IBM Support

Why the "Event ID" for "Windows Security Event Log" events is returned as N/A when searching with advanced search

Question & Answer


Question

Why do I get values of "N/A" when I run an advanced search to look for "Event ID"?

Answer

In AQL, a field written as "Event ID" (in double quotes) refers to the custom event property named Event ID, not to the normalized event ID that the DSM assigns through the QID map (the qideventid field).
A custom property such as "Event ID" is only populated when an expression (typically a regular expression) defined for that property matches the payload of the relevant events. If no such expression exists, or it does not match the payload, the column is returned as N/A.
To search the normalized event ID from the DSM, use the qideventid field in the advanced search instead. For example:
SELECT qideventid FROM events WHERE logsourcetypename(devicetype)='Microsoft Windows Security Event Log' LAST 15 MINUTES
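The following AQL queries are an added example and are not part of the IBM support document. They put the custom property "Event ID" next to the DSM-normalized qideventid for the same events, so it is visible which one is actually populated, and then filter on the normalized value. The example assumes that qideventid holds the Windows event number as a string (4624, a successful logon, is used as the sample value) and that the alias forms in GROUP BY and ORDER BY are accepted by the QRadar release in use.

```sql
-- Added example, not from the IBM page.
-- 1) Side-by-side comparison: the custom property "Event ID" is N/A (NULL) for any
--    event whose payload is not matched by a custom-property expression, while
--    qideventid comes from the DSM / QID map and is populated for every parsed event.
SELECT
    qideventid,                 -- normalized event ID assigned by the DSM
    "Event ID",                 -- custom event property; NULL / N/A unless an expression matches
    QIDNAME(qid) AS event_name, -- human-readable QID name for the same mapping
    COUNT(*) AS events
FROM events
WHERE logsourcetypename(devicetype) = 'Microsoft Windows Security Event Log'
GROUP BY qideventid, "Event ID", qid
ORDER BY events DESC
LAST 15 MINUTES

-- 2) Filter on the normalized event ID instead of the custom property.
--    Assumption: qideventid stores the Windows event number as a string,
--    so '4624' (successful logon) is compared as text.
SELECT
    starttime,
    LOGSOURCENAME(logsourceid) AS log_source,
    username,
    sourceip,
    qideventid,
    QIDNAME(qid) AS event_name
FROM events
WHERE logsourcetypename(devicetype) = 'Microsoft Windows Security Event Log'
  AND qideventid = '4624'
ORDER BY starttime DESC
LAST 15 MINUTES

-- 3) Check which Windows events the custom property fails to parse: if this returns
--    rows, the "Event ID" custom property has no expression matching those payloads,
--    which is exactly the case where the column shows N/A in the search results.
SELECT
    qideventid,
    "Event ID",
    UTF8(payload) AS raw_payload
FROM events
WHERE logsourcetypename(devicetype) = 'Microsoft Windows Security Event Log'
  AND "Event ID" IS NULL
LAST 15 MINUTES
```

Run these from the Log Activity tab in advanced search mode (or via the Ariel search API). If query 3 returns rows while query 1 shows qideventid populated for the same events, the N/A values come from the custom property definition, not from the DSM, and the fix is either to query qideventid as in query 2 or to give the "Event ID" custom property an expression that matches the Windows payload.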


Document Information

Modified date:
08 July 2024

UID

ibm17148442