Filter syntax

The described syntax rules apply to the Dimension filters and Output filters in the alert definition wizard.

Filtering on numeric fields

The following syntax can be used for numeric fields:

A single numeric value

To match one particular value.

All numbers less than the specified value

Use a less-than sign “<” followed by the number. For example, <400 means all values less than 400.

All numbers greater than the specified value

Use a greater-than sign “>” followed by the number. For example, >400 means all values greater than 400.

All numbers less than or equal to the specified value

Use a less-than sign “<” followed by an equal sign “=” and the number. For example, <=400 means all values less than or equal to 400.

All numbers greater than or equal to the specified value

Use a greater-than sign “>” followed by an equal sign “=” and the number. For example, >=400 means all values greater than or equal to 400.

A range of numbers

Use a dash to specify a range of numbers, including the numbers at both ends of the interval. For example, 127-255 means all values between 127 and 255, including 127 and 255.

A negative condition

Use a tilde character “~” to match all values except those that conform to the specified pattern. For example, ~400 will filter all values that are not 400.

Logical disjunction (OR) of your match conditions

Use a pipe symbol “|” to filter values that match one of the specified conditions. For example, 400|500 will filter all values that are 400 or 500.

Enumeration of values to match

Use a comma to enumerate values.

Any value

An empty pattern means there is no filter and all values will be accepted.

Value range suffixes

You can also use suffixes k, M, G, T for kilo, mega, giga, and tera.

Filtering on text fields

The following syntax can be used for text fields:

Match any string containing the specified pattern

If you specify an unquoted string, it will be matched with all strings that contain that substring. For example, RG will filter all strings containing RG, such as RG_1, BUSS_RG, BG_RG_3.

Match a string exactly

If you enclose the string you specify in quotation marks ("), it will be matched exactly; that is, it will only filter that string and not strings that contain it. For example, "RG_2".

Any character

If in a given place in your pattern you want to relax your match condition to match any character, use a question mark “?”. For example, A?B will match ABC as well as ACC.

Any substring

If in a given place in your pattern you want to relax your match condition to match any substring, use the asterisk character “*”. For example, *RG will filter all strings ending with RG and RG* will filter all strings starting with RG.

A negative condition

You can request to match all strings except those that conform to the specified pattern. To do this, precede your pattern with the tilde character “~”. For example, ~WWW will filter all strings that do not contain substring WWW.

Logical disjunction (OR) of your match conditions

To filter a string that matches one of the specified strings, use a pipe symbol “|”. For example, WWW|HTTP will filter all strings containing WWW or HTTP.

Logical conjunction (AND) of your match conditions

To filter a string that matches all of the specified strings, use an ampersand “&”. For example, WWW&HTTP will filter all strings containing WWW and HTTP.

Enumeration of strings to match

Use a comma to enumerate values.

Match any string

An empty string means there is no filter and all values will be accepted. This is equivalent to specifying a single asterisk “*”.

You can combine conditional syntax with logical syntax, as shown in the example below:

Example of combined filter syntax

Let us assume that you need to filter out the following services:

  • SMTP_PROD
  • DNS
  • FTP
  • HTTP

For that purpose, type the following expression in the :

~SMTP_PROD & ~DNS & ~FTP & ~HTTP
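
The combined expression above, worked through in an added Python sketch of the text-field rules on this page (not the product's own matcher): because unquoted terms are substring matches, the expression also drops services whose names merely contain FTP or HTTP, while quoted terms drop only the exact names. Assumptions: the extra service names are constructed, "&" binds tighter than "|", a comma is treated as OR, a tilde may precede a quoted string, and a pattern containing "*" is anchored to the whole string.

```python
import re

# Constructed sample: the four services from the example plus look-alike names.
SAMPLE_SERVICES = ["SMTP_PROD", "DNS", "FTP", "HTTP",
                   "HTTPS_SHOP", "SFTP_BACKUP", "LDAP"]

def _term(term):
    """Compile one term (optional ~, quoted or unquoted) into a predicate."""
    term = term.strip()
    negate = term.startswith("~")
    if negate:
        term = term[1:].strip()
    if len(term) >= 2 and term[0] == term[-1] == '"':
        body = term[1:-1]
        test = lambda s: s == body              # quoted: exact match only
    else:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                     for c in term)
        pat = re.compile(rx, re.DOTALL)
        # Assumption: with '*' the pattern covers the whole string (*RG, RG*);
        # without it the term is a substring match, as for plain RG.
        find = pat.fullmatch if "*" in term else pat.search
        test = lambda s: find(s) is not None
    return (lambda s: not test(s)) if negate else test

def compile_filter(expr):
    """Return a predicate for a text-field filter expression."""
    if not expr.strip():
        return lambda s: True                   # empty pattern accepts all
    # Assumption: '&' groups first, then '|' or ',' between groups.
    # Limitation: operator characters inside quotes are not supported.
    groups = [[_term(t) for t in alt.split("&")]
              for alt in re.split(r"[|,]", expr)]
    return lambda s: any(all(p(s) for p in g) for g in groups)

def surviving(expr, names):
    """Names that pass the filter, in input order."""
    keep = compile_filter(expr)
    return [n for n in names if keep(n)]

if __name__ == "__main__":
    unquoted = "~SMTP_PROD & ~DNS & ~FTP & ~HTTP"
    quoted = '~"SMTP_PROD" & ~"DNS" & ~"FTP" & ~"HTTP"'
    print(surviving(unquoted, SAMPLE_SERVICES))  # look-alikes dropped too
    print(surviving(quoted, SAMPLE_SERVICES))    # only exact names dropped
```

Comparing the two results against a list of real service names before saving an alert shows whether a negated substring silently removes services that should still be monitored.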

Filtering on IP address fields

The following syntax can be used for IP address fields: #.#.#.#, where # is any integer from 0 to 255. You can also use an asterisk * instead of a number.

Address types IPv4 and IPv6 are both supported.