Use this page of the Create Rule wizard to build an event expression for the rule you are creating.
The Build Event Expression page contains the elements described in the following table.
| Name | Description |
|---|---|
|
Insert |
Enables you to insert an expression value in the Value column of the table. You can also insert the Boolean values AND and OR. |
|
Delete |
Enables you to delete an expression value or a Boolean value from the table. |
|
Formula |
Enables you to view the expression as a formula. |
The table contains the following columns.
| Column | Description |
|---|---|
|
Untitled |
When a row is selected, contains a right arrow that, when you right-click, displays a menu. |
|
Value |
A value that is compared to a second value, according to the defined operator. |
|
Operator |
A drop-down list of the operators you can use. |
|
Value |
A value that is compared to the first value, according to the defined operator. |
 Note |
|---|
| If you do not press TAB after you finish each expression, the value you type in the second Value column does not appear. |
Certain types of rules require specific syntax for event expressions.
- If the data source for the rule is a generic text file, use the
syntax described in the following table.
| Value | Operator | Value |
|---|---|---|
|
Params/Param[1] |
(Select from list) |
(Any value) |
- If the data source for the rule is a generic CSV log, use the
syntax described in the following table.
| Value | Operator | Value |
|---|---|---|
|
Params/Param[#] Where # is the number of the column to search. |
(Select from list) |
(Any value) |
- If the data source for the rule is syslog, use the syntax
described in the following table.
| Value | Operator | Value |
|---|---|---|
|
<facility> |
(Select from list) |
<severity> |
| Note |
|---|
| Facility and severity come from the Unix syslog utility. |
If the Value column contains AND or OR, the menu that appears when you click the right arrow contains the elements described in the following table.
| Name | Description |
|---|---|
|
Insert |
Provides the same options as the Insert button. |
|
Delete |
Deletes the group. |
|
Switch to Or Group or Switch to And Group |
Changes the AND value to OR, or the OR value to AND. |
|
Collapse |
Collapses the rows that make up the group. |
If the Value column contains any value other than AND or OR, the menu that appears when you click the right arrow contains the elements in the following table.
| Name | Description |
|---|---|
|
Insert |
Provides the same options as the Insert button. |
|
Delete |
Generates the same action as the Delete button. |
For any value other than AND or OR, the > button displays the elements in the following table.
| Name | Description |
|---|---|
|
Use known event property |
Enables you to select an event property from a drop-down list. |
|
Use event data parameters |
Enables you to define a parameter. |
|
Parameter Number |
The number of the parameter you want to use. |
See Also
Tasks
How to Create an Alert Generating NT-Event-Log-Based Rule in System Center EssentialsHow to Create an NT-Event-Log Event Collection Rule in System Center Essentials
How to Create a Windows Performance Collection Rule in System Center Essentials
How to Create a WMI Performance Collection Rule in System Center Essentials