How to query a specific string in 'unknown devices' at Analysis / Query / Create new query?
Try using the LSDATA command from the database server. Below is an example for an unknown device. Set the correct time. If you know the IP, put it instead of * after the ":". The result would be on the D drive.
lsdata -events Syslog -me "put_specific_string_there" -time 20120101000000 20120223235959 -devices unknown:* > D:\unknown.txt