
Filter

Description

This unit is a Processor unit.

This unit filters inbound events based on a true/false condition set in the unit properties.

An inbound event is received through the in port. Then, the event is evaluated against the unit's condition. If the result is true, the event is sent to the out output port. If the result is false, the event is sent to the discarded output port. If the evaluation produces an error, the event is sent to the error port.

Configuration

After dragging this unit into the Flow canvas, double-click it to access its configuration options. The following table describes the configuration options of this unit:

Tab | Field | Description
General | Name | Enter a name for the unit. It must start with a letter and cannot contain spaces. Only letters, numbers, and underscores are allowed.
General | Description | Enter a description detailing the scope of the unit.
General | Language | Specify the language you will use to write the expression in the Predicate field, for example JavaScript or Groovy.
General | Predicate | The condition you wish to evaluate. Open the expression editor to type an expression, stating the input fields and the condition you wish to apply to each.

Input ports

Port | Description
in | All events enter through this port.

Output ports

Port | Description
out | This port outputs only those events for which the unit's condition is "true".
discarded | This port outputs only those events for which the unit's condition is "false".
error | This port outputs events that generated an error when evaluated against the condition. Standard error fields (error, exception) are added to the output events.

Example

In this example, we want to send events related to a single user in our domain from the siem.logtrust.web.activity table to a new my.app table. 

To do it, we will use a Devo source unit to get events from the siem.logtrust.web.activity table. Then, we will link it to a Filter unit that will only send events containing the email of the required user. Finally, we will link its out output port to a Devo sink unit to send the filtered events to a my.app table.

In the Filter unit settings, we add the following predicate to exclude events with a null username and keep only events related to a specific user's email:

username != null && username.equals("user_mail")
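To make the three-way routing described above (true to out, false to discarded, evaluation error to error) concrete, here is a small JavaScript simulation of the Filter unit. It is an added example, not Devo code: the events, field names and mail address are constructed, the page's predicate is rewritten in JavaScript idiom (`===` in place of the Java-style `.equals`), and an unguarded variant shows why the null check matters.

```javascript
// Added example (not Devo's code): simulates the Filter unit's routing.
// The predicate is a function of the event; its outcome picks the port:
//   true -> out, false -> discarded, thrown exception -> error.
// Field names and the mail address below are constructed sample values.

// Constructed sample events, as they might arrive on the "in" port.
const SAMPLE_EVENTS = [
  { eventdate: "2024-01-01T10:00:00Z", username: "user@example.com" },
  { eventdate: "2024-01-01T10:00:01Z", username: "other@example.com" },
  { eventdate: "2024-01-01T10:00:02Z", username: null },
];

// The page's predicate in JavaScript idiom: the null guard short-circuits,
// so an event with a null username evaluates to false and is discarded.
const guardedPredicate = (e) =>
  e.username != null && e.username === "user@example.com";

// Same intent without the guard: calling a method on null throws, so the
// null-username event is routed to the error port instead of discarded.
const unguardedPredicate = (e) =>
  e.username.toLowerCase() === "user@example.com";

// Route every inbound event to exactly one of the three output ports.
function filterUnit(events, predicate) {
  const ports = { out: [], discarded: [], error: [] };
  for (const event of events) {
    try {
      // The unit only sees a true/false outcome, so coerce the result.
      (predicate(event) ? ports.out : ports.discarded).push(event);
    } catch (exc) {
      // Standard error fields (error, exception) are added to the event.
      ports.error.push({ ...event, error: exc.message, exception: exc.name });
    }
  }
  return ports;
}

// Number of events delivered to each port for a given predicate.
function portCounts(predicate) {
  const p = filterUnit(SAMPLE_EVENTS, predicate);
  return { out: p.out.length, discarded: p.discarded.length, error: p.error.length };
}

console.log("guarded:", portCounts(guardedPredicate));
console.log("unguarded:", portCounts(unguardedPredicate));
```

With the guard in place the null-username event lands on discarded; without it the same event lands on error carrying the exception details, which is the difference between a clean drop and an alert-worthy evaluation failure.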

Download this example

You can try this flow by downloading this JSON and uploading it to your domain using the Import option: