Complex Filter Syntax
A complex filter lets you configure the filtering parameters very flexibly. However, filter performance can drop considerably if the expression includes many operations.
To filter by time period, severity level, or syslog originator/group, use the main filter for better performance.
Syntax Overview
A filter expression is a line of text. It can include fields, comparison operators, logical operations, and parentheses.
({APPNAME} = "server" or {APPNAME} STARTS_WITH "client") and {MSGID} > "404"
A simple comparison expression must contain:
- A field name in curly brackets, e.g. {APPNAME}
- A comparison operator, e.g. STARTS_WITH
- A value in double quotes, e.g. "server"
Enclose every value in double quotation marks, even if it is a number, e.g. "404".
Escaping Double Quotes
Double each double quotation mark that is part of the value.
{MESSAGE} CONTAINS "begin ""quoted part"" end"
Standard Fields {...}
The field names correspond to the syslog message attributes or are extracted from the message body by a syslog parser.
Custom Fields {$...}
Names of custom fields start with $. Parsers or field extractors create custom fields.
Case Modifiers and Case-Insensitivity
Use the vertical bar symbol | to apply a modifier.
Syslog Watcher provides two modifiers that convert the casing of a field's text: UPPER and lower. Either modifier can be used to make case-insensitive comparisons. The example below uses lower to filter messages that contain the word "blocked" in any casing: Blocked, BLOCKED, blocked, etc.
{MESSAGE|lower} CONTAINS "blocked"
Regular Expression Operators
Complex filters support regular expressions through the RE_CONTAINS and RE_MATCHES operators and their case-insensitive equivalents, RE_CONTAINS_I and RE_MATCHES_I.
The RE_MATCHES and RE_MATCHES_I operators compare the entire field against the expression. The RE_CONTAINS and RE_CONTAINS_I operators trigger if any part of the field satisfies the expression.
{MESSAGE} RE_CONTAINS ".+\@.+\..+"
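As an added worked example (not Syslog Watcher's own code and not taken from its documentation), the following Python module tokenizes and evaluates filter expressions written in the syntax described on this page: {FIELD} and {$FIELD} names with the |UPPER and |lower modifiers, doubled "" escapes inside quoted values, the comparison operators shown above, the four RE_* operators, and/or, and parentheses. It makes three assumptions the page does not state: and binds tighter than or (prefer explicit parentheses, as in the page's own example), > orders the quoted strings lexicographically rather than numerically, and the RE_* operators follow the semantics of Python's re module. The SAMPLE_RECORDS are constructed, and the names tokenize, Parser, evaluate and apply_filter were chosen for this example.

```python
import re

# Added example for this page's filter grammar, not Syslog Watcher's own parser. Assumed:
# 'and' binds tighter than 'or', '>' orders the quoted strings lexicographically, and the
# RE_* operators follow Python's re module.
FIELD_RE = re.compile(r'\{(\$?[A-Za-z_][A-Za-z0-9_]*)(?:\|(UPPER|lower))?\}')
VALUE_RE = re.compile(r'"((?:[^"]|"")*)"')                  # "" inside a value is one "
TOKEN_PATTERNS = (
    ('field', FIELD_RE, lambda m: (m.group(1), m.group(2))),       # (name, modifier)
    ('value', VALUE_RE, lambda m: m.group(1).replace('""', '"')),
    ('word', re.compile(r'[A-Za-z_]+|[=<>]+|[()]'), lambda m: m.group(0)),
)
COMPARE = {                                                  # (field text, quoted value)
    '=': lambda t, v: t == v,
    '>': lambda t, v: t > v,
    'STARTS_WITH': lambda t, v: t.startswith(v),
    'CONTAINS': lambda t, v: v in t,
    'RE_CONTAINS': lambda t, v: re.search(v, t) is not None,            # any part
    'RE_CONTAINS_I': lambda t, v: re.search(v, t, re.I) is not None,
    'RE_MATCHES': lambda t, v: re.fullmatch(v, t) is not None,          # entire field
    'RE_MATCHES_I': lambda t, v: re.fullmatch(v, t, re.I) is not None,
}

def tokenize(text):
    """Split one filter line into (kind, value) tokens."""
    tokens, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        for kind, pattern, convert in TOKEN_PATTERNS:
            m = pattern.match(text, i)
            if m:
                tokens.append((kind, convert(m)))
                i = m.end()
                break
        else:
            raise ValueError(f'unexpected character {text[i]!r} at offset {i}')
    return tokens

class Parser:            # expr = term ('or' term)*   term = factor ('and' factor)*
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else (None, None)
    def keyword(self, word):          # consume 'and' / 'or' when it comes next
        kind, val = self.take()
        if kind == 'word' and val.lower() == word:
            return True
        self.pos -= 1
        return False
    def chain(self, word, operand):   # operand (word operand)*
        node = operand()
        while self.keyword(word):
            node = (word, node, operand())
        return node
    def expr(self):
        return self.chain('or', lambda: self.chain('and', self.factor))
    def factor(self):
        kind, val = self.take()
        if (kind, val) == ('word', '('):
            node = self.expr()
            if self.take() != ('word', ')'):
                raise ValueError('missing closing parenthesis')
            return node
        if kind != 'field':
            raise ValueError(f'expected a {{FIELD}} but found {val!r}')
        (okind, op), (vkind, value) = self.take(), self.take()
        if okind != 'word' or op not in COMPARE or vkind != 'value':
            raise ValueError(f'expected OPERATOR "value" after {{{val[0]}}}, found {op!r} {value!r}')
        return ('cmp', val[0], val[1], op, value)

def evaluate(node, record):
    """Evaluate a parsed filter against one record (field name -> text)."""
    if node[0] == 'or':
        return evaluate(node[1], record) or evaluate(node[2], record)
    if node[0] == 'and':
        return evaluate(node[1], record) and evaluate(node[2], record)
    _, name, modifier, op, value = node
    text = str(record.get(name, ''))      # a missing field compares as empty text
    text = {'UPPER': str.upper, 'lower': str.lower}.get(modifier, str)(text)
    return COMPARE[op](text, value)

def apply_filter(filter_text, records):
    """Return the indices of the records that the filter accepts."""
    parser = Parser(tokenize(filter_text))
    node = parser.expr()
    if parser.pos != len(parser.toks):
        raise ValueError('unexpected tokens after the end of the filter')
    return [i for i, rec in enumerate(records) if evaluate(node, rec)]

SAMPLE_RECORDS = [   # constructed sample data, not real syslog traffic
    {'APPNAME': 'server', 'MSGID': '500', 'MESSAGE': 'Connection from 10.0.0.5 BLOCKED by policy'},
    {'APPNAME': 'client-01', 'MSGID': '200', 'MESSAGE': 'session opened for admin@example.com'},
    {'APPNAME': 'server', 'MSGID': '300', 'MESSAGE': 'begin "quoted part" end'},
    {'APPNAME': 'dbserver', 'MSGID': '999', 'MESSAGE': 'blocked write on table users', '$TABLE': 'users'},
]
```

Running the page's own examples through apply_filter against SAMPLE_RECORDS shows the behaviour the sections above describe: the compound expression with parentheses accepts only the first record, the doubled-quote value accepts the record whose message contains begin "quoted part" end, and {MESSAGE|lower} CONTAINS "blocked" accepts both the BLOCKED and the blocked message. The difference between the two regular-expression operator families is visible on the last record: {APPNAME} RE_CONTAINS "server" accepts dbserver because part of the field matches, while {APPNAME} RE_MATCHES "server" rejects it because the entire field must match. Malformed input such as an unbalanced parenthesis or an unquoted value raises ValueError instead of silently matching nothing.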