Skip to main content
Skip table of contents

Filters—Primary Criteria

This page uses adding filters to an Alarm Rule as an example. The names of windows and setting options vary slightly depending on where you are creating or modifying a filter.

The Primary Criteria tab of the Filter Editor is where you specify the filter that will be applied to all qualified events.

To configure primary criteria

  1. (For AI Engine Rules) Select one of the following Data Sources for the Rule Block:
    • Data Processor Logs

    • Advanced Intelligence Engine Events

    If Advanced Intelligence Engine Events is selected, it is highly recommended that you add an AIE Common Event filter to the Primary Criteria to specify which AIE Rules to include. Then follow the steps described in Create an Alarm Rule to create the filter. You can also add a saved filter, instead of creating a new one, by following the steps in the next two sections.

  2. In the upper-left corner of the window, click New.
    The Log Message Filter window appears.

  3. From the Add New Field Filter list, select a field to use as a primary filter.

    The User (Impacted/Origin) by Active Directory Group filter is only available to Global Administrators and Global Analysts. Restricted Analysts and Restricted Administrators may not create or edit an User (Impacted/Origin) by Active Directory Group filter in Personal Dashboard, Investigator Wizard, Tail Wizard, or Report Wizard. Restricted Analysts may run objects that reference an Active Directory Group filter in saved Investigations, Reports, and Report Packages.

  4. Click Edit Values.
    The Field Filter Values window appears with options based on your Field Filter selection.
  5. Select a Filter Mode.
  6. Do one of the following:
    • If you selected a Quantitative Field Filter, such as Host (Impacted) Bytes Rcvd, enter the operator and values.
    • If you selected a Field Filter that requires a user-defined value such as IP Address, enter the value you want in the Add Item field. Select any additional options that are required.
    • If you selected a multi-type field such as Application, select an option from the Item Type list.
    • If you selected a Field Filter such as Log Source Type, the Field Filter Selector window appears. It is populated based on your Field Filter selection. Follow the prompts to further refine your filter, and then click OK.
  7. (Optional) Use the filter options to shorten the list. Enter characters you want to match, select Keyword or Regex, and then click Apply. Only items that contain the characters you entered appear.
  8. Click Add Item.
  9. (Optional) Continue adding items.

  10. (Optional). To delete a filter from the list, select it and click Remove Filter.

  11. Click OK.
    The Add New Field Filters window appears with the newly added filter in the list.
  12. Continue adding filters until you are finished with this field.
  13. (Optional) Continue adding filters.
  14. (Optional) To modify a filter in the list, select it and click Edit Values.
  15. (Optional) To delete a filter from the list, select it and click Delete.
  16. (For Alarms) In the Minimum Event Priority section, specify the minimum priority an event must have to be considered for alarming.
  17. Click OK.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close