Search Filter Options

You can use various types of search expressions when adding a search filter.

Search Filter Comparison
Filter type Search criteria Use predefined RegEx filters? Where the filter is used
Use Words A word, or two words with AND/OR Yes RegEx Search, Alerts
Use Exact Phrase A phrase Yes RegEx Search, Alerts
Regular Expression Regular expression Yes RegEx Search, Alerts
Boolean Expression Keyword search using Boolean expressions No Index Search and Index Report
Note: Custom reports allow whichever filter types apply to the content of the custom report. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for Index Search or index report, ensure that you choose the Boolean expression as the filter type.

Use Words

Type a word as your search criteria. If you type more than one word, you can use the AND/OR list.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

Use Exact Phrase

Type a phrase as your search criteria. The appliance searches for strings including the phrase you specify.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Additional Parameters to a Pre-Defined Regular Expression Search Filter.

Regular Expression

Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.

The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters, which are interpreted in a special way (instead of standing for themselves).

Note: Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$” use url.domain=loglogic.com.

You can use a wildcard symbol (*) for searches. Using a wildcard for RegEx searches means the * matches the preceding element zero or more times.

Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts or RegEx Search, select the Pre-Defined option.

If you are creating a search filter for an alert, the search filter must be a regular expression.

Boolean Expression

Type a keyword that uses Boolean operators such as AND, OR, or NOT. For example: 

“Portmapped translation built for gaddr” and NOT 155.363.777.53

Boolean expressions can search only indexed data. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.

In addition to entering a keyword, you can also type:

  • Numbers and words that are three or more characters
  • Terms less than three characters, preceded by =. For example, for terms such as user=a or priority=7, 'a' and '7' are indexed.

The Boolean expression should be no longer than 4096 characters in length.