
The Advanced Filter query syntax can be used to create more complex filters for Alerts and Situations.

This syntax combines column display names with the query operators commonly used in filters. The column parameters and their associated operators are listed in the sections below.

Please note: the Advanced Filter query syntax uses the display column names (those shown in the UI) rather than the database column names.

Alert Column Parameters

Column Display Name        Associated Operators
Active Situations          IN, CONTAINS, =, !=
Alert Id                   >, >=, <, <=, !=, IN
Agent Name                 MATCHES, =, !=
Agent Host                 MATCHES, =, !=
Class                      MATCHES, =, !=
Count                      >, >=, <, <=, !=
Description                MATCHES, =, !=
Entropy                    >, >=, <, <=, !=
External ID                MATCHES, =, !=
First Event Time           >, >=, <, <=
Host                       MATCHES, =, !=
Internal Last Event Time   >, >=, <, <=
Last Change                >, >=, <, <=
Last Event Time            >, >=, <, <=
Manager                    MATCHES, =, !=
Owned By                   IN, =, !=
Severity                   IN, =, !=
Significance               IN, =, !=
Situations                 IN, CONTAINS, =, !=
Source ID                  MATCHES, =, !=
Status                     IN, =, !=
Type                       MATCHES, =, !=

Situation Column Parameters

Column Display Name        Associated Operators
Category                   MATCHES, =, !=
Created At                 >, >=, <, <=
Description                MATCHES, =, !=
First Event Time           >, >=, <, <=
ID                         >, >=, <, <=, !=, IN
Last Change                >, >=, <, <=
Last Event Time            >, >=, <, <=
Owned By                   IN, =, !=
Participants               >, >=, <, <=, !=
Process Impacted           IN, CONTAINS, =, !=
Scope Trend                >0, <=0
Services Impacted          IN, CONTAINS, =, !=
Sev Trend                  >0, <=0
Severity                   IN, =, !=
Status                     IN, =, !=
Story                      >, >=, <, <=, !=
Teams                      IN, CONTAINS, =, !=
Total Alerts               >, >=, <, <=, !=
User Comments              >, >=, <, <=, !=

The associated operators are described in the tables below.

Comparison Operators

=     Equal to
      Example: 'Alert Id' = 120
      Result: Alerts which have an Alert Id of 120
<>    Not equal to (the column parameter lists above write this operator as !=)
      Example: 'Alert Id' <> 120
      Result: Alerts which do not have an Alert Id of 120
>     Greater than
      Example: ID > 100
      Result: Situations where the Situation Id is greater than 100
<     Less than
      Example: ID < 100
      Result: Situations where the Situation Id is less than 100
>=    Greater than or equal to
      Example: ID >= 100
      Result: Situations where the Situation Id is greater than or equal to 100
<=    Less than or equal to
      Example: ID <= 100
      Result: Situations where the Situation Id is less than or equal to 100

Literal Operators

' ' or " "   Single or double quotation marks delimit a string value (and any column name that contains a space)
             Example: description = "test"
             Result: Situations whose description is 'test'
( )          List of items
             Example: teams = (1,2,3)
             Result: Situations that are assigned to teams 1, 2 and 3 (and only 1, 2 and 3)

Logical Operators

AND   Combines conditions; every condition must be true
      Example: ID < 100 AND queue = 4
      Result: Situations where the Situation Id is less than 100 and the queue is 4 (both must be true)
OR    Combines conditions; at least one condition must be true
      Example: ID < 100 OR queue = 4
      Result: Situations where either the Situation Id is less than 100 or the queue is 4
NOT   Reverses the meaning of the operator it precedes, e.g. NOT IN, IS NOT NULL
      Example: queue NOT IN (1,2,3)
      Result: Situations where the queue is not 1, 2 or 3

Other Operators

IN          Compares a value against a list of specified values
            Example: queue IN (1,2,3)
            Result: Situations where the queue is 1, 2 or 3
IS NULL     True when the column has no value
            Example: queue IS NULL
            Result: Situations where there is no queue
MATCHES     Matches the regular expression
            Example: description MATCHES "test"
            Result: Situations where the description matches the regular expression "test"
ANY_MATCH   At least one element of a multi-valued column matches the regular expression
            Example: teams ANY_MATCH "team[0-9]+"
            Result: Situations where at least one team name matches the regular expression team[0-9]+
ALL_MATCH   Every element of a multi-valued column matches the regular expression
            Example: teams ALL_MATCH "team[0-9]+"
            Result: Situations where all team names match the regular expression team[0-9]+
CONTAINS    A multi-valued column contains all of the listed values
            Example: teams CONTAINS (1,2,3)
            Result: Situations whose teams include 1, 2 and 3

Creating an Advanced Filter

An Advanced Filter must contain at least one column name, an associated operator and a value, and the column name is always written to the left of the operator.

Important: If the column name or the value contains a space then it needs to be surrounded by single or double quotation marks (both " " and ' ' are accepted). This applies to columns such as External ID, Last Event Time, Last Change, Scope Trend etc. For example, 'External ID' MATCHES 01 or "External ID" MATCHES 01 are both valid.

It is also important to note that column names are case insensitive but the values are case sensitive. For example, 'severity' = 'Critical' is valid but 'severity' = 'critical' is not.

If the syntax is incorrect or invalid, the filter bar flashes (see the screenshot below):

For reference please see the examples and screenshots displayed below:

Example 1

Severity = 'Critical' AND Description = 'Desc1'

In this example, the filter shows all Alerts with 'Critical' severity and with the description 'Desc1':

Example 2

Severity = 'Critical' OR (Severity = 'Major' AND description = 'SocketLam Sigalised')

In this example, the filter shows all Alerts with 'Critical' severity, plus all Alerts with 'Major' severity whose description is 'SocketLam Sigalised' (the parentheses tie the 'Major' test to the description test):

Example 3

Type MATCHES 'Anomalyflag' AND Count = 1

In this example, the filter shows all Alerts whose Type matches the regular expression 'Anomalyflag' and whose Count is 1:

Quick tip: If you want to create a filter where the owner is empty, enter 'Owned By' = 'Moog'
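The operator tables and the creation rules above, applied by a small parser and evaluator written for this page. This is an added example, not Moogsoft code: it covers the comparison operators, IN, CONTAINS, MATCHES, NOT, AND, OR, parentheses and quoted column names, and makes assumptions the page does not state (MATCHES is an unanchored regular-expression search, AND binds tighter than OR, numbers compare numerically, multi-valued columns such as Situations hold lists). The sample alert rows are constructed for Examples 1 to 3, and apply_filter and the row layout are this example's own, not a Moogsoft API.

```python
import operator as o
import re

# Added example, not Moogsoft code: a parser and evaluator for this page's Advanced Filter
# syntax. Assumed, since the page does not say: MATCHES is an unanchored regex search, AND
# binds tighter than OR, numbers compare numerically, multi-valued columns hold Python lists.
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>'[^']*'|"[^"]*")|(?P<num>\d+(?:\.\d+)?)
    |(?P<op><>|!=|>=|<=|=|>|<|[(),])|(?P<kw>(?:AND|OR|NOT|IN|CONTAINS|MATCHES)\b)
    |(?P<word>[A-Za-z_]\w*)|(?P<bad>\S))""", re.VERBOSE | re.IGNORECASE)
COMPARE = {"=": o.eq, "!=": o.ne, "<>": o.ne, ">": o.gt, ">=": o.ge, "<": o.lt, "<=": o.le}

def tokenize(text):
    toks = []
    for m in TOKEN_RE.finditer(text):
        kind, lexeme = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise SyntaxError(f"unexpected {lexeme!r} at offset {m.start(kind)}")
        if kind == "str":                            # quoted: a column name with spaces, or a value
            lexeme = lexeme[1:-1]
        toks.append(("str" if kind == "word" else kind, lexeme.upper() if kind == "kw" else lexeme))
    return toks                                      # bare word = column name; "num" stays text

class Parser:                                        # precedence: OR < AND < ( ) / condition
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def accept(self, kind, val=None):                # consume the next token if it is the one wanted
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        hit = tok[0] == kind and val in (None, tok[1])
        self.i += hit
        return hit
    def expect(self, kind, val=None):
        if not self.accept(kind, val):
            raise SyntaxError(f"expected {val or kind} at token {self.i}")
        return self.toks[self.i - 1][1]
    def expr(self, level=0):                         # level 0: OR of ANDs; level 1: AND of terms
        node = self.term() if level == 2 else self.expr(level + 1)
        while level < 2 and self.accept("kw", ("OR", "AND")[level]):
            node = (("OR", "AND")[level], node, self.expr(level + 1))
        return node
    def term(self):                                  # a parenthesised sub-expression or a condition
        if not self.accept("op", "("):
            return self.condition()
        node = self.expr()
        self.expect("op", ")")
        return node
    def condition(self):                             # column name on the left, case-insensitive
        col = self.expect("str").lower()
        negate = self.accept("kw", "NOT")            # e.g. queue NOT IN (1,2,3)
        kind, op = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if kind not in ("op", "kw") or op not in (*COMPARE, "IN", "CONTAINS", "MATCHES"):
            raise SyntaxError(f"expected an operator after column {col!r}")
        self.i += 1
        node = (op, col, self.value(as_text=op == "MATCHES"))
        return ("NOT", node) if negate else node
    def value(self, as_text=False):                  # a string, a number, or a (a, b, c) list
        if self.accept("op", "("):
            vals = [self.value(as_text)]
            while self.accept("op", ","):
                vals.append(self.value(as_text))
            self.expect("op", ")")
            return vals
        if self.i < len(self.toks) and self.toks[self.i][0] == "str":
            return self.expect("str")
        return self.expect("num") if as_text else float(self.expect("num"))

def evaluate(node, row):                             # row: lower-cased display name -> scalar/list/None
    op = node[0]
    if op == "NOT":
        return not evaluate(node[1], row)
    if op in ("AND", "OR"):
        left = evaluate(node[1], row)
        return (left and evaluate(node[2], row)) if op == "AND" else (left or evaluate(node[2], row))
    actual, arg = row.get(node[1]), node[2]
    items, wanted = (x if isinstance(x, list) else [x] for x in (actual, arg))
    if op in ("IN", "CONTAINS"):                     # IN: some value is listed; CONTAINS: all listed present
        return any(i in wanted for i in items) if op == "IN" else all(w in items for w in wanted)
    if op == "MATCHES":                              # unanchored search: MATCHES 01 also hits "02-0001"
        return actual is not None and re.search(arg, str(actual)) is not None
    if isinstance(arg, list):                        # teams = (1,2,3): exactly that set, nothing more
        return COMPARE[op](set(items), set(arg))
    if isinstance(arg, float) and not isinstance(actual, (int, float)):
        return op in ("!=", "<>")                    # numeric operator, but no number in the row
    return COMPARE[op](actual, arg)                  # values are case-sensitive: 'critical' != 'Critical'

def apply_filter(text, rows, key="alert id"):
    p = Parser(text)
    tree = p.expr()                                  # parse once, then evaluate per row
    if p.i != len(p.toks):                           # e.g. a stray ')' or a missing AND/OR
        raise SyntaxError(f"unexpected {p.toks[p.i][1]!r} at token {p.i}")
    return [row[key] for row in rows if evaluate(tree, row)]

ALERTS = [  # constructed sample rows for this page's examples, keyed by lower-cased display name
    {"alert id": 120, "severity": "Critical", "description": "Desc1", "type": "Anomalyflag",
     "count": 1, "owned by": None, "situations": [10, 11], "external id": "01-4711"},
    {"alert id": 121, "severity": "Major", "description": "SocketLam Sigalised", "type": "Syslog",
     "count": 7, "owned by": "alice", "situations": [11], "external id": "02-0001"},
    {"alert id": 122, "severity": "Major", "description": "Desc1", "type": "Anomalyflag",
     "count": 1, "owned by": None, "situations": [], "external id": "99-0101"},
]
```

Against these rows, Example 2 returns alerts 120 and 121, and dropping its parentheses gives the same answer only because AND is assumed to bind tighter than OR; `(Severity = 'Critical' OR Severity = 'Major') AND Count = 7` returns 121 alone. MATCHES is the operator to watch: because the operand is a regular expression and the search is unanchored, `'External ID' MATCHES 01` selects 02-0001 and 99-0101 as well as 01-4711, so anchor the pattern (`'^01'`) or escape metacharacters when a literal prefix is meant. An unquoted `Alert ID = 120` is rejected because the column name contains a space, which is the quoting rule stated above; `severity = 'critical'` parses but matches nothing, because values are case-sensitive.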