Filtering events
You can use the parameter filterWith to return a subset of all active events, based either on Java REGEX expressions or on comparison operators.
- Java REGEX expressions
- Comparison operators. The following comparison operators are provided:
  - EQ (equal)
  - NOT (not equal)
  - GT (greater than)
  - GTE (greater than or equal to)
  - LT (less than)
  - LTE (less than or equal to)
Comparison operators
Parameter | EQ | GT | GTE | LT | LTE | NOT
---|---|---|---|---|---|---
action | √ | √ | √ | √ | √ | √
ARGS | √ | √ | | | |
cn | √ | √ | √ | √ | √ | √
componentID | √ | √ | √ | √ | √ | √
eventClass | √ | √ | √ | √ | √ | √
eventDate | √ | √ | √ | √ | √ | √
eventID | √ | √ | | | |
FAILFRUS | √ | √ | | | |
FAILSNS | √ | √ | | | |
groupUUID | √ | √ | | | |
localLogID | √ | √ | √ | √ | √ | √
localLogSequence | √ | √ | √ | √ | √ | √
location | √ | √ | | | |
msgID | √ | √ | | | |
mtm | √ | √ | | | |
search | √ | √ | √ | √ | √ | √
sequenceid | √ | √ | √ | √ | √ | √
serialnum | √ | √ | | | |
service | √ | √ | √ | √ | √ | √
severity | √ | √ | √ | √ | √ | √
sourceID | √ | √ | √ | √ | √ | √
sourceLogID | | | | | |
sourceLogSequence | √ | √ | √ | √ | √ | √
timeStamp | √ | √ | √ | √ | √ | √
USERID | √ | √ | | | |
Filtering examples
- Obtaining all events that have a cn (sequence ID) greater than 1:
  https://<Server IP Address>/events?filterWith={"filterType":"FIELDNOTREGEXAND","fields":[{"operation":"GT","field":"cn","value":"1"}]}

  Events can be filtered based on the following fields:

  Parameter | Comparison operator example | Regex expression example
  ---|---|---
  action | `{"operation":"EQ","field":"action","value":"ABCDE"}` | `{"field":"action","value":"ABCDE"}`
  cn | `{"operation":"EQ","field":"cn","value":"1"}` | `{"field":"cn","value":"1"}`
  componentID | `{"operation":"EQ","field":"componentID","value":"FFFFF"}` | `{"field":"componentID","value":"FFFFF"}`
  eventClass | `{"operation":"EQ","field":"eventClass","value":"200"}` or `{"operation":"EQ","field":"eventClass","value":"AUDIT"}` | `{"field":"eventClass","value":"200"}` or `{"field":"eventClass","value":"AUDIT"}`
  eventDate | `{"operation":"EQ","field":"eventDate","value":"2014-02-11T09:54:58Z"}` | `{"field":"eventDate","value":"2014-02-11T09:54:58Z"}`
  eventID | `{"operation":"EQ","field":"eventID","value":"FQXHMCP5810I"}` | `{"field":"eventID","value":"FQXHMCP5810I"}`
  groupUUID | `{"operation":"EQ","field":"groupUUID","value":["FFB657408BEB4161950704AB","59AFBFCF8DBB376A25D68A0A"]}` | `{"field":"groupUUID","value":["FFB657408BEB4161950704AB","59AFBFCF8DBB376A25D68A0A"]}`
  localLogID | `{"operation":"EQ","field":"localLogID","value":"ABCDE"}` | `{"field":"localLogID","value":"ABCDE"}`
  localLogSequence | `{"operation":"EQ","field":"localLogSequence","value":"1"}` | `{"field":"localLogSequence","value":"1"}`
  location | `{"operation":"EQ","field":"location","value":"ABCDE"}` | `{"field":"location","value":"ABCDE"}`
  msgID | `{"operation":"EQ","field":"msgID","value":"ABCDE"}` | `{"field":"msgID","value":"ABCDE"}`
  mtm | `{"operation":"EQ","field":"mtm","value":"ABCDE"}` | `{"field":"mtm","value":"ABCDE"}`
  search | `{"operation":"EQ","field":"search","value":"ABCDE"}` | `{"field":"search","value":"ABCDE"}`
  sequenceid | `{"operation":"EQ","field":"sequenceid","value":"1"}` | `{"field":"sequenceid","value":"1"}`
  serialnum | `{"operation":"EQ","field":"serialnum","value":"ABCDE"}` | `{"field":"serialnum","value":"ABCDE"}`
  service | `{"operation":"EQ","field":"service","value":"100"}` or `{"operation":"EQ","field":"service","value":"NONE"}` | `{"field":"service","value":"100"}` or `{"field":"service","value":"NONE"}`
  severity | `{"operation":"EQ","field":"severity","value":"200"}` or `{"operation":"EQ","field":"severity","value":"INFORMATIONAL"}` | `{"field":"severity","value":"200"}` or `{"field":"severity","value":"INFORMATIONAL"}`
  sourceID | `{"operation":"EQ","field":"sourceID","value":"ABCDE"}` | `{"field":"sourceID","value":"ABCDE"}`
  sourceLogID | `{"operation":"EQ","field":"sourceLogID","value":"ABCDE"}` | `{"field":"sourceLogID","value":"ABCDE"}`
  sourceLogSequence | `{"operation":"EQ","field":"sourceLogSequence","value":"1234"}` | `{"field":"sourceLogSequence","value":"1234"}`
  timeStamp | `{"operation":"EQ","field":"timeStamp","value":"2014-02-11T09:54:58Z"}` | `{"field":"timeStamp","value":"2014-02-11T09:54:58Z"}`

- Applying a filter to match a single event with a sequence ID equal to 16:
  ```json
  {
    "filterType":"FIELDNOTREGEXAND",
    "fields": [{
      "operation":"EQ",
      "field":"cn",
      "value":"16"
    }]
  }
  ```

  ```json
  {
    "filterType":"FIELDREGEXAND",
    "fields": [{
      "field":"cn",
      "value":"16"
    }]
  }
  ```

  These two filters are equivalent: each matches a single event, the one whose cn/sequenceid is equal to 16.
  The filter is composed of two parts:
  - The first part is the filterType, which can take only one value from the following enumeration:
    - FIELDREGEXAND. Regex filter of type AND
    - FIELDREGEXOR. Regex filter of type OR
    - FIELDREGEXNOT. Regex filter of type NOT
    - FIELDNOTREGEXAND. Non-Regex filter of type AND
    - FIELDNOTREGEXOR. Non-Regex filter of type OR
    - FIELDNOTREGEXNOT. Non-Regex filter of type NOT

    The REGEX filters accept only REGEX expressions in the "value" field. The Non-REGEX filters do not accept REGEX expressions in the "value" field; they work with the six comparison operators (EQ, NOT, GT, GTE, LT, LTE) and carry an additional "operation" field that names the comparison operation to apply.
    The "filterType" field is mandatory.
  - The second part is an enumeration of "fields" that defines the target of the filter match. This field is required.
    The "fields" value is a JSON array of JSON objects. In the example above there is only one JSON object ( {"operation":"EQ","field":"cn","value":"16"} ) in the entire JSON array ( [{"operation":"EQ","field":"cn","value":"16"}] ).
- Applying a complex filter:

  ```json
  {
    "filterType":"FIELDNOTREGEXAND",
    "fields": [
      {"operation":"GT", "field":"cn", "value":"16"},
      {"operation":"GTE", "field":"severity", "value":"400"},
      {"operation":"GTE", "field":"timeStamp", "value":"2014-02-11T09:20:35Z"}
    ]
  }
  ```

  This filter matches all events that have a cn/sequenceid greater than 16, a severity greater than or equal to 400, and a timeStamp greater than or equal to 09:20:35 Zulu on February 11, 2014.
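As an added illustration (not part of the original documentation or the product's own code), the following Python builds the filterWith query string and applies the filterType/fields semantics described above to constructed sample events, so that the AND/OR/NOT combination and the regex versus comparison-operator behaviour can be checked offline before a query is sent. The host name, the sample events and the exact matching rules (numeric comparison of numeric-looking values, substring regex matching, NOT meaning "no listed field matches") are assumptions, not taken from the API.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample events (not from the original page), using fields from the filter table.
SAMPLE_EVENTS = [
    {"cn": "15", "severity": "200", "eventClass": "AUDIT", "timeStamp": "2014-02-11T09:10:00Z"},
    {"cn": "16", "severity": "400", "eventClass": "AUDIT", "timeStamp": "2014-02-11T09:30:00Z"},
    {"cn": "17", "severity": "600", "eventClass": "200", "timeStamp": "2014-02-11T10:00:00Z"},
]

def compare(op, actual, expected):
    # Assumed operator semantics: values that both parse as numbers compare numerically (so GT on
    # cn is not a string comparison); anything else, including Zulu timestamps, compares as text.
    try:
        actual, expected = float(actual), float(expected)
    except ValueError:
        pass
    return {"EQ": actual == expected, "NOT": actual != expected, "GT": actual > expected,
            "GTE": actual >= expected, "LT": actual < expected, "LTE": actual <= expected}[op]

def field_matches(filter_type, spec, event):
    value = str(event.get(spec["field"], ""))
    if filter_type.startswith("FIELDREGEX"):
        # Regex filter types: "value" is a pattern; re.search stands in for Java's regex engine and
        # is assumed to match anywhere in the field, so a pattern of "1" would also hit cn "15".
        return re.search(spec["value"], value) is not None
    return compare(spec["operation"], value, spec["value"])

def apply_filter(flt, events):
    # Combine per-field results by the AND/OR/NOT suffix of filterType (NOT is assumed to keep
    # events in which none of the listed fields match).
    ftype = flt["filterType"]
    def keep(event):
        hits = [field_matches(ftype, spec, event) for spec in flt["fields"]]
        if ftype.endswith("AND"):
            return all(hits)
        return any(hits) if ftype.endswith("OR") else not any(hits)
    return [event for event in events if keep(event)]

def filter_url(host, flt):
    # The filter JSON is passed in the filterWith query parameter; urlencode percent-encodes it.
    return f"https://{host}/events?" + urlencode({"filterWith": json.dumps(flt, separators=(",", ":"))})

# The complex filter from the documentation, as a Python dict.
COMPLEX_FILTER = {"filterType": "FIELDNOTREGEXAND", "fields": [
    {"operation": "GT", "field": "cn", "value": "16"},
    {"operation": "GTE", "field": "severity", "value": "400"},
    {"operation": "GTE", "field": "timeStamp", "value": "2014-02-11T09:20:35Z"}]}
```

Running `apply_filter(COMPLEX_FILTER, SAMPLE_EVENTS)` keeps only the cn 17 event, and the regex pattern "1" on cn matches all three sample events, which is why a non-regex EQ is the safer choice when an exact sequence ID is wanted.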