How to create custom keywords in Event Viewer on Windows 2008?
I'm trying to create a scheduled task that occurs on a certain event that is triggered. I can create a rough filter by application and event id but as usual the application has many different errors with the same id number (not a surprise there!) Therefore I need to include some text or keywords in the filter to narrow down the criteria. Unfortunately the keyword option does not appear to be free form text but I can only select individual pre-setup choices - none of which match my requirements. Pressing F1 to get help and then searching for keywords comes up with NO hits whatsoever. I have a screenshot at http://www.flickr.com/photos/absoblogginlutely/5011233833/ that shows the keyword selections - I want to filter on the text [BIPP] Connection failed.
September 21st, 2010 9:49am

Hi, I cannot find a way to do this through the UI interface either. You may consider editing query manually by editing XML.
Tim Quan
September 21st, 2010 11:38pm

Any update?
September 23rd, 2010 9:51pm

Thanks Tim, Well I'm glad to see I'm not alone in not being able to do it through the UI ;-) Any pointers to doing it through the XML? I'll take a look back at this issue later today when I'll be working on this server in question....
September 24th, 2010 7:49am

Well it wasn't as easy as I hoped but I eventually got there. The event that I was trying to filter out looks like the following in the xml view:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="BlackBerry Policy Service" />
        <EventID Qualifiers="45055">20000</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-09-21T10:02:00.000Z" />
        <EventRecordID>287944</EventRecordID>
        <Channel>Application</Channel>
        <Computer>server.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>[BIPP] Connection failed</Data>
      </EventData>
    </Event>

I was able to use the following filter to filter down to the Application Events for Blackberry Policy Service that were warnings and event 2000 with the text "[BIPP] Connection Failed":

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='BlackBerry Policy Service'] and (Level=3) and (EventID=20000)]] and *[EventData[Data="[BIPP] Connection failed"]]</Select>
      </Query>
    </QueryList>

It doesn't look like it is possible to put wild cards in which is a shame, but for my case it works. (Although I'm now having to work on getting my script to fire correctly *when* this event is triggered rather than IF it exists in the event log.)
September 25th, 2010 5:07pm

This is exactly what I was looking for, but what would the context be if you were only looking for one word inside the EventData -> Data area? For example, the EventID I am looking inside has about 3 pages of text that is varied between the different servers. I want to look inside that for the word degraded, or failed.

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='IAANTmon'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=7500)]] and *[EventData[Data and (Data="Degraded")]]</Select>
      </Query>
    </QueryList>

I tried this, and it did not work, so any recommendations or suggestions would be appreciated.
October 22nd, 2010 1:41pm

Obviously, the above, I was only looking for degraded, because I wasn't sure if I could create an and / or command within XML. So I had the exact same code as above but replaced degraded with failed and had it as a separate trigger.
October 22nd, 2010 1:43pm
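
Added example, not part of the original thread: the Event Log query language is a restricted subset of XPath 1.0 with no contains() or wildcard matching, so one way to match a word inside a long Data value is to trigger on the coarse filter and test the text in the script the task launches. The provider, event ID and keywords are the ones from the post above; the script parameters, the lookback window and the exit codes are assumptions.

```powershell
# Added example: script launched by the scheduled task (not from the thread).
param(
    [string]$Provider        = 'IAANTmon',        # provider from the post above
    [int]   $EventId         = 7500,              # event ID from the post above
    [string]$Pattern         = 'degraded|failed', # regex; -match ignores case
    [int]   $LookbackMinutes = 5                  # assumption: task fires promptly
)

# Structured query: same shape as the filters in the thread, plus a time bound
# so events already handled on earlier runs are not reported again.
$windowMs = $LookbackMinutes * 60 * 1000
$filter = [xml]@"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='$Provider'] and (EventID=$EventId)
        and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

# @(...) yields an empty array when nothing matches, so the loop is skipped.
$events = @(Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue)

$hits = @(foreach ($e in $events) {
    # Properties holds the EventData/Data values of the record, in order.
    $text = ($e.Properties | ForEach-Object { [string]$_.Value }) -join "`n"
    if ($text -match $Pattern) {
        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            RecordId    = $e.RecordId
            Matched     = $Matches[0]
        }
    }
})

if ($hits.Count -gt 0) {
    $hits | Format-Table TimeCreated, RecordId, Matched -AutoSize
    # Hypothetical follow-up: put the alert or remediation step here.
    exit 0
}
exit 1   # nothing in the window contained the keywords
```

The task itself stays attached to the provider and event ID only, and the script decides whether the event text warrants action.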

This topic is archived. No further replies will be accepted.
