
Build a scope filter query

Moogsoft Cloud features that filter items (such as metrics) or automatically process events, alerts, or incidents based on field values (such as workflow and correlation) include a scope query filter. The filter identifies, by field value, which items are processed.

To use the filter, click inside the filter box.

(Screenshot: ScopeFilterFields.png, the scope filter box with its list of suggested fields)

A list of suggested fields displays. You can select a field from the list, or you can type directly into the filter box.

Supported filter operators include:

  • equals (=)
  • not equals (!=)
  • less than (<)
  • less than or equal to (<=)
  • greater than (>)
  • greater than or equal to (>=)
  • in
  • MATCHES
  • not
  • AND
  • OR

The available operators vary depending on context. For example, a field using a string data type like description does not include greater than or less than operators, which are only applicable for numeric values.

Double quotes are only required when a value contains a space. In the UI, you do not have to include double quotes around field names (this is done for you programmatically). In the following examples, double quotes are added to all field names with spaces for clarity.

Example 1. Simple queries

The following examples show the basic construction of filter queries using simple operators.

severity = Critical
status != closed
"total alerts" >= 10


Example 2. Using NULL in queries

To find items where a field has not yet been assigned (such as assignee, user groups, maintenance windows, or any other field that is not present in the payload until it is assigned), use NULL as the value.

assignee = NULL

NULL indicates that the key is not present, or that the key value is NULL. NULL is not the same as blank or an empty string.



Example 3. The in operator

Using services with the in operator means that the filter looks for the specified strings in the services field.

services in (retail, "pharmaceutical supplies")

All list types (such as services, classes, tags) support the in operator.



Example 4. The MATCHES operator

Only items whose description field value matches the regular expression in the filter string will match this filter.

A description value of "Originates from the 192.168.089.0 network" would match.

description MATCHES "Originates from the 192.168.[0-9]{3}.0 network"

You can also use the MATCHES operator to perform a contains operation. It will check if the filter string is included in the received data.

This filter:

source MATCHES ".*network.*"

matches source = "AWS network" and source = "North America network router"

You can also use MATCHES with a regex to identify the start and end of strings.

description MATCHES "^1 Source:.*"     //matches strings starting with 1 Source:
tags.manager MATCHES ".*Collector$"    //matches strings ending with Collector


Example 5. Queries with Boolean operators

In the example below, a matching payload can contain a severity field with a value of either Critical or Major.

severity = Critical OR severity = Major

In the next example, matching alerts must match all three portions of this query: the assignee is not user1@example.com, a maintenance window was active, and the status is not set to In Progress.

assignee != user1@example.com AND "in maintenance" = true AND status != "In Progress"


Example 6. The not operator

severity not in (Unknown, Clear, Minor)
description not MATCHES "PagerDuty alert"

The not operator can be used with other operators to build queries where you want to eliminate certain matching strings. Use != instead of not to indicate that the value should not match a single value (example: manager != collector) because the not operator is not interchangeable with != in the scope query filter.
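As an added example that is not part of Moogsoft's documentation or code, the following Python evaluator implements the grammar described above (comparison operators, NULL, in, MATCHES, not, AND and OR) so that the semantics of the examples can be checked against constructed alerts. It assumes that MATCHES is a whole-string regular-expression match (which is why the page writes ".*network.*" for a contains check), that NULL means the key is missing or None, and that field names are looked up as flat dictionary keys.

```python
import re
# Added example, not Moogsoft's code: a minimal evaluator for this page's scope filter grammar. It assumes
# MATCHES is a whole-string regex match (hence ".*network.*" for "contains") and bare NULL means absent/None.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\(|\)|,|!=|>=|<=|=|<|>)|([^\s(),]+))')

def tokenize(query):  # -> ('str', text) for quoted values, ('bare', text) for everything else
    toks, pos = [], 0
    while pos < len(query.rstrip()):
        m = TOKEN.match(query, pos); pos = m.end()
        toks.append(('str', m.group(1)) if m.group(1) is not None else ('bare', m.group(2) or m.group(3)))
    return toks

def literal(tok):  # quoted values stay strings; bare NULL/true/false/numbers are typed
    kind, text = tok
    if kind == 'str': return text
    if text == 'NULL': return None
    if text in ('true', 'false'): return text == 'true'
    return float(text) if re.fullmatch(r'-?\d+(\.\d+)?', text) else text

def compare(op, actual, expected):  # ordering operators only apply to numeric values
    if op in ('=', '!='): return (actual == expected) == (op == '=')
    if not all(isinstance(v, (int, float)) for v in (actual, expected)): return False
    return {'<': actual < expected, '<=': actual <= expected, '>': actual > expected, '>=': actual >= expected}[op]

def evaluate(query, item):  # True when item (a flat dict of alert fields) satisfies the scope query
    toks = tokenize(query)
    peek = lambda: toks[0][1] if toks else None
    def factor():
        actual = item.get(toks.pop(0)[1])
        negate = peek() == 'not' and bool(toks.pop(0))
        op = toks.pop(0)[1]
        if op == 'in':  # any element of a list field may match one of the listed values
            end = toks.index(('bare', ')'))
            vals = [literal(t) for t in toks[1:end] if t != ('bare', ',')]
            del toks[:end + 1]
            res = any(v in vals for v in (actual if isinstance(actual, list) else [actual]))
        elif op == 'MATCHES':  # whole-string regex; a missing field never matches
            res = actual is not None and re.fullmatch(literal(toks.pop(0)), str(actual)) is not None
        else:
            res = compare(op, actual, literal(toks.pop(0)))
        return bool(res) != negate
    def term():  # AND binds tighter than OR
        res = factor()
        while peek() == 'AND': toks.pop(0); res = factor() and res
        return res
    res = term()
    while peek() == 'OR': toks.pop(0); res = term() or res
    if toks: raise ValueError(f'unexpected token {toks[0][1]!r}')
    return res
```

Running the page's own queries through evaluate() shows the two points that most often surprise users: an empty string does not satisfy `= NULL`, and `MATCHES "network"` without the surrounding `.*` does not act as a contains check.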