Filter examples

These examples show how you can use logical comparisons, negate conditions, and subquery elements in filters.

Example: Logical comparison

This example uses the logical AND element. To find all alerts that have been acknowledged and whose severity is greater than Major, use two condition elements: Acknowledged = Yes and Severity > Major.

These elements translate to the SQL condition:

(Acknowledged = 1) and (Severity > 4)

Acknowledged is an integer value for which 0 equates to No and 1 equates to Yes. Severity names map to integer numbers 0-5. Integers are used rather than string values because the Filter Builder manages the translations between names and values.

When a logical element is selected, the element definition area displays two buttons: And and Or. Logical elements are created by default as AND elements. To use an OR element, select the element in the graphical display area and then select Or in the element definition area.

The following figure shows this example, as displayed in the UNIX Filter Builder.

Figure 1. Example logical comparison in the UNIX Filter Builder
This figure shows an example logical comparison in the UNIX Filter Builder.

Example: Negate on UNIX

You can enter a conditional element that finds all the alerts that have a severity of warning, as shown in the following figure.

Figure 2. Example Negate filter condition on UNIX (Part 1)
This figure shows how the initial Condition element of a Negate filter condition is constructed on UNIX.

To negate the condition, select the element and then click the Negate button. The following figure shows the result.

Figure 3. Example Negate filter condition on UNIX (Part 2)
This figure shows how a Negate filter is applied to a Condition element on UNIX.

Example: Negate on Windows

To negate a condition, select the element and then click the Negate button (!). For example, you can enter a conditional element that finds all the events that have a severity of warning, as shown in the following figure.

Figure 4. Example Negate filter condition on Windows (Part 1)
This figure shows how the initial Condition element of a Negate filter condition is constructed on Windows.

To negate the condition, click the Negate button (!) to obtain the following result.

Figure 5. Example Negate filter condition on Windows (Part 2)
This figure shows how a Negate filter is applied to a Condition element on Windows.

Example: Subquery element

The following figure shows a subquery element that compares the Identifier fields of the alerts.status table and the alerts.details table.

Figure 6. Example subquery element on UNIX
This figure shows an example subquery element on UNIX.

Example: Using subquery elements with other elements

This example element compares the Identifier fields in the alerts.status table and the alerts.details table, where the records in the alerts.details table also contain a Name field with the value SpecialValueAlert. The elements that follow the subquery element also refer to the same table as the subquery.

The following figure shows how the subquery element is displayed in the UNIX Filter Builder.

Figure 7. Example subquery element with other elements on UNIX
This figure shows an example subquery element with other elements on UNIX.

The following figure shows how this subquery element is displayed in the Windows Filter Builder.

Figure 8. Example subquery element with other elements on Windows
This figure shows an example subquery element with other elements on Windows.
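
The three kinds of filter condition described on this page can be run against sample data. The following Python script is an added example, not part of the original page or the product, with SQLite standing in for the ObjectServer. The SQL text of the negate and subquery conditions, the value 2 for Warning, and the sample rows are assumptions.

```python
import sqlite3

# The page's three filter kinds as WHERE conditions.
# Only the "logical" text is quoted from the page; the others are assumed.
FILTERS = {
    "logical": "(Acknowledged = 1) and (Severity > 4)",
    "negate": "not (Severity = 2)",  # assumes Warning maps to 2
    "subquery": ("Identifier in (select Identifier from alerts.details "
                 "where Name = 'SpecialValueAlert')"),
}

def build_sample_db():
    """Constructed sample data; SQLite stands in for the ObjectServer."""
    db = sqlite3.connect(":memory:")
    # Attaching a database named "alerts" lets alerts.status resolve as written.
    db.execute("attach database ':memory:' as alerts")
    db.execute("create table alerts.status "
               "(Identifier text, Severity integer, Acknowledged integer)")
    db.execute("create table alerts.details (Identifier text, Name text)")
    db.executemany("insert into alerts.status values (?, ?, ?)", [
        ("evt-1", 5, 1),   # critical, acknowledged
        ("evt-2", 5, 0),   # critical, not acknowledged
        ("evt-3", 4, 1),   # major, acknowledged: fails Severity > 4
        ("evt-4", 2, 0),   # warning: excluded by the negated condition
    ])
    db.executemany("insert into alerts.details values (?, ?)", [
        ("evt-2", "SpecialValueAlert"),
        ("evt-4", "OtherDetail"),
    ])
    return db

def apply_filter(db, name):
    """Return the Identifiers of alerts.status rows that match a filter."""
    sql = ("select Identifier from alerts.status where "
           + FILTERS[name] + " order by Identifier")
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = build_sample_db()
    for name in FILTERS:
        print(name, apply_filter(db, name))
```

The evt-3 row shows the boundary in the logical comparison: an acknowledged alert at Major severity is not returned, because the condition is strictly greater than 4.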