A Blok is a contextual element or filter that combines with other elements to form a search query. Build and save Bloks so that you can reuse them in future searches instead of retyping the same filter every time. You can combine Bloks of any type (subject to the restriction on correlation Bloks described below) to create complex queries.
- Filter Bloks: contain filter statements and aggregation rules
- Correlation Bloks: contain different correlation rules
- Time Bloks: contain absolute and relative time ranges
- Source Bloks: contain source statements
A Blok can contain one or more filters. If an existing Blok does not cover what you need, you can add more filters to it and save the result as another Blok. Only one correlation Blok can be used in a query at a time.
You can add new Bloks and modify existing Bloks from the Search tab. You can also manage all types of Bloks from the Administration page: on the toolbar, click the Administration icon; the Administration overview landing page displays the available options. Click the Bloks link. For detailed information, see Manage Bloks.
When an aggregation rule is created, a filter Blok is automatically created for that rule. You cannot edit or delete this type of filter Blok directly. However, when the aggregation rule is updated or deleted, the corresponding filter Blok is updated or deleted from the system along with it.
When entering a Blok name in the Search field, start with the prefix defined for that type of Blok, as listed below. Content assist shows all possible values for that type of Blok.
- time.Blok name
- filter.Blok name
- filter.AGGREGATION_<rule name>
- correlation.Blok name
- source.[sys_concentratorId].Blok name
For example, create a Blok and use it in a search query:
- Create and save a filter Blok that has user='joe' AND body like '%security%'. When you run a query using this Blok, only events with "joe and security" are retrieved.
- Use this filter Blok and add another element or filter to it; for example, append user='John' to the same query to create a more complex query: filter Blok AND user='John'. When you run this query, events with "joe and security and john" are retrieved.
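The following Python script is an added illustration of the composition rules above; it is not the product's own code or query syntax. It expands Blok references written with the prefixes listed above into their saved definitions, enforces the one-correlation-Blok-per-query rule, and refuses to delete an aggregation-derived filter Blok. All Blok names and definitions in it are constructed.

```python
import re

# Constructed saved Bloks, keyed by the prefix syntax used on this page.
SAVED_BLOKS = {
    "time.last_hour": "time >= now() - 1h",
    "filter.joe_security": "user='joe' AND body like '%security%'",
    # Auto-created from a (constructed) aggregation rule named failed_logins.
    "filter.AGGREGATION_failed_logins": "action='login_failure' | count by user",
    "correlation.brute_force": "rule='brute_force'",
    "correlation.lateral": "rule='lateral_movement'",
    "source.[c01].firewalls": "source='fw-*'",
}

# A Blok reference is <type>.<name>; source Bloks carry a [sys_concentratorId] segment.
BLOK_REF = re.compile(r"\b(?:time|filter|correlation|source\.\[[^\]]+\])\.[A-Za-z0-9_]+")

def content_assist(prefix, saved=SAVED_BLOKS):
    """List the saved Bloks whose name starts with the typed prefix."""
    return sorted(name for name in saved if name.startswith(prefix))

def check_query(query, saved=SAVED_BLOKS):
    """Return the problems that make a query non-composable (empty list when it is fine)."""
    refs = [m.group(0) for m in BLOK_REF.finditer(query)]
    problems = [f"unknown Blok: {ref}" for ref in refs if ref not in saved]
    correlations = [ref for ref in refs if ref.startswith("correlation.")]
    if len(correlations) > 1:  # only one correlation Blok is allowed per query
        problems.append("only one correlation Blok per query: " + ", ".join(correlations))
    return problems

def expand_query(query, saved=SAVED_BLOKS):
    """Replace each Blok reference with its saved definition, parenthesised so the
    surrounding AND/OR keep their intended grouping."""
    problems = check_query(query, saved)
    if problems:
        raise ValueError("; ".join(problems))
    return BLOK_REF.sub(lambda m: "(" + saved[m.group(0)] + ")", query)

def delete_blok(name, saved=SAVED_BLOKS):
    """Delete a saved Blok; aggregation-derived filter Bloks change only with their rule."""
    if name.startswith("filter.AGGREGATION_"):
        return False
    return saved.pop(name, None) is not None
```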