Use Multiple Filters
When adding multiple filters, you can select operators to set relationships among them.
- From the feature you want to add a filter to, select an option in the Add New Field Filter.
- Click Edit Values.
- Add Items or Lists, and then click OK.
- Add a second Field Filter.
  Both filters now appear in the grid in the Add New Field Filter dialog box.
- In the Operator column, select the operator you need.

| Operator | Behavior |
| --- | --- |
| AND | All criteria before and after the AND operator must be met. |
| OR | Either the criteria before or after the OR must be met. |
| AND PREVIOUS | All criteria after the AND PREVIOUS operator must be met. In addition, all criteria before the AND PREVIOUS but after an AND/OR operator must be met. |
| OR PREVIOUS | One or more criteria after the OR PREVIOUS operator must be met. Alternatively, any criteria before the OR PREVIOUS but after an AND/OR operator can be met. |

- (Optional) Add more field filters as necessary and configure the operators.

Operators included in searches and filters are validated and must meet the following rules to be run.
- An expression can contain unlimited AND or OR operators, but all operators must be one or the other:
  - VALID: a AND b AND c AND d
  - VALID: a OR b OR c OR d
  - INVALID: a AND b OR c
- AND PREVIOUS cannot immediately follow OR PREVIOUS:
  - VALID: a AND PREVIOUS b AND PREVIOUS c
  - INVALID: a OR PREVIOUS b AND PREVIOUS c
- OR PREVIOUS cannot immediately follow AND PREVIOUS:
  - VALID: a OR PREVIOUS b OR PREVIOUS c
  - INVALID: a AND PREVIOUS b OR PREVIOUS c
Valid expressions are shown in the following table.

| LogRhythm Expression | Expression As Compiled |
| --- | --- |
| a AND b AND c | a AND b AND c |
| a OR b OR c | a OR b OR c |
| a AND b OR PREVIOUS c OR PREVIOUS d | a AND (b OR c OR d) |
| a OR b AND PREVIOUS c AND PREVIOUS d | a OR (b AND c AND d) |

- When you are finished adding all field filters you need, click OK.
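
The validation rules and the compiled forms in the table above can be checked before a filter is built in the dialog box. The following is an added example, not LogRhythm code: `compile_filter` and `is_valid` are hypothetical helpers, and the grouping logic is an assumption inferred from the rules and table on this page, generalized to any number of filters.

```python
PLAIN = {"AND", "OR"}
PREVIOUS = {"AND PREVIOUS": "AND", "OR PREVIOUS": "OR"}

def compile_filter(terms, operators):
    """Validate the Operator column values and return the grouped expression.

    terms: filter names in grid order; operators: one value between each pair.
    Hypothetical helper: grouping is inferred from the table on this page.
    """
    if len(operators) != len(terms) - 1:
        raise ValueError("need exactly one operator between adjacent filters")
    # Rule 1: plain operators must be all AND or all OR.
    plain = {op for op in operators if op in PLAIN}
    if len(plain) > 1:
        raise ValueError("AND and OR cannot be mixed in one expression")
    groups, kinds = [[terms[0]]], [None]
    for term, op in zip(terms[1:], operators):
        if op in PLAIN:                      # starts a new group
            groups.append([term])
            kinds.append(None)
        elif op in PREVIOUS:                 # joins the current group
            kind = PREVIOUS[op]
            # Rules 2 and 3: adjacent PREVIOUS operators must be the same kind.
            if kinds[-1] not in (None, kind):
                raise ValueError(f"{op} cannot immediately follow {kinds[-1]} PREVIOUS")
            kinds[-1] = kind
            groups[-1].append(term)
        else:
            raise ValueError(f"unknown operator: {op!r}")
    parts = []
    for members, kind in zip(groups, kinds):
        text = f" {kind} ".join(members) if kind else members[0]
        # Parenthesise a PREVIOUS group only when other groups surround it.
        parts.append(f"({text})" if kind and len(groups) > 1 else text)
    return f" {next(iter(plain), '')} ".join(parts)

def is_valid(terms, operators):
    try:
        compile_filter(terms, operators)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs taken from the expressions shown on this page.
    print(compile_filter(list("abcd"), ["AND", "OR PREVIOUS", "OR PREVIOUS"]))
    print(is_valid(list("abc"), ["OR PREVIOUS", "AND PREVIOUS"]))
```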