Filter
Description
This unit is a Processor unit.
This unit filters inbound events based on a true/false condition set in the unit properties.
An inbound event is received through the in port. Then, the event is evaluated against the unit's condition. If the result is true, the event is sent to the out output port. If the result is false, the event is sent to the discarded output port. If the evaluation produces an error, the event is sent to the error port.
Configuration
After dragging this unit into the Flow canvas, double-click it to access its configuration options. The following table describes the configuration options of this unit:
Tab | Field | Description |
---|---|---|
General | Name | Enter a name for the unit. It must start with a letter, and cannot contain spaces. Only letters, numbers, and underscores are allowed. |
Description | Enter a description detailing the scope of the unit. | |
Language | Specify the language you will use to write the expression in the Predicate, e.g. Javascript, Groovy, etc. | |
Predicate | The condition you wish to evaluate. Open the expression editor to type an expression, stating the input fields and the condition you wish to apply to each. |
Input ports
Port | Description |
---|---|
in | All events enter through this port. |
Output ports
Port | Description |
---|---|
out | This port outputs only those events for which the unit's condition is "true". |
discarded | This port outputs only those events for which the unit's condition is "false". |
error | This port outputs events that generated an error when evaluated against the condition. Standard error fields (error, exception) are added to the output events. |
Example
In this example, we want to send events related to a single user in our domain from the siem.logtrust.web.activity table to a new my.app table.
To do it, we will use a Devo source unit to get events from the siem.logtrust.web.activity table. Then, we will link it to a Filter unit that will only send events containing the email of the required user. Finally, we will link its out output port to a Devo sink unit to send the filtered events to a my.app table.
In the Filter unit settings, we add the following predicate to remove null values in the username column and filter only events related to a specific user mail:
username != null && username.equals("user_mail")
Download this example
You can try this flow by downloading this JSON and uploading it to your domain using the Import option: