Some filter selections require that you enter a search string. For example, you can filter for a specific email recipient, email sender, or host name.
- From the feature you want to add a filter to, select an option in the Add New Field Filter.
- Click Edit Values.
- In the Add Item field, type the string you want to find. LogRhythm filters support the wildcard characters shown in the following table.

| Wildcard | Usage |
| --- | --- |
| `%` | Match zero characters, single characters, or any string. Find all records that contain you = `%you%` (default; you do not have to type in the wildcards). Find all records that start with you = `you%`. Find all records that end with you = `%you`. |
| `*` | Match zero characters, single characters, or any string. Same as `%`. Find all records that start with you = `you*`. Find all records that end with ‘me’ = `*me`. |
| `_` (underscore) | Match any single character. Find all five-letter records that start with a and end with z = `a___z`. |
| `[ ]` | Match any character within the brackets or in the range defined within the brackets. Find all records that end with a, m, or z = `*[amz]`. Find all records that start with a, b, c, or d = `[a-d]*`. Find all records that contain a, m, or z = `*[amz]*`. |
| `[^]` | Match any character that is NOT in the brackets or NOT in the range defined within the brackets. Find all records that do NOT contain a = `[^a]`. Find all records that are NOT between a and x = `[^a-x]`. |

- (Optional) Use the escape character, backslash (\), on any of the following characters to search for them as string literals: \ * % _ [ ] - ^
  For example, to filter on John_Smith, where the _ character is part of the value, you must enter John\_Smith.
- Select the SQL Pattern Match check box.
- Click Add Item.
- (Optional) Add more items, clearing the SQL Pattern Match check box if not using strings.
- Click OK.
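
The following is an added example, not LogRhythm code: a small Python model of the wildcard table and escape rule above, useful for checking what a filter string will and will not match before relying on it. It assumes case-insensitive comparison and that a string with no wildcards is treated as "contains"; the function names and sample values are constructed for illustration.

```python
import re

# Wildcards from the table above, mapped to regex equivalents.
WILDCARDS = {"%": ".*", "*": ".*", "_": "."}

def to_regex(pattern):
    """Translate a filter string into a compiled regex (illustrative model)."""
    out, i, saw_wildcard = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is a literal
            i += 2
        elif ch in WILDCARDS:
            out.append(WILDCARDS[ch])
            saw_wildcard, i = True, i + 1
        elif ch == "[":
            end = pattern.find("]", i + 1)
            inner = pattern[i + 1:end] if end != -1 else ""
            negate = inner.startswith("^")
            members = inner[1:] if negate else inner
            if not members:
                raise ValueError("empty or unclosed [ ] in " + repr(pattern))
            # Keep '-' as the range operator; neutralize other regex specials.
            members = re.sub(r"([\\\[\]^])", r"\\\1", members)
            out.append("[" + ("^" if negate else "") + members + "]")
            saw_wildcard, i = True, end + 1
        else:
            out.append(re.escape(ch))
            i += 1
    body = "".join(out)
    if not saw_wildcard:
        body = ".*" + body + ".*"  # assumption: plain strings mean "contains"
    # Assumption: comparison is case-insensitive.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def matches(pattern, value):
    """True if the whole value satisfies the filter string."""
    return to_regex(pattern).fullmatch(value) is not None

# Constructed sample values, not taken from any real log source.
SAMPLES = ["John_Smith", "JohnXSmith", "john_smith@example.com"]

def hits(pattern, values=SAMPLES):
    """Return the sample values a filter string would select."""
    return [v for v in values if matches(pattern, v)]
```

In this model, the unescaped `John_Smith` also selects `JohnXSmith` because `_` matches any single character, while `John\_Smith` selects only values that contain the literal underscore.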