When adding multiple filters, you can select operators to set relationships among them.
-
From the feature you want to add a filter to, select an option in the Add New Field Filter.
-
Click Edit Values.
-
Add Items or Lists, and then click OK.
-
Add a second Field Filter.
-
Both filters now appear in the grid in the Add New Field Filter dialog box.
-
In the Operator column, select the operator you need.
Operator
Behavior
AND
All criteria before and after the AND operator must be met.
OR
Either the criteria before or after the OR must be met.
AND PREVIOUS
All criteria after the AND PREVIOUS operator must be met. In addition, all criteria before the AND PREVIOUS but after an AND/OR operator must be met.
OR PREVIOUS
One or more criteria after the OR PREVIOUS operator must be met. Alternatively, any criteria before the OR PREVIOUS but after an AND/OR operator can be met.
-
(Optional) Add more field filters as necessary and configure the operators. Operators included in searches and filters are validated and must meet the following rules to be run.
-
An expression can contain unlimited AND or OR operators, but all operators must be one or the other:VALID: a AND b AND c AND dVALID: a OR b OR c OR dINVALID a AND b OR c
-
AND PREVIOUS cannot immediately follow OR PREVIOUS:VALID: a AND PREVIOUS b AND PREVIOUS cINVALID: a OR PREVIOUS b AND PREVIOUS c
-
OR PREVIOUS cannot immediately follow AND PREVIOUS:VALID: a OR PREVIOUS b OR PREVIOUS cINVALID: a AND PREVIOUS b OR PREVIOUS c
Valid expressions are show in the following table.
LogRhythm Expression
Expression As Compiled
a AND b AND c
a AND b AND c
a OR b OR c
a OR b OR c
a AND b OR PREVIOUS c OR PREVIOUS d
a AND (b OR c OR d)
a OR b AND PREVIOUS c AND PREVIOUS d
a OR (b AND c AND d)
-
-
When you are finished adding all field filters you need, click OK.