Complex Filter Syntax

A complex filter allows you to filter with great flexibility.

To filter by time period, severity level, or syslog originator/group, use the main filter parameters for better performance.

Syntax Overview

A filter expression can include fields, comparison operators, logical operators (and/or/not), and parentheses.

Example 1:
({APPNAME} = "server" or {APPNAME} STARTS_WITH "client") and {MSGID} > 404

A simple comparison expression contains:

  1. A field name (with optional modifiers) in braces, e.g. {APPNAME}

  2. A comparison operator, e.g. STARTS_WITH

  3. A text value in double quotes, e.g. "server" or a number value, e.g. 404

Escaping Double Quotes

Double each double quotation mark that is a part of a value.

Example 2:
{MESSAGE} CONTAINS "begin ""quoted part"" end"

Standard Fields {…}

The field names correspond to the syslog message attributes or are extracted from the message body by a syslog parser.

Custom Fields {$…}

Names of custom fields start with $. Parsers or field extractors create custom fields.

Case Modifiers and Case-Insensitivity

Use a vertical bar symbol | to apply a modifier.

Syslog Watcher provides two modifiers that convert the casing of a field's text: UPPER and lower. Either modifier can be used to make a comparison case-insensitive. The example below uses lower to match messages that contain the word "blocked" in any casing: Blocked, BLOCKED, blocked, etc.

Example 3:
{MESSAGE|lower} CONTAINS "blocked"

Regular Expression Operators

Complex filters support regular expressions through RE_CONTAINS and RE_MATCHES operators and their case-insensitive equivalents: RE_CONTAINS_I and RE_MATCHES_I.

  • RE_MATCHES and RE_MATCHES_I operators compare the entire field with the expression.

  • RE_CONTAINS and RE_CONTAINS_I operators trigger if part of the field satisfies the expression.

Example 4: The simplest way to check for an email address in a message
{MESSAGE} RE_CONTAINS ".+\@.+\..+"
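The following is an added example, not Syslog Watcher's own code: a small evaluator for the grammar described on this page (fields in braces with UPPER/lower modifiers, doubled-quote escaping, the comparison and regular-expression operators, and/or/not and parentheses), so that Examples 1 to 4 can be tried against sample messages. It assumes a message is a Python dict keyed by field name, that "and" binds tighter than "or", and that "<" is available by analogy with ">".

```python
import re
# Added example (not Syslog Watcher's own code): an evaluator for the filter grammar on this
# page. Assumed: msg is a dict keyed by field name ("APPNAME", "$ip"); "and" binds tighter than "or".
TOKEN = re.compile(r'\s*(?:\{(\$?\w+)(?:\|(UPPER|lower))?\}|"((?:[^"]|"")*)"'
                   r'|(-?\d+(?:\.\d+)?)|([A-Za-z_]+|[=<>()]))')
_re = lambda fn, flags=0: (lambda a, b: fn(b, a, flags) is not None)
OPS = {
    "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,  # "<" assumed
    "STARTS_WITH": str.startswith, "CONTAINS": lambda a, b: b in a,
    "RE_CONTAINS": _re(re.search), "RE_MATCHES": _re(re.fullmatch),
    "RE_CONTAINS_I": _re(re.search, re.I), "RE_MATCHES_I": _re(re.fullmatch, re.I),
}
def tokenize(text):
    toks, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 10]!r}")
        field, mod, quoted, num, word = m.groups(); pos = m.end()
        if field: toks.append(("FIELD", (field, mod)))
        elif quoted is not None: toks.append(("STR", quoted.replace('""', '"')))  # undo doubling
        elif num: toks.append(("NUM", float(num)))
        else: toks.append(("OP", word))  # comparison operator, and/or/not, or a parenthesis
    return toks
class Filter:
    # Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    # factor := 'not' factor | '(' expr ')' | FIELD OP VALUE. Both sides of and/or are always parsed.
    def __init__(self, text): self.toks, self.i = tokenize(text), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self): tok = self.peek(); self.i += 1; return tok
    def matches(self, msg):
        self.i = 0; ok = self.expr(msg)
        assert self.i == len(self.toks), "unexpected trailing tokens"; return ok
    def expr(self, msg): return self._chain("or", self.term, msg)
    def term(self, msg): return self._chain("and", self.factor, msg)
    def _chain(self, word, sub, msg):
        ok = sub(msg)
        while self.peek() == ("OP", word):
            self.take(); rhs = sub(msg); ok = (ok or rhs) if word == "or" else (ok and rhs)
        return ok
    def factor(self, msg):
        kind, val = self.take()
        if kind == "OP" and val == "not": return not self.factor(msg)
        if kind == "OP" and val == "(": ok = self.expr(msg); assert self.take() == ("OP", ")"), "missing ')'"; return ok
        assert kind == "FIELD", f"expected a field in braces, got {val!r}"
        (field, mod), op, value = val, self.take()[1], self.take()[1]
        actual = str(msg.get(field, ""))
        if isinstance(value, float):  # numeric comparison; a non-numeric field never matches
            try: return OPS[op](float(actual), value)
            except ValueError: return False
        return OPS[op]({"UPPER": str.upper, "lower": str.lower}.get(mod, str)(actual), value)
```

Filter(text).matches(msg) returns True or False for one message; a malformed filter raises ValueError (bad token) or AssertionError (bad structure) rather than silently matching nothing.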