Skip to main content

Build a scope filter query

The APEX AIOps Incident Management features which include filtering (such as metrics) or automatic processing of events, alerts, or incidents based on field values (such as workflow and correlation) include a scope query filter. This filter identifies the items, according to field values, which will be processed.

To use the filter, click inside the filter box.


A list of suggested fields displays. You can select a field from the list, or you can type directly into the filter box.

Supported filter operators include:

  • equals (=)

  • not equals (!=)

  • less than (<)

  • less than or equal to (<=)

  • greater than (>)

  • greater than or equal to (>=)

  • in


  • not

  • AND

  • OR

The available operators vary depending on context. For example, a field using a string data type like description does not include greater than or less than operators, which are only applicable for numeric values.

Double quotes (or single quotes, as either is acceptable) are only required when a value contains a space. In the UI, you do not have to include double quotes around field names (this is done for you programmatically). In the following examples, double quotes are added to all field names with spaces for clarity.

Example 1. Simple queries

The following examples show the basic construction of filter queries using simple operators.

severity = Critical
status != closed
"total alerts" >= 10

The right side of the filter operator must always be a value. It cannot be another field. This is an invalid filter:

"last status change time" = "last event time"  

Example 2. Case-sensitivity


Case-sensitivity should not be used as filtering criteria in scope filters. This information is provided to clarify where case-sensitivity currently exists and to help avoid issues caused by case-sensitivity in scope filters. While case-sensitivity support currently exists and could potentially be used in scope filters, case-sensitivity will be removed in a future release, and any filters based on case will become case-insensitive, which could result in different results being matched.


The deduplication process automatically changes the case of fields used in the deduplication key to lowercase, unless a dedupe_key value is specified in the event. For more information on the deduplication key, see Configure incident similarity.

Most field values are currently case-sensitive. The following alert and incident fields are case-insensitive. Incident Management makes no differentiation between lowercase, uppercase, or mixed case for these field values:

Case-insensitive fields in Incident Management

  • dedupe key

  • assignee

  • changes

  • originator

  • priority (applies to incidents only)

  • severity

  • status

  • severity high water

All other fields are case-sensitive.

Therefore, these two key/value pairs are equivalent when evaluated by a scope filter:

"class" = "p1"
"class" = "P1"

But these two are not:

"description" = "metric"
"description" = "METRIC"

Example 3. Spaces in queries

Spaces only matter between parameters and inside double quotes. For example, this query:

severity = Critical OR severity = Major

... is not the same as this query:


... but it is the same as this query:

severity   = Critical   OR severity      = Major

Likewise, this query:

"correlation definition" = "Similar Sources"

... is not the same as this query:

"correlationdefintition" = "SimilarSources"

... or this query:

"correlation   definition" = "Similar    Sources"

... but it is the same as this one:

"correlation definition"     =      "Similar Sources"

Example 4. Using NULL in queries

To find items where a field has not yet been assigned (such as assignee, user groups, maintenance windows, or other field that is not present in the payload until assigned), you can use NULL as the value.

assignee = NULL

NULL indicates the the key is not present, or the key value is NULL. NULL is not the same as blank or an an empty string.

Example 5. The in operator

Using services with the in operator means that the filter looks for the specified strings in the services field.

services in (retail, "pharmaceutical supplies")

All list types (such as services, classes, tags) support the in operator.

Example 6. The MATCHES operator

MATCHES compares two values or strings.

In this example, only items where the description field value matches the regex in this string match this scope filter.

description MATCHES "Originates from the 192.168.[0-9]{3}.0 network"

A description value of "Originates from the network" is a match.

You can also use the MATCHES operator to perform a contains operation. It can check if the filter string is included in the received data.

This filter:

source MATCHES ".*network.*"

matches source = "AWS network" and source = "North America network router"

You can also use MATCHES with a regex to identify the start and end of strings.

description MATCHES "^1 Source:.*"     //matches strings starting with 1 Source:
tags.manager MATCHES ".*Collector$"    //matches strings ending with Collector

The MATCHES operator in scope filter queries is case-sensitive by default.

Example 7. Queries with Boolean operators

In the example below, a matching payload can contain a severity field with a value of either Critical or Major.

severity = Critical OR severity = Major

In the next example, matching alerts must match all three portions of this query: the assignee is not, a maintenance window was active, and the status is not set to In Progress.

assignee != AND "in maintenance" = true AND status != "In Progress"

Example 8. The not operator
severity not in (Unknown, Clear, Minor)
description not MATCHES "PagerDuty alert"

The not operator can be used with other operators to build queries where you want to eliminate certain matching strings. Use != instead of not to indicate that the value should not match a single value (example: manager != collector) because the not operator is not interchangeable with != in the scope query filter.

Example 9. The LIKE comparison for arrays

When the service, class, (services and classes for incidents) or description fields are used with the =, !=, or IN operators, a hidden LIKE comparison then treats the values on the right side of the operator as wildcard strings.

This scope filter:

service IN ( data, log )

checks if the alert service field includes any value containing the strings "data" or "log".

The following key/value pairs are both matches for this scope filter:

"service":[ "database" ]
"service":[ "database", "logging" ]

The preceding two key/value pairs are also matches for this scope filter:

service IN ( data, log )

However, this scope filter:

service IN (database, logging)

is not a match for this key value pair:

"service": [ "data", "log" ]