Filter Expression Syntax
A complex filter allows you to set the filtering parameters very flexibly.
Tip: To filter by severity level, or by syslog originator/group, use the standard message filter for better performance.
Syntax Overview
A filter expression can include fields, comparison operators, logicals (and/or/not), and parentheses.
A simple comparison expression contains:
1. A field name (with optional modifiers) in braces, e.g. {APPNAME}
2. A comparison operator, e.g. STARTS_WITH
3. A text value in double quotes, e.g. "server", or a number value, e.g. 404
Escaping Double Quotes
Double each double quotation mark that is part of a value.
Standard Fields {...}
The field names correspond to the syslog message attributes or are extracted from the message body by a syslog parser.
Custom Fields {$...}
Names of custom fields start with $. Parsers or field extractors create custom fields.
Case Modifiers and Case-Insensitivity
Info: Use a vertical bar symbol | to apply a modifier.
Syslog Watcher provides two modifiers to convert the casing of a field text: UPPER and lower. Either modifier can be used to make case-insensitive comparisons. The example below shows the usage of lower to filter messages that contain the word "blocked" in any casing: Blocked, BLOCKED, blocked, etc.
Regular Expression Operators
Complex filters support regular expressions through the RE_CONTAINS and RE_MATCHES operators and their case-insensitive equivalents, RE_CONTAINS_I and RE_MATCHES_I.
The RE_MATCHES and RE_MATCHES_I operators compare the entire field with the expression; the RE_CONTAINS and RE_CONTAINS_I operators trigger if any part of the field satisfies the expression.
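As an added example (not Syslog Watcher's own code), the following Python evaluator implements the simple comparison form described above: a braced field with an optional UPPER/lower modifier, one of the operators named on this page, and a double-quoted value with doubled quotes as the escape, or a bare number. It assumes messages are plain dicts keyed by field name (custom fields keep their leading $), that STARTS_WITH is a literal prefix test, and that Python's re dialect stands in for whatever regex engine Syslog Watcher uses.

```python
import re

# Operators named on the page. Python's re is an assumption (the page does not
# name a regex dialect); STARTS_WITH semantics are read from the operator name.
OPS = {
    "STARTS_WITH": lambda f, v: f.startswith(v),
    "RE_CONTAINS": lambda f, v: re.search(v, f) is not None,
    "RE_CONTAINS_I": lambda f, v: re.search(v, f, re.IGNORECASE) is not None,
    "RE_MATCHES": lambda f, v: re.fullmatch(v, f) is not None,
    "RE_MATCHES_I": lambda f, v: re.fullmatch(v, f, re.IGNORECASE) is not None,
}
MODIFIERS = {"UPPER": str.upper, "lower": str.lower}

# One simple comparison: {FIELD}, {FIELD|modifier} or {$custom}, an operator,
# then a double-quoted text value (doubled "" inside) or a bare number.
COMPARISON = re.compile(
    r'^\s*\{(?P<field>\$?\w+)(?:\|(?P<mod>UPPER|lower))?\}\s*'
    r'(?P<op>[A-Z_]+)\s*(?P<value>"(?:[^"]|"")*"|-?\d+)\s*$'
)


def parse_comparison(expr):
    """Split a simple comparison into (field, modifier, operator, value)."""
    m = COMPARISON.match(expr)
    if not m:
        raise ValueError(f"not a simple comparison: {expr!r}")
    raw = m.group("value")
    if raw.startswith('"'):
        value = raw[1:-1].replace('""', '"')  # undo the doubled-quote escape
    else:
        value = raw  # numbers are compared in their text form (assumption)
    op = m.group("op")
    if op not in OPS:
        raise ValueError(f"unknown operator: {op}")
    return m.group("field"), m.group("mod"), op, value


def evaluate(expr, message):
    """Apply one comparison to a message given as a field-name -> text dict."""
    field, mod, op, value = parse_comparison(expr)
    text = message.get(field)  # custom fields are keyed with their leading $
    if text is None:
        return False  # a missing field never satisfies the filter (assumption)
    text = str(text)
    if mod:
        text = MODIFIERS[mod](text)
    return OPS[op](text, value)


# Constructed sample message, not a real capture.
SAMPLE = {"APPNAME": "sshd[4212]", "MESSAGE": 'Login BLOCKED for "root"',
          "$srcip": "10.0.0.7", "STATUS": 404}
```

The lower modifier and the _I operators are two ways to get the same case-insensitive match; the RE_MATCHES case shows why a partial pattern fails when the whole field is compared.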