Filter Builder overview

The Filter Builder is an HTML utility that you use to construct filters that are dynamically applied to event data.

Important: Select at least one data source for each filter. These data sources are used to determine which fields you can use in the SQL query. If you select multiple data sources, the Filter Builder permits only the fields that are common to all data sources. The data sources that are selected in the Filter Builder are not used to retrieve event data. You select the data sources for the event feed in the preferences for the widget, such as the Event Viewer or Event Dashboard.

You can use the following modes to create filters; the Filter Builder displays a tab for each mode.

Basic
Provides a set of lists and text fields that you use to specify the filter conditions. To build the conditions, select a field from the specified data source or data sources, select a comparator, and type a numeric or string value. The value is the filtering criteria for the field. If you use basic mode to construct your filter, you can view the resulting SQL in the text field on the Advanced tab.
Advanced
Provides a text field where you can enter ObjectServer SQL syntax.
If you create a filter in advanced mode, it might not be possible to express the SQL syntax in the fields on the Basic tab. Once you save a filter created in advanced mode, the Basic tab is removed for that filter.
Dependent.
This tab is displayed only for dependent filters. On this tab, use the Search fields to identify the filters that you want to use for the dependencies. After you have identified the required filters, use the buttons to move the filters from the Available filters list to the Selected dependencies list. In a dependent filter, the SQL WHERE statements of each filter are concatenated by using OR statements.

Filter Builder metrics

A metric is an aggregate statistic that can be derived from the events that match a filter to display a useful figure, for example, an average, count, or sum of all field values. When a filter is displayed using a monitor box linked to an AEL, the metric information obtained from the set of events that match the filter is used for this display.

User capabilities

The privileges that each user has determines the operations they can carry out on filters, as the following table shows.

Table 1. User capabilities for filters
User privilege Capabilities
ncw_user A user with the ncw_user privilege can do the following:
  • Add, edit and delete their personal filters. That is the filters that appear on the My Filters. list.
  • By default, add and edit global filters.

    The value of the users.global.filter.mode property in WEBGUI_HOME/etc/server.init determines whether a user can add and edit global filters. When the property is set to 1 a user can add and edit global filters. When the property is set to 0 a user cannot add or edit global filters.

  • By default, add and edit group filters.

    The value of the users.group.filter.mode property in WEBGUI_HOME/etc/server.init determines whether a user can add and edit group filters. When the property is set to 2 a user can add, edit or delete group filters. When the property is set to 1 a user can add and edit group filters. When the property is set to 0 a user cannot add or edit group filters.

ncw_admin A user with the ncw_admin privilege can add, edit, and delete any filter, including the filters in any user's My Filters. list.