Filter Bloks

You can create filter Bloks that contain one or more filters.

Each filter comprises one or more terms. A filter Blok accepts any valid EQL or SQL statement.

A Blok can hold one or more filters. If you later find that you need another filter, either add it to the existing Blok or build a second Blok. Multiple Bloks of different types can be combined in a single search query. For detailed information about valid filters, see FILTER Statement.

Example

Create a filter Blok and use it in a search query:

Create and save a filter Blok that contains sys_deviceType='Other UNIX' AND sys_body like '%security%'. When you run a query using this Blok, only events whose device type is Other UNIX and whose body contains the string "security" are retrieved.

Use this filter Blok and add another element or filter to it, for example sys_deviceType='Cisco ASA', to build a more complex query: filter.Blok name AND sys_deviceType='Cisco ASA', where Blok name is the name you gave the saved Blok. Be careful with the operator you choose. An event has a single sys_deviceType, so combining the Blok with AND asks for events that are both Other UNIX and Cisco ASA, and no event satisfies that. To retrieve the Other UNIX security events together with the Cisco ASA events, combine the Blok with OR instead; AND is appropriate when the added term narrows the Blok further, for example an additional sys_body condition.
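The following is an added illustration, not the product's own syntax or code: it models the saved Blok from the example as a SQL view over a constructed events table, so the difference between combining it with AND and with OR can be checked in any standard SQL database (the table and view names, and the four sample events, are assumptions made for the example).

```sql
-- Added illustrative example: the saved filter Blok modelled as a SQL view.
-- Table, view and sample rows are constructed for this example only.
CREATE TABLE events (
    id             INTEGER PRIMARY KEY,
    sys_deviceType TEXT NOT NULL,
    sys_body       TEXT NOT NULL
);

-- Constructed sample events: two from a UNIX host, two from a Cisco ASA
INSERT INTO events (id, sys_deviceType, sys_body) VALUES
    (1, 'Other UNIX', 'sshd: security alert, repeated authentication failures'),
    (2, 'Other UNIX', 'cron: nightly backup completed'),
    (3, 'Cisco ASA',  '%ASA-6-302013: Built outbound TCP connection'),
    (4, 'Cisco ASA',  '%ASA-4-106023: Deny tcp by access-group security_in');

-- The saved filter Blok from the example, as a reusable view
CREATE VIEW unix_security_blok AS
SELECT * FROM events
WHERE sys_deviceType = 'Other UNIX' AND sys_body LIKE '%security%';

-- The Blok on its own: Other UNIX events whose body mentions "security"
SELECT id FROM unix_security_blok;

-- Blok AND sys_deviceType='Cisco ASA': contradictory, because a single
-- event has exactly one sys_deviceType, so nothing can match
SELECT id FROM events
WHERE id IN (SELECT id FROM unix_security_blok)
  AND sys_deviceType = 'Cisco ASA';

-- Blok OR sys_deviceType='Cisco ASA': the union of the two filters
SELECT id FROM events
WHERE id IN (SELECT id FROM unix_security_blok)
   OR sys_deviceType = 'Cisco ASA';
```

Run against the sample rows, the first query returns event 1, the AND query returns no rows, and the OR query returns events 1, 3 and 4. Event 4 is included by the OR query because it is a Cisco ASA event, not because its body happens to contain "security"; the Blok's body condition applies only to the Other UNIX branch.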