Easy Microsoft Operations Management Suite Search queries
Summary: MS OMS generates a lot of useful data. This post introduces how you can gain actionable insights quickly and easily by using the Search feature.
Good morning everyone. Ed Wilson here, and today I want to talk about the powerful Log Search feature in Microsoft Operations Management Suite.
Note: This post is part of a seven-part series about using MS OMS Search. The series includes:
- Easy Microsoft Operations Management Suite Search queries
- Accessing different data types in Microsoft OMS Search
- Filter data returned by Microsoft Operations Management Search
- Filter more data with Microsoft Operations Management Suite Search
- Query event log data with Operations Management Suite Search
- Use Microsoft Operations Management Suite search to track shutdown events
- Using Microsoft Operations Management Suite Search Strings
Search interface in MS OMS
I access Log Search directly from my Overview console, and I am greeted with the Search interface. There are three key areas I want to pay attention to:
- The time frame (by default it is 7 days, but as we will see, I can change this)
- The area where I type my search query
- The actual search icon
These areas are shown here:
Search by string
Many of the logs are full-text indexed. This includes fields such as Description or Name. Obviously, not all fields are indexed for a full-text search because it doesn’t make sense and that would be a big overhead—but the more useful fields are indexed. This makes it easy to do a quick full-text search without incurring a big performance hit.
For example, the other day when I was reviewing my AD assessment (see Use Operations Management Suite for Active Directory assessment), I ran across a number of systems that had blank passwords for some of the accounts. So this might be a good query to start with.
Note: When beginning search queries on MS OMS, it is a good idea to query where you have a good idea of the data to be returned. This can help you have confidence in the returned results and know that you are getting the syntax correct.
All I need to do is type "blank passwords" in the Search box and select the search icon. When I do, it takes a few seconds and then I see the results. The following results page tells me that two types of data were returned: data from the SQL Server assessment and data from the Active Directory assessment. There are a total of six results from the past week, and of these, four are from the SQL assessment and two are from the Active Directory assessment.
Now it is a simple matter to dive into either type of result. For example, I can click SQLAssessmentRecommendation and look at the four records in more detail. When I do, I am presented with four results. In addition, notice that my search query was automatically changed for me. Now instead of “blank passwords,” the search query shows “blank passwords Type=SQLAssessmentRecommendation.”
I can also tell that in addition to my SQL assessment, I have one recommendation, and that is to remove logins with blank passwords. But this also tells me that all four have passed this recommendation and that it affects three computers. This is actually good news, and there is nothing actionable. This is shown in the following image:
If I find that the search query is useful, I may want to save it. I can do this by clicking the Save button at the bottom of the screen. When I do, the Save Search dialog box appears. I give it a name and assign it to a category:
I can then easily find my search query via the Favorites button that is next to the Save button. I don’t have to type the entire name of my saved search; all I need is enough to bring it to the list. Here you can see that my saved search appears near the bottom of the page:
Another great way to retrieve my searches is to use the History button. I use this when I am playing around trying to get my search syntax the way I want it. I may go through several iterations of the same query before it returns the subset of data that I want. I can use Search History to permit me to find a query I ran earlier and compare the search results with more recent permutations.
All I need to do is pick a search query from the history and it will execute the query for me. If I like the results, I can save it. The following image shows the Search History box:
That is all I have for you today. Join me tomorrow when I’ll talk further about using the Search feature in Microsoft Operations Management Suite.
I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.
Ed Wilson
Microsoft Operations Management Team
Comments
- Anonymous
November 28, 2016
Hi, I'm trying to write a search query to filter all VMs in a given Azure resource group. Simple? Apparently not. The search finds something in my given Resource group, but nothing to do with resources, including VMs. Any help, appreciated. Thanks.