Moogsoft Docs

Advanced Filter Query Syntax

The Advanced Filter query syntax can be used to create more complex filters for Alerts and Situations.

This syntax uses column display name parameters alongside common query operators used in filters. The column parameters and their associated operators are listed in the sections below.

Note

Please note : The Advanced Filter query syntax uses the display column names (those shown in the UI) rather than the database column names

Alert Column Parameters

Column Display Name: Associated Operators

Active Situations: IN, CONTAINS, =, !=
Alert Id: >, >=, <, <=, !=, =, IN
Agent Name: MATCHES, =, !=
Agent Host: MATCHES, =, !=
Class: MATCHES, =, !=
Count: >, >=, <, <=, !=, =
Description: MATCHES, =, !=
Entropy: >, >=, <, <=, !=, =
External ID: MATCHES, =, !=
First Event Time: >, >=, <, <=
Host: MATCHES, =, !=
Internal Last Event Time: >, >=, <, <=
Last Change: >, >=, <, <=
Last Event Time: >, >=, <, <=
Manager: MATCHES, =, !=
Owned By: IN, =, !=
Severity: IN, =, !=
Significance: IN, =, !=
Situations: IN, CONTAINS, =, !=
Source ID: MATCHES, =, !=
Status: IN, =, !=
Type: MATCHES, =, !=

Situation Column Parameters

Column Display Name: Associated Operators

Category: MATCHES, =, !=
Created At: >, >=, <, <=
Description: MATCHES, =, !=
First Event Time: >, >=, <, <=
ID: >, >=, <, <=, !=, =, IN
Last Change: >, >=, <, <=
Last Event Time: >, >=, <, <=
Owned By: IN, =, !=
Participants: >, >=, <, <=, !=, =
Process Impacted: IN, CONTAINS, =, !=
Scope Trend: >0, <=0
Services Impacted: IN, CONTAINS, =, !=
Sev Trend: >0, <=0
Severity: IN, =, !=
Status: IN, =, !=
Story: >, >=, <, <=, !=, =
Teams: IN, CONTAINS, =, !=
Total Alerts: >, >=, <, <=, !=, =
User Comments: >, >=, <, <=, !=

The associated operators are described in the tables below.

Comparison Operators

Operator, Description, Example -> Result

=  Equal to
   Example: 'Alert ID' = 120 -> Alerts which have an Alert Id of 120
<>  Not equal to (the column tables above list this operator as !=)
   Example: 'Alert ID' <> 120 -> Alerts which do not have an Alert Id of 120
>  Greater than
   Example: ID > 100 -> Situations where the Situation Id is greater than 100
<  Less than
   Example: ID < 100 -> Situations where the Situation Id is less than 100
>=  Greater than or equal to
   Example: ID >= 100 -> Situations where the Situation Id is greater than or equal to 100
<=  Less than or equal to
   Example: ID <= 100 -> Situations where the Situation Id is less than or equal to 100

Literal Operators

Operator, Description, Example -> Result

' ' or " "  Single or double quotation marks mark the start and end of a string value
   Example: description = "test" -> Situations with 'test' as the description
( )  List of items
   Example: teams = (1,2,3) -> Situations that are assigned to teams 1, 2 and 3 (and only 1, 2 and 3)

Logical Operators

Operator, Description, Example -> Result

AND  Combines conditions; all of them must be true
   Example: ID < 100 AND queue=4 -> Situations where the Situation Id is less than 100 and the queue is 4 (both must be true)
OR  Combines conditions; at least one of them must be true
   Example: ID < 100 OR queue=4 -> Situations where either the Situation Id is less than 100 or the queue is 4
NOT  Reverses the meaning of the operator it is combined with, e.g. NOT IN, IS NOT NULL
   Example: queue NOT IN (1,2,3) -> Situations where the queue is not 1, 2 or 3

Other Operators

Operator, Description, Example -> Result

IN  Compares a value to a list of specified values
   Example: queue IN (1,2,3) -> Situations where the queue is 1, 2 or 3
IS NULL  Tests for an empty (NULL) value
   Example: queue IS NULL -> Situations where there is no queue
MATCHES  Matches the regular expression
   Example: description MATCHES "test" -> Situations where the description matches the regular expression "test"
ANY_MATCH  At least one value in a list column matches the regular expression
   Example: teams ANY_MATCH "team[0-9]+" -> Situations where at least one of the team names matches the regular expression team[0-9]+
ALL_MATCH  Every value in a list column matches the regular expression
   Example: teams ALL_MATCH "team[0-9]+" -> Situations where all of the team names match the regular expression team[0-9]+
CONTAINS  The list column contains all of the listed values
   Example: teams CONTAINS (1,2,3) -> Situations whose teams include 1, 2 and 3

Creating an Advanced Filter

An Advanced Filter must contain at least one column name, an associated operator and a value. As a general rule, the column name always goes to the left of the operator.

Warning

Important: if a column name or a value contains a space, it must be enclosed in single or double quotation marks (both " " and ' ' are accepted). This applies to columns such as External ID, Last Event Time, Last Change and Scope Trend. For example, 'External ID' MATCHES 01 and "External ID" MATCHES 01 are both valid; External ID MATCHES 01 without the quotation marks is not.

Column names are case insensitive, but values are case sensitive. For example, 'severity' = 'Critical' works but 'severity' = 'critical' does not.

If the syntax is incorrect or invalid, the filter bar flashes and the filter is not applied.

The following examples show valid filters:

Example 1

Severity = 'Critical' AND Description = 'Desc1'

In this example, the filter shows all Alerts with 'Critical' severity and the description 'Desc1'.

Example 2

Severity = 'Critical' OR (Severity = 'Major' AND description = 'SocketLam Sigalised')

In this example, the filter shows all Alerts with 'Critical' severity, plus the Alerts with 'Major' severity whose description is 'SocketLam Sigalised'. The parentheses matter: without them, the AND would bind to the two Severity conditions differently.

Example 3

Type MATCHES 'Anomalyflag' AND Count = 1

In this example, the filter shows all Alerts whose Type matches the regular expression 'Anomalyflag' and whose Count is 1.
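To make the rules above concrete, the following is an added example written for this page (a hypothetical Python re-implementation, not Moogsoft code): a small recursive-descent interpreter that parses filters in this syntax and evaluates them against a few constructed alert records. It assumes the precedence NOT, then AND, then OR (so Example 2 needs its parentheses), treats column names as case insensitive and values as case sensitive, accepts quoted names such as 'Alert Id', and reports the syntax errors that would make the filter bar flash. The record layout, the Filter class and is_valid are assumptions for the example; CONTAINS, ANY_MATCH, ALL_MATCH and IS NULL are left out to keep it short.

```python
import re
# Added example (hypothetical re-implementation, not Moogsoft code): a recursive-descent
# interpreter for the filter syntax on this page. Assumed precedence: NOT, then AND, then OR.
COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<>": lambda a, b: a != b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b, ">=": lambda a, b: a >= b,
           "<=": lambda a, b: a <= b}
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>'[^']*'|"[^"]*")        # quoted column name or value
                            |(?P<kw>AND|OR|NOT|IN|MATCHES)\b      # keywords, any case
                            |(?P<num>\d+(?:\.\d+)?)               # number (raw text kept)
                            |(?P<op><=|>=|<>|!=|=|<|>|\(|\)|,)    # operators and punctuation
                            |(?P<word>[A-Za-z_][A-Za-z0-9_]*)     # bare column name or value
                            |(?P<bad>\S))""", re.VERBOSE | re.IGNORECASE)

def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":                                  # any character the grammar lacks
            raise ValueError(f"unexpected character {val!r}")
        tokens.append((kind, val[1:-1] if kind == "str" else val.upper() if kind == "kw" else val))
    return tokens

class Filter:                                              # Filter(text).matches(record) -> bool
    def __init__(self, text):
        self.toks = tokenize(text)
    def matches(self, record):
        self.rec, self.i = {k.lower(): v for k, v in record.items()}, 0  # names: case insensitive
        result = self.expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing input")
        return result
    def accept(self, kind, val):                           # consume the next token if it matches
        ok = self.i < len(self.toks) and self.toks[self.i] == (kind, val)
        self.i += int(ok)
        return ok
    def take(self, kind=None, val=None):                   # consume the next token, or fail
        if self.i >= len(self.toks) or (kind and self.toks[self.i] != (kind, val)):
            raise ValueError(f"expected {val or 'a value'} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1]
    def value(self, raw=False):                            # literal token -> Python value
        kind, val = self.take()
        if kind not in ("num", "str", "word"):
            raise ValueError(f"value expected, got {val!r}")
        return (float(val) if "." in val else int(val)) if kind == "num" and not raw else val
    def list_value(self):                                  # ( v1, v2, ... )
        self.take("op", "(")
        items = [self.value()]
        while self.accept("op", ","):
            items.append(self.value())
        self.take("op", ")")
        return items
    def expr(self, level=0):                               # level 0 = OR, 1 = AND, 2 = unary
        if level == 2:
            return self.unary()
        result, word = self.expr(level + 1), ("OR", "AND")[level]
        while self.accept("kw", word):                     # both operands are always parsed
            right = self.expr(level + 1)
            result = (result and right) if word == "AND" else (result or right)
        return result
    def unary(self):
        if self.accept("kw", "NOT"):
            return not self.unary()
        if self.accept("op", "("):
            result = self.expr()
            self.take("op", ")")
            return result
        return self.condition()
    def condition(self):
        col = self.take()
        if col[0] not in ("str", "word"):
            raise ValueError(f"column name expected, got {col[1]!r}")
        value = self.rec.get(col[1].lower())
        negate = self.accept("kw", "NOT")                  # e.g. "queue NOT IN (1,2,3)"
        op = self.take()
        if op == ("kw", "IN"):
            hit = value in self.list_value()
        elif op == ("kw", "MATCHES"):                      # regex search; raw so that 01 stays "01"
            hit = re.search(self.value(raw=True), "" if value is None else str(value)) is not None
        elif op[0] == "op" and op[1] in COMPARE:           # values are case sensitive
            lit = self.value()
            same_kind = isinstance(value, (int, float)) == isinstance(lit, (int, float))
            hit = value is not None and same_kind and COMPARE[op[1]](value, lit)
        else:
            raise ValueError(f"operator expected, got {op[1]!r}")
        return bool(hit) != negate                         # apply NOT / NOT IN

def is_valid(text):                                        # True when the filter bar would not flash
    try:
        Filter(text).matches({})
        return True
    except (ValueError, re.error):
        return False

ALERTS = [  # constructed sample alerts (not Moogsoft data), keyed by column display name
    {"Alert Id": 120, "Severity": "Critical", "Description": "Desc1", "Count": 1},
    {"Alert Id": 121, "Severity": "Major", "Description": "SocketLam Sigalised", "Count": 5},
    {"Alert Id": 122, "Severity": "Major", "Description": "Desc1", "Count": 1},
]
```

Running Example 2 through Filter(...).matches over ALERTS selects 120 and 121; with the parentheses removed the AND binds first and 122 is selected instead. The interpreter parses both operands of every AND and OR on each call, so a syntax error on the right-hand side is reported even when the left-hand side already decides the result, which is how is_valid can check a filter against an empty record. A string column compared with a number (Severity > 100) simply never matches rather than raising, and an unquoted name such as Alert Id = 120 is rejected because the second word lands where the operator should be.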


Note

Quick tip: to create a filter where the owner is empty, enter 'Owned By' = 'Moog'.