Filter Expression Syntax¶
A complex filter allows you to set the filtering parameters very flexibly.
Tip
To filter by severity level, or syslog originator/group, use the standard message filter for better performance.
Syntax Overview¶
A filter expression can include fields, comparison operators, logicals (and/or/not), and parentheses.
A simple comparison expression contains:
1. A field name (with optional modifiers) in braces, e.g. {APPNAME}
1. A comparison operator, e.g. STARTS_WITH
1. A text value in double quotes, e.g. "server" or a number value, e.g. 404
Escaping Double Quotes¶
Double each double quotation mark that is a part of a value.
Standard Fields {...}¶
The field names correspond to the syslog message attributes or are extracted from the message body by a syslog parser.
Custom Fields {$...}¶
Names of custom fields start with the $. Parsers or field extractors create custom fields.
Case Modifiers and Case-Insensitivity¶
Info
Use a vertical bar symbol | to apply a modifier.
Syslog Watcher provides two modifiers to convert the casing of a field text: UPPER and lower. Any one of these modifiers can be used to make case-insensitive comparisons. The example below shows the usage of lower to filter messages that contain the word "blocked" in any casing: Blocked, BLOCKED, blocked, etc.
Regular Expression Operators¶
Complex filters support of regular expression through RE_CONTAINS and RE_MATCHES operators and their case-insensitive equivalents: RE_CONTAINS_I and RE_MATCHES_I.
RE_MATCHESandRE_MATCHES_Ioperators compare the entire field with the expression.RE_CONTAINSandRE_CONTAINS_Ioperators trigger if part of the field satisfies the expression.