Search Filter Options

There are four types of search expressions you can use when adding a search filter.

Search Filter Comparison
Filter Type        | Search Criteria                          | Use Pre-Defined RegEx Filters | Where Filter Is Used
-------------------|------------------------------------------|-------------------------------|----------------------------------------
Use Words          | A word, or two words with AND/OR         | Yes                           | RegEx Search, Alerts, Real-Time Viewer
Use Exact Phrase   | A phrase                                 | Yes                           | RegEx Search, Alerts, Real-Time Viewer
Regular Expression | Regular expression                       | Yes                           | RegEx Search, Alerts, Real-Time Viewer
Boolean Expression | Keyword search using Boolean expressions | No                            | Index Search and Index Report
Note: Custom reports allow whichever filter types apply to the custom report's contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter for an Index Search or Index Report, choose Boolean Expression as the filter type.

Use Words

Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

Use Exact Phrase

Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Additional Parameters to a Pre-Defined Regular Expression Search Filter.

Regular Expression

Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.

The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.

Note: Avoid using a regular expression when a non-regular-expression alternative is available. Regular expressions are almost always less effective and more error-prone than the alternatives. For instance, instead of the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com.

You can use the * symbol in searches, but in a RegEx search it is not a wildcard: * matches the preceding element zero or more times.

Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.

If you are creating a search filter for an alert, the search filter must be a regular expression.

Boolean Expression

Type a keyword that uses Boolean operators such as AND, OR, or NOT. For example:

“Portmapped translation built for gaddr” and NOT 155.363.777.53

Boolean expressions can search only indexed data. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.

In addition to entering a keyword, you can also type:

  • Numbers and words that are three or more characters long
  • Terms shorter than three characters when they are preceded by =. For example, in user=a or priority=7 the a and 7 are indexed.

Your Boolean expression should be no longer than 4096 characters.
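The following Python is an added illustration of the index rule and the Boolean filter described above; it is not part of the LogLogic documentation, and the tokenizer, the SAMPLE_LOG line and the function names are assumptions (the appliance's real tokenizer and operator precedence are not documented here).

```python
import re

# Constructed sample log line; not taken from the LogLogic documentation.
SAMPLE_LOG = "Portmapped translation built for gaddr 155.363.777.53/443 to 10.0.0.1 user=a priority=7"
# The appliance's tokenizer is not documented, so this one is an assumption: a term
# is the value right after '=' (group 1) or a run of word characters and dots (group 2).
TERM_RE = re.compile(r"=([\w.]+)|([\w.]+)")

def index_terms(line):
    """Numbers and words of 3+ characters, plus shorter values right after '=' (user=a)."""
    terms = set()
    for after_eq, bare in TERM_RE.findall(line):
        if after_eq or len(bare) >= 3:
            terms.add((after_eq or bare).lower())
    return terms

def tokenize(expression):  # ('phrase', q) for double-quoted text, ('word', w) otherwise
    return [("word", w) if w else ("phrase", q)
            for q, w in re.findall(r'"([^"]*)"|(\S+)', expression)]

def matches(expression, line):
    """Evaluate a Boolean filter against one line (NOT binds tightest, then AND,
    then OR). Quoted phrases are substring tests; bare terms must be indexed."""
    if len(expression) > 4096:
        raise ValueError("Boolean expression longer than 4096 characters")
    terms, toks, pos = index_terms(line), tokenize(expression), 0
    def take(op):  # consume the next token if it is this operator, in any case
        nonlocal pos
        hit = pos < len(toks) and toks[pos][0] == "word" and toks[pos][1].upper() == op
        pos += hit  # bool adds 0 or 1
        return hit
    def atom():
        nonlocal pos
        kind, text = toks[pos]
        pos += 1
        return text.lower() in (line.lower() if kind == "phrase" else terms)
    def not_expr():
        return not not_expr() if take("NOT") else atom()
    def and_expr():
        result = not_expr()
        while take("AND"):  # evaluate the right side first so its token is consumed
            result = not_expr() and result
        return result
    def or_expr():
        result = and_expr()
        while take("OR"):
            result = and_expr() or result
        return result
    return or_expr()
```

The sample line contains the excluded address, so the page's example filter rejects it, while the two-character word "to" is findable only as a quoted phrase because it is not indexed.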