Now, let's combine this event type with the users that we tagged as admin in the previous section:

eventtype="failed_login" tag::user="admin"

This will find all failed logins for administrators. Let's now save this as yet another event type, failed_admin_login. We can now search for these events, as follows:

eventtype="failed_admin_login"

As a final step, let's tag this event type. First, make sure the field eventtype is visible. Your events should look like this:

Notice the three values of eventtype in this case. We are searching only for eventtype=failed_admin_login, but this event also matches the definitions of eventtype=failed_login and eventtype=login. Also notice our tagged user. We are not searching for the admin tag, but jacky matches tag::user=admin, so the value is tagged accordingly.

Following the steps in the previous section, tag eventtype=failed_admin_login with the value actionable:

We can now search for these events with the following query:

tag::eventtype="actionable"

This technique is very useful for building up definitions of events that should appear in alerts and reports. For example, consider the following query:

tag::eventtype="actionable"
| table _time eventtype user
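The same event type and tag definitions, written as the .conf stanzas that the UI steps above create, plus a scheduled alert built on the actionable tag (an added example, not from the book). The login and failed_login event types come from the previous section and are not defined on this page, so the sourcetype and search text used for them here are placeholders.

```ini
# eventtypes.conf
# Base event types from the previous section. The sourcetype and search
# text below are placeholders; replace them with your own definitions.
[login]
search = sourcetype="<your_auth_sourcetype>" ("Accepted" OR "Failed password")

[failed_login]
search = eventtype="login" "Failed password"

# New event type from this section: failed logins by tagged admin users.
# Tags can be used inside an event type's search, so a user tagged "admin"
# later in tags.conf is picked up here without editing this stanza.
[failed_admin_login]
search = eventtype="failed_login" tag::user="admin"

# tags.conf
# Tag the user value jacky as admin (the tagged user shown in the screenshot).
[user=jacky]
admin = enabled

# Tag the new event type as actionable so alerts can key off the tag rather
# than an ever-growing OR list of event type names.
[eventtype=failed_admin_login]
actionable = enabled

# savedsearches.conf
# Scheduled alert: fire when any actionable event appeared in the last 15 minutes.
# Adding further event types to the alert only requires tagging them actionable.
[Actionable events]
search = tag::eventtype="actionable" | table _time eventtype user
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = <alert_recipient@example.com>
```

Place the stanzas in the local directory of the app that owns the knowledge objects and restart or reload the configuration for them to take effect.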