Creating custom queries
Predefined queries searches the audit store database for sessions that meet the specific criteria. To see the search criteria, right-click a query, select Properties, then click the Definition tab.
You can write your own queries to search for sessions that meet specific criteria of your choosing. The following example illustrates how to build a query that finds all of the sessions that have been reviewed.
To create a custom query for sessions that have been reviewed:
- Open Audit Analyzer.
- Select Audit Sessions, right-click, then select New Shared Query.
Reviewed Sessionsfor the name of the query and enter a description for the query. For example, type
Sessions that have been reviewed by department auditors.
- Deselect UNIX session as the type of session to include.
- Click Add to add criteria.
review = Reviewedappears in the Criteria field of the New Query dialog box.
- Select Review Status from the Attribute list, select Reviewed, then click OK.
Click Add again.
Select Session Time, select the bottom radio button and Is in, then select this month and click OK.
Verify the Criteria displays both rules, then click OK to complete the query.
After you click OK, the query is listed under Shared Queries.
Click the custom query to get the results.