How missing values are handled in Filter elements

You can adjust what happens when the Filter element is matched to data that does not contain any value for a field that the filter defines.

By default, log data matches the filter only if all fields in the filter are also found in log data.

Since there are different types of data entries, some entries might not contain any value for some field that a filter contains. For example, an Alert entry warning you that the monitoring connection from a Firewall engine has been lost does not contain any source or destination IP address information. The reason for this is that the entry is not related to traffic processing. If you apply a filter that matches an IP address in the Logs view, the Alert is filtered out of the view. Missing values that cannot be verified as matching or non-matching are called undefined values in the configuration.

To define in more detail how missing fields are handled, you have two options:

  • The Undefined value policy setting defines whether log data matches the filter if there are missing fields.
  • The Any Value Comparison operation allows you to define specific fields in the filter that the log data must always have. The value that the field contains is not taken into account. Data entries that do not have these fields do not match the filter.

You can use one of the four Undefined value policy settings to define how missing values are handled. The setting works differently depending on the structure of the filter. The results of logical operations (AND, OR, NOT) in the filter depend on the Undefined value policy setting. A logical operation is typically either true or false. However, if a field in the filter does not exist in a data entry, the logical operation is left undefined.
Table 1. Undefined value policy settings

  False by comparison
    A Comparison operation is false if log data does not have all fields used in the filter. Depending on the structure of the filter, the log data does or does not match the filter. For example, if the outermost operation in the filter is AND, the log data does not match the filter if any of the inner operations are false.

  False by filter
    Log data does not match the filter if the outermost operation in the filter is undefined because log data does not have all fields used in the filter. The filter is false.

  True by filter
    Log data matches the filter if the outermost operation in the filter is undefined because log data does not have all fields used in the filter. The filter is true.

  Undefined
    If the outermost operation is undefined because log data does not have all fields used in the filter, the undefined result is passed to the component that uses the filter. The handling of the undefined result varies according to the component that uses the filter.

    In most cases, this setting works in the same way as "False by filter". If the outermost operation is undefined because log data does not have all fields in the filter, the data does not usually match the filter.

Figure: Undefined values when matching an event

A filter has the IP destination and Destination port fields. ICMP traffic, for example, does not have the Destination port field. If ICMP traffic is matched with the example filter, the filtering results vary according to the selected Undefined value policy:

  • False by comparison — The AND operations are false. As a result, the OR operation is also false. The event does not match the filter.
  • False by filter — The AND operations are undefined (neither true nor false). As a result, the OR operation is also undefined. The setting interprets the undefined result as false. The event does not match the filter.
  • True by filter — The AND operations are undefined (neither true nor false). As a result, the OR operation is also undefined. The setting interprets the undefined result as true. The event matches the filter.
  • Undefined — The AND operations are undefined (neither true nor false). As a result, the OR operation is also undefined. The Undefined setting passes the undefined value to the component that uses the log data. The handling of the data varies according to the component. Most components handle the data in the same way as False by filter, so that the event does not match this filter.
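The three-valued evaluation described above, as an added example that is not part of the product documentation: comparisons return undefined when a field is missing, AND/OR/NOT propagate that value, and each Undefined value policy decides the final result. The filter structure, field names, addresses and the two log entries are constructed for illustration, not taken from a real configuration.

```python
# Added example: three-valued filter evaluation with the four Undefined value
# policy settings. Field names, addresses and entries are constructed.
UNDEFINED = None  # third truth value: a field used in the filter is missing

POLICIES = ("False by comparison", "False by filter", "True by filter", "Undefined")

def field_equals(name, value):
    """Comparison operation on one field of a log entry."""
    def cmp(entry, missing_is_false):
        if name not in entry:
            # "False by comparison" turns a missing field into false right here;
            # every other policy leaves the comparison undefined.
            return False if missing_is_false else UNDEFINED
        return entry[name] == value
    return cmp

def any_value(name):
    """Any Value Comparison: true if the field exists, whatever it contains."""
    return lambda entry, _missing_is_false: name in entry

def AND(*ops):
    def f(entry, mif):
        vals = [op(entry, mif) for op in ops]
        if False in vals:                      # one false operand decides
            return False
        return UNDEFINED if UNDEFINED in vals else True
    return f

def OR(*ops):
    def f(entry, mif):
        vals = [op(entry, mif) for op in ops]
        if True in vals:                       # one true operand decides
            return True
        return UNDEFINED if UNDEFINED in vals else False
    return f

def NOT(op):
    def f(entry, mif):
        v = op(entry, mif)
        return UNDEFINED if v is UNDEFINED else (not v)
    return f

def matches(filt, entry, policy):
    """Evaluate the filter, then apply the policy to an undefined outermost result."""
    result = filt(entry, policy == "False by comparison")
    if result is not UNDEFINED:
        return result
    return {"False by filter": False, "True by filter": True, "Undefined": UNDEFINED}[policy]

def policy_results(filt, entry):
    return {p: matches(filt, entry, p) for p in POLICIES}

# Constructed filter: (IP destination AND Destination port) OR (IP destination AND Destination port)
WEB_FILTER = OR(AND(field_equals("dst_ip", "10.0.0.5"), field_equals("dst_port", 80)),
                AND(field_equals("dst_ip", "10.0.0.5"), field_equals("dst_port", 443)))
# Same destination, but the port must merely be present (Any Value Comparison)
REQUIRE_PORT_FILTER = AND(field_equals("dst_ip", "10.0.0.5"), any_value("dst_port"))
ICMP_ENTRY = {"dst_ip": "10.0.0.5", "protocol": "ICMP"}          # no Destination port field
TCP_ENTRY = {"dst_ip": "10.0.0.5", "dst_port": 443, "protocol": "TCP"}
```

For the ICMP entry the web filter yields false, false, true and undefined for the four policies in the order listed, while the Any Value Comparison filter is false under every policy because the required field is absent.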