Bloks
To analyze your data faster, you can create different types of Bloks in LogLogic LMI to help you accelerate your search process.
A Blok is a contextual element or filter that fits with other elements to form a search query. Bloks are reusable elements of a query. You can combine any types of Bloks together to create complex queries. Build and save different Bloks that can be used in future searches rather than searching every time with the same filter.
LogLogic LMI supports the following types of Bloks:
- Filter Bloks: contain filter statements, aggregation rules
- Correlation Bloks: contain correlation rules
- Time Bloks: contain absolute and relative time ranges
You can have one or more filters in a Blok. If you realize that you need to add another filter to the existing Blok, you can add more filters or build another Blok.
You can add new Bloks and modify existing Bloks from the Search tab. All types of Bloks are managed the same way: on the toolbar, click the menu. When entering a Blok name in the Search field, start with the prefix defined for that type of Blok. Content assist can help you by showing all possible values for that type of Blok. The following is a list of prefixes that you can use:
For example, create a Blok and use it in a search query:
- Create and save a filter Blok that contains user='joe' AND body like '%security%'. Now when you run a query using this Blok, only events matching both "joe" and "security" are retrieved.
- Use this filter Blok and add another element or filter to it to create a more complex query: for example, type user='John' into the same query, giving filter Blok AND user='John'. Now when you run a query using this Blok, events matching "joe and security and john" are retrieved.
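To make the composition concrete, here is an added example (not LogLogic's own code or query engine): a small Python model of filter Bloks that parses the field='value' and field like '%pattern%' statements used above, joins them with AND, and runs a saved Blok and an extended Blok over constructed events. The FilterBlok class, the sample events and the extra '%failed%' filter are assumptions for illustration.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events standing in for LMI log records (not real data).
EVENTS: List[Event] = [
    {"user": "joe", "body": "security alert: failed login"},
    {"user": "joe", "body": "routine backup completed"},
    {"user": "john", "body": "security policy updated"},
    {"user": "joe", "body": "security audit started"},
]

# One filter statement: field='value' or field like 'pattern'
_TERM = re.compile(r"^\s*(\w+)\s*(=|like)\s*'([^']*)'\s*$", re.IGNORECASE)


def parse_term(term: str) -> Callable[[Event], bool]:
    """Turn a single filter statement into a predicate over an event."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter statement: {term!r}")
    field, op, value = m.group(1), m.group(2).lower(), m.group(3)
    if op == "=":
        return lambda ev: ev.get(field) == value
    # SQL-style LIKE: '%' matches any run of characters, '_' exactly one.
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in value)
    rx = re.compile("^" + body + "$", re.DOTALL)
    return lambda ev: rx.match(ev.get(field, "")) is not None


class FilterBlok:
    """A named, reusable set of filter statements combined with AND (hypothetical model)."""

    def __init__(self, name: str, *terms: str):
        self.name = name
        self.terms = list(terms)
        self.preds = [parse_term(t) for t in terms]

    def matches(self, ev: Event) -> bool:
        return all(p(ev) for p in self.preds)

    def extend(self, name: str, *terms: str) -> "FilterBlok":
        """Build a more specific Blok from this one; the saved original is unchanged."""
        return FilterBlok(name, *self.terms, *terms)


def run_query(blok: FilterBlok, events: List[Event] = EVENTS) -> List[Event]:
    """Return the events a query built from this Blok would retrieve."""
    return [ev for ev in events if blok.matches(ev)]
```

Running `run_query(FilterBlok("joe_security", "user='joe'", "body like '%security%'"))` returns only the two "joe" events whose body contains "security"; extending that Blok with "body like '%failed%'" narrows the result to the failed-login event.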