Complex Filter Syntax
A complex filter allows you to set the filtering parameters very flexibly.
To filter by time period, severity level, or syslog originator/group, use the main filter parameters for better performance.
Syntax Overview
A filter expression can include fields, comparison operators, logicals (and/or/not), and parentheses.
({APPNAME} = "server" or {APPNAME} STARTS_WITH "client") and {MSGID} > 404
A simple comparison expression contains:
- A field name (with optional modifiers) in braces, e.g. {APPNAME}
- A comparison operator, e.g. STARTS_WITH
- A text value in double quotes, e.g. "server", or a number value, e.g. 404
Escaping Double Quotes
Double each double quotation mark that is part of a value.
{MESSAGE} CONTAINS "begin ""quoted part"" end"
Standard Fields {...}
The field names correspond to the syslog message attributes or are extracted from the message body by a syslog parser.
Custom Fields {$...}
Names of custom fields start with the $ character. Parsers or field extractors create custom fields.
Case Modifiers and Case-Insensitivity
Use the vertical bar symbol | to apply a modifier.
Syslog Watcher provides two modifiers that convert the casing of a field's text: UPPER and lower. Either modifier can be used to make a comparison case-insensitive. The example below uses lower to filter messages that contain the word "blocked" in any casing: Blocked, BLOCKED, blocked, etc.
{MESSAGE|lower} CONTAINS "blocked"
Regular Expression Operators
Complex filters support regular expressions through the RE_CONTAINS and RE_MATCHES operators and their case-insensitive equivalents, RE_CONTAINS_I and RE_MATCHES_I.
The RE_MATCHES and RE_MATCHES_I operators compare the entire field with the expression. The RE_CONTAINS and RE_CONTAINS_I operators trigger if any part of the field satisfies the expression.
{MESSAGE} RE_CONTAINS ".+\@.+\..+"
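The following is an added example, not Syslog Watcher's own code: a small parser and evaluator for the filter grammar described on this page (fields in braces with UPPER/lower modifiers, custom {$...} fields, doubled-quote escaping, and/or/not with parentheses, and the RE_CONTAINS/RE_MATCHES family) run against two constructed log records. Assumptions not stated by the page: the precedence not > and > or, the extra operators !=, <=, >= and ENDS_WITH, that a comparison on an absent field is false, and that a message is represented as a dict keyed by field name (the $host key stands in for a parser-created custom field).

```python
import operator
import re

# Constructed sample records (not from the original page); keys are the names used inside braces.
SAMPLE_MESSAGES = [
    {"APPNAME": "server", "MSGID": 500, "MESSAGE": "User login BLOCKED for admin@example.com", "$host": "web01"},
    {"APPNAME": "client-app", "MSGID": 200, "MESSAGE": 'begin "quoted part" end', "$host": "web02"},
]
_TOKEN = re.compile(r"""
      (?P<field>\{[^}]+\})            # {NAME} or {NAME|modifier}; custom fields are {$name}
    | (?P<string>"(?:[^"]|"")*")      # "text", with "" as an escaped double quote
    | (?P<number>-?\d+)
    | (?P<paren>[()])
    | (?P<logic>\b(?:and|or|not)\b)
    | (?P<op>[<>]=?|!=|=|[A-Z_]+)     # =, >, STARTS_WITH, RE_CONTAINS_I, ...
    | (?P<ws>\s+)
    | (?P<bad>.)""", re.VERBOSE)      # anything else becomes a 'bad' token and fails parsing
_MODIFIERS = {"UPPER": str.upper, "lower": str.lower}
_NUMERIC = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
            ">=": operator.ge, "=": operator.eq, "!=": operator.ne}
_TEXT = {"=": str.__eq__, "!=": str.__ne__, "CONTAINS": str.__contains__,
         "STARTS_WITH": str.startswith, "ENDS_WITH": str.endswith}

def parse(text):
    """Recursive descent, lowest precedence first: or, then and, then not / ( ) / comparison."""
    toks = [(m.lastgroup, m.group()) for m in _TOKEN.finditer(text) if m.lastgroup != "ws"]
    toks.append((None, None))                        # sentinel marks the end of input
    pos = [0]
    def take(kind):                                  # consume one token of the given kind
        seen, raw = toks[pos[0]]
        if seen != kind:
            raise ValueError(f"expected {kind}, got {raw!r}")
        pos[0] += 1
        return raw
    def binary(word, operand):                       # left-associative 'or' / 'and' chain
        node = operand()
        while toks[pos[0]] == ("logic", word):
            pos[0] += 1
            node = (word, node, operand())
        return node
    def expr():
        return binary("or", lambda: binary("and", unary))
    def unary():
        if toks[pos[0]] == ("logic", "not"):
            pos[0] += 1
            return ("not", unary())
        if toks[pos[0]] == ("paren", "("):
            pos[0] += 1
            node = expr()
            if take("paren") != ")":
                raise ValueError("expected ')'")
            return node
        field, op, (kind, raw) = take("field"), take("op"), toks[pos[0]]
        if kind == "string":
            literal = raw[1:-1].replace('""', '"')   # undo the doubled-quote escaping
        elif kind == "number":
            literal = int(raw)
        else:
            raise ValueError(f"expected a value, got {raw!r}")
        pos[0] += 1
        return ("cmp", field, op, literal)
    tree = expr()
    if toks[pos[0]] != (None, None):
        raise ValueError(f"trailing input: {toks[pos[0]][1]!r}")
    return tree

def _compare(field_spec, op, literal, msg):
    """Evaluate one comparison such as ('{MESSAGE|lower}', 'CONTAINS', 'blocked')."""
    name, *mods = [p.strip() for p in field_spec[1:-1].split("|")]
    value = msg.get(name)
    if value is None:
        return False                                 # an absent field never matches (assumption)
    for mod in mods:
        value = _MODIFIERS[mod](str(value))          # KeyError for an unknown modifier
    if isinstance(literal, int):                     # numeric comparison, e.g. {MSGID} > 404
        try:
            return _NUMERIC[op](int(value), literal) # KeyError for a text operator on a number
        except (TypeError, ValueError):
            return False                             # field value is not numeric
    text = str(value)
    if op in _TEXT:
        return _TEXT[op](text, literal)
    base, flags = (op[:-2], re.IGNORECASE) if op.endswith("_I") else (op, 0)
    if base == "RE_MATCHES":                         # the entire field must match
        return re.fullmatch(literal, text, flags) is not None
    if base == "RE_CONTAINS":                        # any part of the field may match
        return re.search(literal, text, flags) is not None
    raise ValueError(f"unsupported operator {op!r}")

def evaluate(node, msg):
    """Evaluate a parsed tree against one message dict."""
    if node[0] == "cmp":
        return _compare(node[1], node[2], node[3], msg)
    if node[0] == "not":
        return not evaluate(node[1], msg)
    left = evaluate(node[1], msg)                    # short-circuit: 'and' continues on a true
    return evaluate(node[2], msg) if left == (node[0] == "and") else left  # left, 'or' on a false

def filter_messages(expression, messages=SAMPLE_MESSAGES):
    """Indexes of the messages that satisfy the filter expression."""
    tree = parse(expression)
    return [i for i, m in enumerate(messages) if evaluate(tree, m)]
```

With the constructed records, the page's own expressions behave as described: the first example keeps only the "server" record with MSGID 500, the doubled-quote example matches the record whose message literally contains begin "quoted part" end, {MESSAGE|lower} CONTAINS "blocked" matches the upper-cased BLOCKED while the unmodified form does not, and the RE_CONTAINS e-mail pattern matches the record carrying an address. Note that RE_MATCHES is implemented with re.fullmatch, so a pattern that only describes part of the field fails under RE_MATCHES but succeeds under RE_CONTAINS.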