Add or edit criteria in Filter elements

You can add new criteria or edit the criteria of Filters that you have created.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Monitoring.
  2. Browse to Other Elements > Filters > All Filters.
  3. Right-click a filter you have created, then select Properties.
    Tip: To edit a filter based on an existing system filter, right-click the filter, then select New > Duplicate.
  4. Select the setting for Undefined Value Policy.
    This setting defines how data entries are matched when a field is included in the filter, but is not present in the entry. For example, a filter defines a range of destination ports, but the operation encounters a log entry from a protocol that does not use ports, such as ICMP.
  5. If there is no logical operation (AND or OR) at the correct level, add one using the shortcut buttons above the editing pane.
    You can nest logical operations to create more complex filters. For example, you can create two AND sections under an OR condition to match either of the two sets of criteria.
  6. To change a logical operation, right-click the operation, select Change To, then select the new operation.
  7. To add a field:
    1. Right-click the logical operation to which you want to add a field, then select New > Select.
    2. Click Fields, then browse to the field group that contains the field you want to add, or browse to All Fields for a list of all available fields.
    3. Select the field, then click Select.
  8. To edit the field:
    1. Right-click the field that was added, then select Edit.
    2. Select the Comparison.

      The available comparison selection depends on the selected field and whether the field already contains one or more values.

      The most common comparisons are:
      • Any Value — Allows you to match any non-empty value in the field.
      • Between — Allows you to match a range (for example, a range of TCP/UDP ports).
      • Contains — Allows you to match any of several alternative values (for example, both an IPv4 address and an IPv6 address).
      • In — Allows you to match a single value (for example, an IP address or Network element).
    3. Depending on the comparison and type of field, define the values that you want the filter to match in one of the following ways:
      • Enter one or more values. For the In or Contains comparison, click Add to add the entered value to the value list.
      • Double-click the empty space in the value list, then select an element.
      • To edit a value that has been added to the value list, double-click the value.
      • To remove a value, right-click the value, then select Remove.
    4. Click Apply.
  9. To remove criteria, right-click the criteria, then select Remove Row or Remove.

    If you select Remove Row, all criteria nested under the row is moved up one level.

    If you select Remove, all criteria nested under the row is also removed.

  10. Click OK.

Filter Properties dialog box (permanent Filter element)

Use this dialog box to create a permanent Filter element that can be used anywhere in the Management Client.

Option Definition
General tab
Name The name of the element.
Category

(Optional)

 Includes the element in predefined categories. Click Select to select a category.
Comment

(Optional)

 A comment for your own reference.
Undefined Value Policy

Defines how data entries are matched when a field is included in the filter, but is not present in the entry (for example, if a filter defines a range of destination ports, but the operation encounters a log entry of traffic over a protocol that does not use ports, such as ICMP).

  • False by comparison: The AND operations are false. As a result, also the OR operation is false. The event does not match the Filter.
  • False by filter: The AND operations are undefined (neither true nor false). As a result, also the OR operation is undefined. The setting interprets the undefined result as false. The event does not match the Filter.
  • True by filter: The AND operations are undefined (neither true nor false). As a result, also the OR operation is undefined. The setting interprets the undefined result as true. The event matches the Filter.
  • Undefined: The AND operations are undefined (neither true nor false). As a result, the OR operation is also undefined. The Undefined setting passes the undefined value to the component that uses the log data, which interprets the undefined result as false. The event does not match the Filter.
New Select a filter to use. To browse for a filter, select Select.
Undo operation Undoes the last change made.
Redo operation Redoes the last change that was undone.
Remove (Delete) Removes the selected part of the expression.
require all of (and) Adds an AND operand.
require any of (or) Adds an OR operand.
NOT Adds a NOT operand.
Option Definition
Tags tab
Tags table Shows the details of the tags associated with the element.
Name Shows the name of the tag.
Comment An optional comment for your own reference.
Type Shows the type of the tag.
Add Tags Adds a tag to the table.