All,

    I am creating a rule that looks at a server's application event log.  I am setting the Event ID equals <value>.  Can I put multiple event IDs in the same value field as opposed to having to create multiple Event ID equals expressions?  For example:

    Event ID equals 45,46,78

    instead of 

    Event ID equals 45

    Event ID equals 47

    Event ID equals 78

    When I try to use a comma as a value separator, the rule no longer seems to work.  Suggestions?

    Thursday, March 3, 2016 5:15 PM

Answers

  • Have it use matches regular expression (45|47|78).

    Paypal me if that helped. ;-)


    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Thursday, March 3, 2016 8:03 PM
    Moderator

All replies

  • When I add the "|" between event IDs, the rule ceases to work.
    Friday, March 4, 2016 2:56 PM
  • Ok, so it might be that the field cannot accept regular expression.  You could try to use log parser on the events and find out what parameter the id is, if it is a parameter.  If it is, figure out what parameter they all are, if the same, then do Parameter 1 matches reg expression, with the same reg expression, that should work.

    Otherwise, you are kind of hosed, and will have to create several different event rules for each event id.

    I have run into that, but usually when I am doing group calc for an instance group.  The field will let you select reg expression, but it won't work.  Bug or not, not really sure, didn't care to waste too much time on it.


    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Monday, March 7, 2016 9:15 AM
    Moderator
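
The pattern suggested in the answer, (45|47|78), also matches longer IDs such as 145 or 7800 if the rule engine treats it as an unanchored search (an assumption; the thread does not say which semantics apply). The Python sketch below is an added example, not code from the thread: it turns the comma list from the question into an anchored pattern and compares both patterns over constructed event records. All function names are hypothetical.

```python
import re

# Constructed sample records; only the numeric event ID matters here.
SAMPLE_EVENTS = [
    {"id": 45, "source": "AppA"},
    {"id": 47, "source": "AppA"},
    {"id": 78, "source": "AppB"},
    {"id": 46, "source": "AppB"},
    {"id": 145, "source": "AppC"},
    {"id": 478, "source": "AppC"},
    {"id": 7800, "source": "AppD"},
]

def comma_list_to_pattern(id_list):
    """Turn '45,47,78' into the anchored alternation '^(45|47|78)$'."""
    ids = []
    for token in id_list.split(","):
        token = token.strip()
        # Accept plain decimal IDs only, so no regex metacharacter
        # can slip into the generated pattern.
        if not re.fullmatch(r"[0-9]+", token):
            raise ValueError(f"not a numeric event ID: {token!r}")
        if token not in ids:
            ids.append(token)
    return "^(" + "|".join(ids) + ")$"

def matching_ids(pattern, events):
    """IDs a rule would fire on, ASSUMING the engine uses search semantics."""
    rx = re.compile(pattern)
    return [e["id"] for e in events if rx.search(str(e["id"]))]

def unintended_matches(pattern, wanted, events):
    """IDs the pattern matches that are not in the intended set."""
    return [i for i in matching_ids(pattern, events) if i not in wanted]

if __name__ == "__main__":
    wanted = {45, 47, 78}
    for pattern in ("(45|47|78)", comma_list_to_pattern("45,47,78")):
        print(pattern, matching_ids(pattern, SAMPLE_EVENTS),
              "unintended:", unintended_matches(pattern, wanted, SAMPLE_EVENTS))
```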