Filter Data with Lucene Searches
The LogRhythm Web Console allows you to filter data on dashboards, widgets, and the Analyze page by using Lucene search syntax. Lucene is an open source text retrieval library released under the Apache Software License. For more information, see Lucene Search Syntax or the Lucene wiki: http://lucene.apache.org/core/2_9_ 4/queryparsersyntax.html.
The Lucene Helper allows users to construct a Lucene query by providing syntax highlighting, field suggestions, and known value integrations. You can use Boolean operators when constructing the query.
To filter data on the entire page using Lucene Helper:
- On the upper-right side of the page, click the Filter icon.
- Begin typing your query.
As you type, a list of suggested field names appears (for example, Direction). - Click a field name in the list to add it to the filter.
A list of available filter values appears (for example, External). - Click the value you want to filter.
Click Filter Dashboard.
Filter behavior within the LogRhythm Web Console:- If a widget has a Lucene filter applied to it, whether within the widget configuration itself or through the dashboard configuration, a filter icon appears on the widget. Point to the filter icon to display the full set of filters being applied to the widget.
- If you filter data on the Dashboards page, the page shows the filtered data.
- If you filter data on the Analyze page, the charts are redrawn to show the newly filtered data.
- Dashboard-level filters do not apply to the Threat Activity Map.
- If a widget has a Lucene filter applied to it, whether within the widget configuration itself or through the dashboard configuration, a filter icon appears on the widget. Point to the filter icon to display the full set of filters being applied to the widget.
FILTER EXAMPLES
impactedHost:"hostname" AND commonEventName:"Detected Spyware Activity"
login:"joe.user" AND classificationName:"Misuse" AND commonEventName:"Unauthorized Activity"
commonEventName:"Detected Backdoor Activity" AND directionName:"External" AND originHost:"106.194.190.227"