FILTER Statement
A filter is an expression that specifies the conditions an event must satisfy to be included in the query results.
The list of available columns is determined by the list of event sources. If the list of event sources is not available, the system does its best to extract those columns using heuristic algorithms. For queries, the filter should contain a time condition; otherwise the default time range is used.
A filter statement is any expression that evaluates to a result of type Boolean. Any event that does not satisfy the condition is eliminated from the results. An event satisfies the condition if the expression returns true when the event's actual values are substituted for any column (variable) references in it.
The following table explains the types of filter statements that can be used:
| Operator | Description |
|---|---|
| AND | Narrows your search results by returning only those events where every one of the AND conditions evaluates to true. For example, use AND to return results containing all of the specified keywords; events that contain only some of them are excluded. |
| OR | Expands your search results by returning events where any of the OR conditions evaluates to true. For example, use OR to return results containing any of the specified keywords. OR is useful when a keyword has common synonyms. To narrow results as much as possible, combine OR conditions with AND conditions. |
| Equals (=), Not equals (<>, !=), Less than (<), Less than or equal (<=), Greater than (>), Greater than or equal (>=) | A comparison condition compares two expressions using one of these seven comparison operators, with their usual meanings. The condition evaluates to true only if the comparison holds, and can be used to narrow search results. For example, |
| Plus (+), Minus (-), Multiply (*), Divide (/) | The arithmetic operators (+, -, *, /) can be used to build expressions that form part of other conditions. For example, |
| LIKE | LIKE is the classic SQL pattern-matching operator. The pattern must match the full string, so add leading and/or trailing wildcards when you want to match only a fragment. Matching is done character by character; the supported wildcard is %, which matches any sequence of characters (including none). |
Examples
| Filter Expression | Definition |
|---|---|
| USE TS_hawk_bwce_getactivitystats_error_count \| COLUMNS application_name, process_name, activity_name, value as ErrorCount \| value > 0.0 \| sys_eventTime in -1h | Displays all BWCE activities whose error count is greater than 0 in the last hour. |
| USE RT_BWCEHawkMicroagentKafkaBookStore_getActivityStats \| [Error Count] > 0.0 | Displays the instantaneous value of the BWCE application activities whose Error Count is greater than 0. |
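The following Python snippet is an added example, not part of this documentation or of the query engine, that emulates the filter semantics described in the operator table (full-string LIKE matching with the % wildcard, comparison, AND) and the first example query above (value > 0.0 over the last hour) on a handful of constructed events. The event records, the fixed "now" timestamp, and the function names are assumptions made for the illustration; in particular, the exact semantics of the sys_eventTime in -1h condition and whether LIKE is case-sensitive are assumed, not taken from the engine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real BWCE telemetry). sys_eventTime is UTC and
# the query "now" is fixed so the example is reproducible offline (assumption).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"application_name": "BookStore", "process_name": "Orders", "activity_name": "InsertOrder",
     "value": 3.0, "sys_eventTime": NOW - timedelta(minutes=10)},
    {"application_name": "BookStore", "process_name": "Orders", "activity_name": "SendMail",
     "value": 0.0, "sys_eventTime": NOW - timedelta(minutes=5)},
    {"application_name": "Inventory", "process_name": "Stock", "activity_name": "UpdateStock",
     "value": 7.0, "sys_eventTime": NOW - timedelta(hours=3)},
    {"application_name": "Inventory", "process_name": "Stock", "activity_name": "LogError",
     "value": 1.0, "sys_eventTime": NOW - timedelta(minutes=59)},
]


def like(value, pattern):
    """Emulate LIKE as described in the table: the pattern must match the whole
    string, and '%' stands for any run of characters (including none).
    Every other character is matched literally; case-sensitive (assumption)."""
    regex = "".join(".*" if ch == "%" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def within_last(event_time, window):
    """Emulate a 'sys_eventTime in -1h' style time condition (assumed semantics):
    window is '-<n><unit>' with unit s, m, h or d, relative to NOW."""
    m = re.fullmatch(r"-(\d+)([smhd])", window)
    if not m:
        raise ValueError(f"unsupported time window: {window!r}")
    n, unit = int(m.group(1)), m.group(2)
    delta = {"s": timedelta(seconds=n), "m": timedelta(minutes=n),
             "h": timedelta(hours=n), "d": timedelta(days=n)}[unit]
    return NOW - delta <= event_time <= NOW


def error_activities(events, window="-1h", name_pattern="%"):
    """Filter: value > 0.0 AND sys_eventTime in <window> AND activity_name LIKE <pattern>,
    projected onto the COLUMNS of the first example query (value AS ErrorCount).
    Each AND operand must hold; an event failing any one of them is dropped."""
    return [
        {"application_name": e["application_name"], "process_name": e["process_name"],
         "activity_name": e["activity_name"], "ErrorCount": e["value"]}
        for e in events
        if e["value"] > 0.0
        and within_last(e["sys_eventTime"], window)
        and like(e["activity_name"], name_pattern)
    ]


if __name__ == "__main__":
    for row in error_activities(EVENTS):
        print(row)
```

Note that like("InsertOrder", "Insert") is false because the pattern has to cover the full string; "Insert%" or "%Order" is needed to match a fragment. Widening the window (for example "-4h") brings the three-hour-old UpdateStock event back into the result, which is the effect of the time condition the section says every query should carry.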