Objective: Give tips to Savision iQ users to help improve their searches and saved searches.
Note: This article is written as of V2.5.1.
When typing a search, keep in mind that although you may be on a certain tab, the search looks across all tabs. This lets you enter a simple search and then switch to one of the other tabs to see the information there. Searches also work together with the Filters for each tab, so be mindful of this. Example: if you are looking for an object that is currently being monitored in SCOM, but you are only allowing the SolarWinds integration, then “no results” will be shown. Each tab currently has its own Filter, so it is possible to set these differently.
As a best practice, it is good to clear all previous searches when you start a new search. To do this, simply click the X on the right-hand side of the search bar.
Matches to the search will be highlighted in YELLOW. Searches look across all data contained in iQ. This means a search looks not only at the areas you normally see, but also into the raw data of the Component, Alert, or Incident. This can explain why you don’t see anything highlighted in yellow on the main window. If you look at the raw data, you will see where it matched.
Generally, results must match the pattern given. This is true for just about any search. For the most part we don’t need to worry about case. That isn’t always so, as described later in this article. You can also add the following terms to include or exclude results: AND, NOT, OR, TO. Examples:
Search | Results | Note |
---|---|---|
sql | ms-sql, SQL-svr01 | Does NOT match sqlsvr01 or Devsql; only results where sql is a word by itself |
*sql* | ms-sql and sqlsrv01 | Any results where the letters sql or SQL exist in any raw property field |
dc?3 | dc03, dc13, DCX3 | Single-character wildcard |
[192.168.1.101 TO 192.168.1.120] | Any IP address in that range | A way to find a range of components |
[dc02 TO dc10] | Any object within that range, e.g. DC05, DC06 | Ranges don't need to be just numbers |
iq AND "Hard Disk" | Returns anything that has both. Great when trying to narrow down to the hard disk on the iq server | If it doesn't have both criteria then it will not return anything. |
iq OR "Hard Disk" | Returns all results for both terms (anything that matches either one) | |
iq AND ("Hard Disk" OR NTFS) | Returns results that have IQ AND either "Hard Disk" or NTFS | Parentheses ( ) can be used to group certain parts of your query together. |
Now there are certain characters that are reserved. You will not be able to search specifically for these characters unless they are in quotes as part of a direct search.
+ - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
For the most part, you should be able to search for just about anything without too much trouble. It is all about defining what you want to search for. There is one case where you may want to see a search term specifically in one of the raw property fields, but searching for that term returns too many results. Example: searching for Alerts with a Priority of HIGH. Searching for the term HIGH is most likely going to give you multiple results. There is a way to target just the priority field.
To do this, first browse to any component/alert/incident and click on it to open up the side panel.
If you move your mouse over the property field, a hover-over will appear with the exact field name.
Now that you have the field name, you can target just that field. The field relates to a certain integration; in this case it comes from a SCOM alert. To target this alert, you can use the following:
source.scom.Priority:HIGH
When it comes to targeting the field name, you have to use the proper case and formatting. It will always be “source” period <integration> period <field name> colon <search>. Here is where things get a bit tricky. There will be times you find the field name has a space in it, for example “IP Address”. In this case you need to escape the space with a backslash (“\”) in the search. Example: source.scom.IP\ Address:192.168.1.100
To make life more interesting, each integration has its own label. So source.solarwinds.IPAddress:192.168.1.100 will return no results because the SolarWinds label is actually “solarWinds”. Therefore, to target this correctly, use source.solarWinds.IPAddress:192.168.1.100
Here is a list of the available integration names you can use:
Integration | Field Name | Example |
---|---|---|
SCOM | scom | source.scom.Display\ Name:test |
SolarWinds | solarWinds | source.solarWinds.IPAddress:192.168.1.100 |
PRTG | prtg | source.prtg.Host:*.savision.int |
AWS | aws | source.aws.RegionDisplayName:"US West" |
Azure | azure | source.azure.state:stopped |
ServiceNow | serviceNow | source.serviceNow.number:INC0010021 |
TOPdesk | topdesk | source.topdesk.number:"M1812 178" |
VMWare | vMwarevCenter | source.vMwarevCenter.hostId:"host-24" |
WhatsUp Gold | whatsupgold | source.whatsupgold.DeviceId:28 |
CA APM | caapm | source.caapm.manModCurrStatus:1 |
Cherwell | | |
Cisco Prime | | |
Ivanti | | |
Jira Software | | |
Nagios | | |
Office 365 | | |
NOTE: There is a way to test if a field exists. Using “_exists_:” returns every component/alert/incident that has the field. Example: _exists_:source.scom.Priority. This only tests for, and shows, objects with that field name. Keep in mind that if you look in the side panel you might not see that value, as the side panel only shows fields that have data. The field name may exist for that component/alert/incident and just not have any data, but this is a good way to at least test that the field name part of your query is correct.
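The field-targeting rules above (exact label casing, escaped spaces in field names, quoted values, and the “_exists_:” check) can be captured in a small query builder. This is an added example, not Savision code: the function names are hypothetical, and backslash-escaping reserved characters other than the space, and escaping quotes inside a quoted value, are assumptions.

```python
import re

# Integration labels exactly as listed in the table above (case-sensitive).
LABELS = ["scom", "solarWinds", "prtg", "aws", "azure", "serviceNow",
          "topdesk", "vMwarevCenter", "whatsupgold", "caapm"]
_BY_LOWER = {label.lower(): label for label in LABELS}

# Reserved characters from the list in this article, plus whitespace.
_RESERVED = re.compile(r'[+\-=&|><!(){}\[\]^"~*?:\\/\s]')


def canonical_label(name):
    """Map any casing of an integration label to the exact casing iQ expects."""
    try:
        return _BY_LOWER[name.lower()]
    except KeyError:
        raise ValueError(f"unknown integration label: {name!r}") from None


def escape_field(field):
    """Backslash-escape spaces (and, by assumption, reserved characters) in a field name."""
    return _RESERVED.sub(lambda m: "\\" + m.group(0), field)


def format_value(value, wildcard=False):
    """Quote a value that contains spaces or reserved characters.

    With wildcard=True the value is passed through so * and ? keep their meaning.
    """
    value = str(value)
    if wildcard or not _RESERVED.search(value):
        return value
    # Assumption: quotes and backslashes inside a quoted value are backslash-escaped.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def field_query(integration, field, value, wildcard=False):
    """Build source.<integration>.<field>:<value>."""
    return (f"source.{canonical_label(integration)}.{escape_field(field)}:"
            f"{format_value(value, wildcard)}")


def exists_query(integration, field):
    """Build an _exists_ query to check that the field name part is correct."""
    return f"_exists_:source.{canonical_label(integration)}.{escape_field(field)}"
```

Running exists_query first and field_query second separates "wrong field name" from "no object has that value" when a search comes back empty.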
Hopefully this helps you with your searches in Savision iQ. If you have any problems, or need some assistance, please contact support@savision.com