Filtering events

You can use the parameter filterWith to return a subset of all active events based on Java REGEX expressions or based on comparison operators.

You can choose to filter using one of the following methods:
  • Java REGEX expressions
  • Comparison operators. The following comparison operators are provided:
    • EQ (equal)
    • NOT (not equal)
    • GT (greater than)
    • GTE (greater than or equal to)
    • LT (less than)
    • LTE (less than or equal to).
Note: You cannot combine Java REGEX expressions with comparison operators.

Comparison operators

Some fields support only specific comparison operators.
Parameter EQ GT GTE LT LTE NOT
action
ARGS        
cn
componentID
eventClass
eventDate
eventID        
FAILFRUS        
FAILSNS        
groupUUID        
localLogID
localLogSequence
location        
msgID        
mtm        
search
sequenceid
serialnum        
service
severity
sourceID
sourceLogID            
sourceLogSequence
timeStamp
USERID        

Filtering examples

Filtering is passed as part of the URI parameters. The filter itself is in JSON format. All filters follow the following parameter format.

Obtaining all events that have a cn (sequence ID) greater than 1:

https://<Server IP Address>/events?filterWith={"filterType":"FIELDNOTREGEXAND",
"fields":[{"operation":"GT","field":"cn","value":"1"}]}
Events can be filtered based on the following fields:
Parameter Comparison operators example Regex expression example
action
{
   "operation":"EQ",
   "field":"action",
   "value":"ABCDE"
}
{
   "field":"action",
   "value":"ABCDE"
}
cn
{
"operation":"EQ",
"field":"cn",
"value":"1"
}
{
   "field":"cn",
   "value":"1"
}
componentID
{
   "operation":"EQ",
   "field":"componentID",
   "value":"FFFFF"
}
{
   "field":"componentID",
   "value":"FFFFF"
}
eventClass
{
   "operation":"EQ",
   "field":"eventClass",
   "value":"200"
}
or
{
   "operation":"EQ",
   "field":"eventClass",
   "value":"AUDIT"
}
{
   "field":"eventClass",
   "value":"200"
}
or
{
   "field":"eventClass",
   "value":"AUDIT"
}
eventDate
{
   "operation":"EQ",
   "field":"eventDate",
   "value":"2014-02-11T09:54:58Z"
}
{
   "field":"eventDate",
   "value":"2014-02-11T09:54:58Z"
}
eventID
{
   "operation":"EQ",
   "field":"eventID",
   "value":"FQXHMCP5810I"
}
{
   "field":"eventID",
   "value":"FQXHMCP5810I"
}
groupUUID
{
   "operation":"EQ",
   "field":"groupUUID",
   "value": [
      "FFB657408BEB4161950704AB",
      "59AFBFCF8DBB376A25D68A0A"]
}
{
   "field":"groupUUID",
   "value": [
      "FFB657408BEB4161950704AB",
      "59AFBFCF8DBB376A25D68A0A"]
}
localLogID
{
   "operation":"EQ",
   "field":"localLogID",
   "value":"ABCDE"
}
{
   "field":"localLogID",
   "value":"ABCDE"
}
localLogSequence
{
   "operation":"EQ",
   "field":"localLogSequence",
   "value":"1"
}
{
   "field":"localLogSequence",
   "value":"1"
}
location
{
   "operation":"EQ",
   "field":"location",   
"value":"ABCDE"
}
{
   "field":"location",
   "value":"ABCDE"
}
msgID
{
   "operation":"EQ",
   "field":"msgID",
   "value":"ABCDE"
}
{
   "field":"msgID",
   "value":"ABCDE"
}
mtm
{
   "operation":"EQ",
   "field":"mtm",
   "value":"ABCDE"
}
{
   "field":"mtm",
   "value":"ABCDE"
}
search
{
   "operation":"EQ",
   "field":"search",
   "value":"ABCDE"
}
{
   "field":"search",
   "value":"ABCDE"
}
sequenceid
{
   "operation":"EQ",
   "field":"sequenceid",
   "value":"1"
}
{
   "field":"sequenceid",
   "value":"1"
}
serialnum
{
   "operation":"EQ",
   "field":"serialnum",
   "value":"ABCDE"
}
{
   "field":"serialnum",
   "value":"ABCDE"
}
service
{
   "operation":"EQ",
   "field":"service",
   "value":"100"
}
or
{
   "operation":"EQ",
   "field":"service",
   "value":"NONE"
}
{
   "field":"service",
   "value":"100"
}
or
{
   "field":"service",
   "value":"NONE"
}
severity
{
   "operation":"EQ",
   "field":"severity",
   "value":"200"
}
or
{
   "operation":"EQ",
   "field":"severity",
   "value":"INFORMATIONAL"
}
{
   "field":"severity",
   "value":"200"
}
or
{
   "field":"severity",
   "value":"INFORMATIONAL"
}
sourceID
{
   "operation":"EQ",
   "field":"sourceID",
   "value":"ABCDE"
}
{
   "field":"sourceID",
   "value":"ABCDE"
}
sourceLogID
{
   "operation":"EQ",
   "field":"sourceLogID",
   "value":"ABCDE"
}
{
   "field":"sourceLogID",
   "value":"ABCDE"
}
sourceLogSequence
{
   "operation":"EQ",
   "field":"sourceLogSequence",
   "value":"1234"
}
{
   "field":"sourceLogSequence",
   "value":"1234"
}
timeStamp
{
   "operation":"EQ",
   "field":"timeStamp",
   "value":"2014-02-11T09:54:58Z"
}
{
   "field":"timeStamp",
   "value":"2014-02-11T09:54:58Z"
}

Applying a filter to match a single event with a sequence ID equal to 16:

{
   "filterType":"FIELDNOTREGEXAND",
   "fields": [{
      "operation":"EQ",
      "field":"cn",
      "value":"16"
   }]
}

{
   "filterType":"FIELDREGEXAND",
   "fields": [{
      "field":"cn",
      "value":"16"
   }]
}

These two filters are equivalent; they both will match with a single event, the event that has the cn/sequenceid equal to 16.

The filtering is composed of two parts:
  1. The first part is the filterType that can have only one value from the following enumeration:
    • FIELDREGEXAND. Regex filter of type AND
    • FIELDREGEXOR.Regex filter of type OR
    • FIELDREGEXNOT. Regex filter of type NOT
    • FIELDNOTREGEXAND. Non-Regex filter of type AND
    • FIELDNOTREGEXOR. Non-Regex filter of type OR
    • FIELDNOTREGEXNOT. Non-Regex filter of type NOT

    The REGEX filters accept only REGEX expressions in the "value" field. The Non-REGEX filters do not accept REGEX expressions in the "value" field. The Non-REGEX filter works with the six comparison operators (EQ, NOT, GT, GTE, LT, LTE). It also has a special field called "operation" in which to specify the comparison operation.

    The "filterType" is a mandatory field.

  2. The second part is an enumeration of "fields" that define the target of the filter match. This field is required.

    The "fields" is a JSONArray Enumeration composed of JSON Objects. In the above example it can be seen that there is only one JSON ( {"operation":"EQ" , "field":"cn" , "value":"16"} ) in the entire JSONArray ( [{"operation":"EQ" , "field":"cn" , "value":"16"}] ).

Applying a complex filter:

{
   "filterType":"FIELDNOTREGEXAND",
   "fields": [
      {"operation":"GT", "field":"cn", "value":"16"},
      {"operation":"GTE", "field":"severity", "value":"400"},
      {"operation":"GTE", "field":"timeStamp", "value":"2014-02-11T09:20:35Z"}
   ]
}

This filter will match all events that have the cn/sequenceid greater than 16, a severity greater than or equal to 400, and a timeStamp greater than or equal to 9:20:35 Zulu - February 11, 2014.