I see from the control center > Event Configuration that there are many
fields that don't appear in the GUI > Tips link. One such field is:

Field Name: EventID
Field ID: id
Field Description: A unique ID associated with each individual event
that is generated or received by the Sentinel system.

We have internally developed a plugin (used in action) that will write
event information to an XML file that is used with our ticketing system.
We use this to create correlated rules as a ticket.

The only way I can link one ticket with events in the system is by this
field called "EventID". I've also got a value for it; however, when I
perform a search as "id:<Unique_Event_ID>", I get an error that reads:

"Invalid search filter: Cannot parse 'id:<Unique_Event_ID>': Expression
id:<Unique_Event_ID> in Lucene query is invalid. Field name 'id' is
invalid. See Search tips for information on constructing valid

Is there an easy way to make the field "EventID" searchable using


pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=51550