Use Search Strings with Filters
Some filter selections require that you enter a search string. For example, you can filter for a specific email recipient, email sender, or host name.
- From the feature you want to add a filter to, select an option in the Add New Field Filter.
- Click Edit Values.
- In the Add Item field, type the string you want to find. LogRhythm filters support the wildcard characters shown in the following table.

| Wildcard | Usage |
| --- | --- |
| `%` | Match zero characters, single characters, or any string. |
| | Find all records that contain you = `%you%` (default; you do not have to type the wildcards) |
| | Find all records that start with you = `you%` |
| | Find all records that end with you = `%you` |
| `*` | Match zero characters, single characters, or any string. Same as `%`. |
| | Find all records that start with you = `you*` |
| | Find all records that end with ‘me’ = `*me` |
| `_` (underscore) | Match any single character. |
| | Find all five-letter records that start with a and end with z = `a_____z` |
| `[ ]` | Match any character within the brackets or in the range defined within the brackets. |
| | Find all records that end with a, m, or z = `*[amz]` |
| | Find all records that start with a, b, c, or d = `[a-d]*` |
| | Find all records that contain a, m, or z = `*[amz]*` |
| `[^]` | Match any character that is NOT in the brackets or NOT in the range defined within the brackets. |
| | Find all records that do NOT contain a = `[^a]` |
| | Find all records that are NOT between a and x = `[^a-x]` |

- (Optional) Use the escape character, backslash (`\`), before any of the following characters to search for them as string literals:
  `\ * % _ [ ] - ^`
  For example, to filter on John_Smith, where the _ character is part of the value, you must enter `John\_Smith`.
- Select the SQL Pattern Match check box.
- Click Add Item.
- (Optional) Add more items, clearing the SQL Pattern Match check box if not using strings.
- Click OK.
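
The wildcard and escape rules above, as an added Python example (not LogRhythm code): it translates a filter string into a regular expression so that a pattern can be checked against sample values before it is used in a filter. Assumptions: whole-value, case-sensitive matching as in SQL LIKE, and no escapes inside brackets; `like_to_regex`, `matching_values` and the sample values are constructed for illustration.

```python
import re

def like_to_regex(pattern):
    """Translate a wildcard filter string into a compiled regex.
    Assumption: whole-value, case-sensitive matching as in SQL LIKE."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            # Backslash escape: the next character is a literal (John\_Smith).
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c in "%*":
            out.append(".*")          # zero or more characters
        elif c == "_":
            out.append(".")           # exactly one character
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unclosed '[' in pattern: %r" % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            members = body[1:] if negate else body
            if not members:
                raise ValueError("empty bracket set in pattern: %r" % pattern)
            # Keep '-' as the range operator, escape every other member.
            cls = "".join("-" if m == "-" else re.escape(m) for m in members)
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = end                   # jump to the closing bracket
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matching_values(pattern, values):
    """Return the values that the filter string would select."""
    rx = like_to_regex(pattern)
    return [v for v in values if rx.fullmatch(v)]

# Constructed sample field values (not taken from any real log source).
SAMPLES = ["John_Smith", "JohnXSmith", "john.smith", "youtube-proxy",
           "thank-you", "backup01", "web01", "alpha"]

if __name__ == "__main__":
    for p in ["John_Smith", r"John\_Smith", "you%", "%you", "[a-d]*", "*[amz]"]:
        print(p, "->", matching_values(p, SAMPLES))
```

The first two patterns show why the escape matters: unescaped, `John_Smith` also selects `JohnXSmith`, which widens a filter beyond the intended account.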