Filter Bloks
You can create filter Bloks that contain one or more filters.
Each filter comprises one or more terms. A filter Blok supports valid EQL or SQL statements.
A Blok can hold one or more filters. If you later need another filter, you can add it to the existing Blok or build another Blok. Multiple Bloks of different types can be used in a single search query. For detailed information about valid filters, see FILTER Statement.
Example
Create a filter Blok and use it in a search query:
Create and save a filter Blok that includes sys_deviceType='Other UNIX' AND sys_body like '%security%'. Now when you run a query using this Blok, only events whose device type is Other UNIX and whose body contains security are retrieved.
Use this filter Blok and add another element or filter to it, for example, type sys_deviceType='Cisco ASA' in the same query to create a more complex query. For example, filter.Blok name AND sys_deviceType='Cisco ASA', where Blok name is the name you saved the Blok under. Now when you run a query using this Blok, events with Other UNIX, security, and Cisco ASA are retrieved.
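As an added example (not part of this documentation or of the product), the Python below models how a saved Blok is inlined into a query and evaluated against constructed sample events. It assumes the reference syntax filter.<name>, SQL boolean precedence (AND binds tighter than OR) and SQL LIKE wildcards, and it wraps each inlined Blok in parentheses so a Blok that contains OR keeps its grouping when further terms are ANDed onto it.

```python
import re
# Saved filter Bloks by name and sample events; both constructed for this example.
BLOKS = {"unix_security": "sys_deviceType='Other UNIX' AND sys_body like '%security%'"}
EVENTS = [
    {"id": 1, "sys_deviceType": "Other UNIX", "sys_body": "security: login failed for root"},
    {"id": 2, "sys_deviceType": "Other UNIX", "sys_body": "cron job finished"},
    {"id": 3, "sys_deviceType": "Cisco ASA", "sys_body": "Built outbound TCP connection"},
]

def expand_bloks(query, bloks=BLOKS):
    """Inline filter.<name> in parentheses so an OR inside the Blok keeps its grouping."""
    return re.sub(r"filter\.(\w+)", lambda m: "(" + bloks[m.group(1)] + ")", query)

def parse(t, i, level=0):
    if level == 2:
        return parse_term(t, i)
    op = ("OR", "AND")[level]  # OR (level 0) binds looser than AND (level 1)
    node, i = parse(t, i, level + 1)
    while i < len(t) and t[i].upper() == op:
        rhs, i = parse(t, i + 1, level + 1)
        node = (op.lower(), node, rhs)
    return node, i

def parse_term(t, i):
    if t[i] == "(":
        node, i = parse(t, i + 1)
        if t[i:i + 1] != [")"]:
            raise ValueError("missing closing parenthesis")
        return node, i + 1
    field, op, value = t[i], t[i + 1].lower(), t[i + 2]  # e.g. sys_body like '%security%'
    if op not in ("=", "like") or not value.startswith("'"):
        raise ValueError(f"bad term near {field}")
    return (op, field, value[1:-1]), i + 3

def evaluate(node, event):
    if node[0] in ("and", "or"):
        lhs, rhs = evaluate(node[1], event), evaluate(node[2], event)
        return (lhs and rhs) if node[0] == "and" else (lhs or rhs)
    actual = str(event.get(node[1], ""))
    if node[0] == "=":
        return actual == node[2]
    # SQL LIKE: % matches any run of characters, _ exactly one, everything else literal.
    pat = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in node[2])
    return re.fullmatch(pat, actual, re.S) is not None

def run_query(query, events=EVENTS, bloks=BLOKS):
    tokens = re.findall(r"\(|\)|=|'[^']*'|[A-Za-z_]\w*", expand_bloks(query, bloks))
    tree, end = parse(tokens, 0)
    if end != len(tokens):
        raise ValueError("unparsed trailing tokens")
    return [e["id"] for e in events if evaluate(tree, e)]
```

run_query returns the ids of the sample events that satisfy the expanded filter; passing a Blok that contains OR shows why the parentheses matter when you AND a further term onto it.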