...

You can filter your data in several different ways:

Using the Operations over fields window

You can use this window to specify the arguments needed for the operation, following the procedure explained below:

  1. Select the Filter icon in the search window toolbar. The Operations over fields window appears with the Filter tab selected.

  2. Choose the required filter type in the Main operation dropdown list. For a detailed list of available operations in Devo, check Operations reference.

     You can click the icon next to the dropdown menu to filter the list of operations as required:

       • Operation type - Choose Normal if you want to display the values filtered, or Negated if you want to exclude the values filtered by the operation selected.

       • Operation category - Filter only Standard operations (default operations in Devo), Custom operations (operations defined by lookups), or All.

       • Sensitivity - Some operations have a case-sensitive and a case-insensitive version, for example, Contains - case insensitive (weakhas) and Contains (has, ->). Use these options to display only the sensitive or insensitive versions of these operations, or choose All to show both versions. Operations that don't have a sensitive and insensitive version will be visible regardless of the option selected. You can select the default option in your User preferences, and Admin users can do the same for all the users in the domain in their Domain preferences.

  3. Select the arguments of the selected filter operation by clicking the Add argument button. Depending on the filter type selected, you will be prompted to select a set of specific arguments.

     You can select fields or enter free text by clicking the icon shown below, as is sometimes required for an operation. For example, you might filter for URLs that contain the string bing.

     Additionally, you can include nested operations to modify the field values or the results of the main filter operation selected. Learn more about nested operations in Build a query in the search window.

  4. Click Filter when you're done. The data table will only show those events that meet the conditions of the filter applied.

Using the field header list of values

Select the arrow icon that appears when hovering over a field header to see the list of distinct values in that field, then click a value name. The Operations over fields window opens in the Filter tab with the Equal - case insensitive (eqic) operation selected. The field and value selected are automatically added as arguments of the filter.

...

Unnamed fields

This filter option is not available for unnamed fields with literals or expressions. See the examples below:

from siem.logtrust.web.activity
select responseTime*2

from siem.logtrust.web.activity
select 5
select "hello"

...

Alternatively, you can use a cell's content as filtering criteria to quickly include all the arguments needed for the operation. If you place the cursor over a cell on the data table and press Enter, the Operations over fields window will open with the Filter tab and the Equal - case insensitive (eqic) operation selected. The arguments will be automatically filled with the values of the cell and its field (ValueColumnField, Is equal to → Cell).

...


Using cell value to filter in a new tab

Watch video tutorial: http://youtube.com/watch?v=IAZbA-K4eIw

...

These separate searches are independent, so modifying or closing one does not affect the other. This gives more versatility in the workflow: you can work with different variables and outcomes separately, and you can perform the filter operation with just two clicks.

...

Filter on raw

In all data tables, the entire event is logged in a Raw field displaying event data as a string. This string will be logged as various names depending on the table: rawMessage, rawSource, or raw.

Use the Filter on raw field to search for keywords throughout the entire raw data field, instead of filtering by a specific field.

...

...

Naming protocol

Given the different names for raw fields, the LINQ expression will differ as follows (in order of search priority):

  1. where weaktoktains(rawMessage, "<value>")

  2. where weaktoktains(rawSource, "<value>")

  3. where weaktoktains(raw, "<value>")
