Creating or editing a filter on Windows
Use the Windows Filter Builder to build filters for event list data.
About this task
Procedure
- Start the Filter Builder.
- Complete the filter setup area as follows:
- Name
- If you are creating a new filter, overwrite the current name with a unique name for the filter. This name is used to select the filter in event list menus. If you are editing an existing filter, you do not need to make an entry in this field.
- Editable
- If you have the relevant administrator permissions, select this
check box to allow other users to edit this filter, or clear the check
box to protect the filter from being modified.Restriction: This setting applies only if the filter is saved as part of an event list configuration (.elc file).
You can now build the filter using a combination of condition, logical, and subquery filter elements. You can also define a filter metric, and copy, paste, and delete elements.
- Create condition elements as follows:
- From the button bar, click Condition.
- From the element definition area, complete the fields
as follows:
- Type
- Select either of the following options from this list:
- Simple: Select this option to use simple expressions in the condition element.
- Complex: Select this option to use complex expressions that allow two database columns or two expressions to be compared.
- Column
- From this list, select a database column that you want to use in the comparison.
- By default, the list contains the names of the columns in the alerts.status database table. The Filter Builder automatically determines which columns are available. There are situations where this list will be different.
- Operator
- Select a comparison operator from this list.
- The range of comparisons available is determined by your selection from the Column drop-down list. Some comparisons are unavailable for certain columns. For example, it is not possible to have a LIKE operation on a numeric column such as Severity.
- Value
- The fields that appear here are dependent on the options that are selected in the Type, Column, and Operator lists.
- If the Type is Simple, then the value fields that appear will depend on whether the database column selected in the Column list is of type string, integer, or time.
- If the Type is Complex, then an Edit button is provided to allow you to edit the SQL directly within the Filter SQL Edit window. When you click OK to save and return to the Filter Builder, the SQL expression is automatically parsed and added to the condition element in the graphical display area. If you enter invalid SQL text in the Filter SQL Edit window, you are required to correct the syntax before exiting the window.
- If required, construct multiple conditions by inserting
logical
AND
orOR
elements as follows:- From the graphical display area, select an existing
element for which you want to create a logical comparison. You can create a logical comparison to a condition element, another logical element, or no element.
- Select either the And condition button or the Or condition button.
- Change the condition attributes on the new condition.
- Click the Apply button to save the changes.
The following table shows what happens if you select either a condition or logical element, and then click one of the logical buttons.
Table 1. Results obtained with the Leading Logical and Trailing Logical buttons Element Leading Logical button used Trailing Logical button used Condition element Creates a logical element as the child of the parent of the condition element. The condition element becomes the child of the logical element. The Trailing Logical button is not available because condition elements cannot have children. Logical element Creates a logical element as the child of the parent of the logical element. The condition element becomes the child of the logical element. The logical element is added as a child of the existing logical element. If the insertion point already has two children, this button is disabled. No element selected Creates a single logical element. Creates a single logical element. - From the graphical display area, select an existing
element for which you want to create a logical comparison.
- If required, negate a condition as follows:
- From the graphical display area, select the condition element.
- From the button bar, click Negate.
The negate element is always inserted before the current insertion point in the tree, and can have only one parent and one child.
Note: It is not possible to insert a negate logical element before an existing negate logical element. However, when editing a filter, it is possible to delete a section of a tree to leave two negate elements one after another. You must delete one of these to create a valid filter.
- If required, create subquery elements as follows:
- From the button bar, click Sub Query.
- From the element definition area, complete the fields
as follows:
- Column
- From this list, select the database column to be used in the search.
- Operator
- Select either of the following options from the list:
- In: Use this option to search for the contents of the column.
- Not In: Use this option to search for the absence of the contents of the field.
- Select
- Select the column to be used when building the list, against which the In or Not In operation is to be performed. The options in this list are determined by the option that is selected in the From list.
- From
- Select the database table from which to derive the information. This can be alerts.details, alerts.journal, or alerts.status.
- If required, set the filter metric as follows:
- Metric
- Use the first list to choose the measurement to be used:
- Select Average to return the average value of the selected field for all alerts that match the filter.
- Select Count to return a count of all the alerts that match the filter. The selected field is not used for this calculation.
- Select Sum to return the sum of the selected field for all alerts that match the filter.
- Select Minimum to return the lowest value of the selected field in alerts that match the filter.
- Select Maximum to return the highest value of the selected field in alerts that match the filter.
- Use the second list to select a field to which the measurement
is applied. Only the integer and time fields in an alert are available
for the metric calculation.Tip: The metric value will be displayed in monitor boxes in the Event List monitor box window.
- If required, copy and paste elements as follows:
- From the graphical display area, select the element to be copied, and select Edit > Copy.
- Paste the element elsewhere into the filter by selecting Edit > Paste.
The Filter Builder attempts to insert the element relative to the element that is currently selected.
- Delete single elements, or parent elements and their children,
as follows:
- From the graphical display area, select the single element
to be deleted, and then click Delete Element in
the button bar, or select Edit > Cut.
When you delete filter elements, the Filter Builder attempts to link the child elements into the filter. This does not work if you try to remove a logical element with two children, or a subquery that has children.
- From the graphical display area, select the parent element to be deleted and click Delete Tree in the button bar. This action removes the currently-selected element and all child elements.
- From the graphical display area, select the single element
to be deleted, and then click Delete Element in
the button bar, or select Edit > Cut.
- After defining the filter, save the filter or cancel your
changes as follows:
- Apply
- Click this button to apply changes to the filter without saving it.
- Close
- Click this button to close the window and discard the changes.