
Filter Search Data

You can search for specific alerts, Situations, and Impacted Services in Moogsoft Onprem using filters. The default filter views that you can access from the Workbench are Impacted Services, My Situations, Open Situations, My Alerts, and Open Alerts.

There are two types of filter: basic filter and advanced filter. Click the funnel filter icon to open the drop-down menu and switch between the filter types.

Note

Moogsoft recommends that you use the basic filter in most cases but, if you want more flexibility or need to filter for something more complex, then use the advanced filter.

You can also use SQL-like queries in the Workflow Engine filter fields. See Create an advanced filter for more information. You can also use the event_handler field as part of filters in the Workflow Engine. See Using the event_handler field in Workflow Engine entry filters for more information.

Create a basic filter

Create an advanced filter

The advanced filter is for complex queries. It operates in a similar way to the basic filter but uses the Moogsoft filter query language, which is SQL-like. For example, to show all alerts with a 'Severity' of 'Warning' and a 'Description' of 'SocketLam Sigalised', the correct syntax is:

(Severity IN ("Warning")) AND (Description MATCHES "SocketLam Sigalised")

For more information on the query language syntax, see the tables of available operators and the examples below.

Pause alerts and Situations

You may want to click the Pause button to temporarily stop alerts or Situations being added to the Alert or Situation View. When paused, Moogsoft Onprem does not update the list with the latest data unless you apply a new filter, which triggers a one-time load of data.

After you have made any edits, you can reactivate the live feed of data by clicking the Play button.

Advanced filter syntax

You can use the advanced filter query syntax to create more complex filters for alerts and Situations. This syntax uses column display name parameters alongside common query operators used in filters. The column parameters and their associated operators are listed in the sections below.

Note

The advanced filter query syntax uses the display column names (those shown in the UI) rather than the database column names.

Alert column parameters

Column Display Name | Associated Operators
--- | ---
Active Situations | IN, CONTAINS, =, !=
Alert Id | >, >=, <, <=, !=, =, IN
Agent Name | (none listed)
Agent Host | (none listed)
Class | (none listed)
Count | >, >=, <, <=, !=, =
Description | (none listed)
Entropy | >, >=, <, <=, !=, =
External ID | (none listed)
First Event Time | >, >=, <, <=
Host | (none listed)
Internal Last Event Time | >, >=, <, <=
Last Change | >, >=, <, <=
Last Event Time | >, >=, <, <=
Manager | (none listed)
Owned By | IN, =, !=
Severity | IN, =, !=
Significance | IN, =, !=
Situations | (none listed)
Source ID | (none listed)
Status | IN, =, !=
Type | (none listed)

Situation column parameters

Column Display Name | Associated Operators
--- | ---
Category | MATCHES, =, !=
Created At | >, >=, <, <=
Description | MATCHES, =, !=
First Event Time | >, >=, <, <=
ID | >, >=, <, <=, !=, =, IN
Last Change | >, >=, <, <=
Last Event Time | >, >=, <, <=
Owned By | IN, =, !=
Participants | >, >=, <, <=, !=, =
Process Impacted | CONTAINS, =, !=
Scope Trend | >0, <=0
Services Impacted | CONTAINS, =, !=
Sev Trend | >0, <=0
Severity | IN, =, !=
Status | IN, =, !=
Story | >, >=, <, <=, !=, =
Teams | IN, CONTAINS, =, !=
Total Alerts | >, >=, <, <=, !=, =
User Comments | >, >=, <, <=, !=

Creating an advanced filter

An advanced filter must contain at least one column name, an associated operator, and a value. As a general rule, the column name always goes to the left of the operator.

If the column name or the value contains a space, it must be surrounded by single or double quotation marks (both " " and ' ' are accepted). This applies to columns such as External ID, Last Event Time, Last Change and Scope Trend. For example, 'External ID' MATCHES 01 and "External ID" MATCHES 01 are both valid.

Column names are case insensitive but the values are case sensitive. For example, 'severity' = 'Critical' is valid but 'severity' = 'critical' is not.

If you want to create a filter where the owner is empty, enter 'Owned By' = 'Moog'.

If the syntax is incorrect or invalid, the filter bar flashes.

For reference, see the examples below.

Filter on Alert and Situation columns

You can filter on columns in Alert and Situation Views. The syntax for advanced filters uses the CONTAINS keyword. The following is an example for a custom info column named "servers.kingston":

custom_info.servers.kingston CONTAINS "kngstn::webserver::HR"

You must use full matching, rather than partial matching, which means that the whole value in the filter must appear in the list. For example, the above filter requires the list to have a "kngstn::webserver::HR" element. It does not, for example, match "kngstn::webserver".

Quotes are optional for both strings and number values. Note that no brackets are allowed around the filter value.

For this feature to work, the custom info column (in this example, "servers.kingston") must be added as a filterable column. This can be done in the UI, under System Settings > Alert / Situation Columns, or via the utilities: moog_add_alert_custom_info_field and moog_add_situation_custom_info_field. The column type must be a list (in the UI) or JSON (via a utility).

Advanced filter examples

Example 1

Severity = 'Minor' AND Description = 'Web Situation'

In this example, the filter shows all alerts with 'Minor' severity and the description 'Web Situation'.

Example 2

Severity = 'Critical' OR (Severity = 'Major' AND description = 'SocketLam Sigalised')

In this example, the filter shows all alerts with 'Critical' severity, or with 'Major' severity and the description 'SocketLam Sigalised'.

Example 3

Type MATCHES 'Anomalyflag' AND Count = 1

In this example, the filter shows all alerts whose type matches 'Anomalyflag' and whose count is 1.

Comparison operators

The operators that you can use in filters are described in the tables below.

Comparison operators

Operator | Description | Example | Result
--- | --- | --- | ---
= | Equal to | Alert ID = 120 | Alerts which have an Alert Id of 120
<> | Not equal to | Alert ID <> 120 | Alerts which do not have an Alert Id of 120
> | Greater than | ID > 100 | Situations where the Situation Id is greater than 100
< | Less than | ID < 100 | Situations where the Situation Id is less than 100
>= | Greater than or equal to | ID >= 100 | Situations where the Situation Id is greater than or equal to 100
<= | Less than or equal to | ID <= 100 | Situations where the Situation Id is less than or equal to 100

Literal operators

Operator | Description | Example | Result
--- | --- | --- | ---
' ' or " " | Single or double quotation marks indicate the start and end of a string value | description = "test" | Situations with 'test' as the description
( ) | List of items | teams = (1,2,3) | Situations that are assigned to teams 1, 2 and 3 (and only 1, 2 and 3)

Logical operators

Operator | Description | Example | Result
--- | --- | --- | ---
AND | Combines conditions that must all be true | ID < 100 AND queue=4 | Situations where the Situation Id is less than 100 and the queue is 4 (both must be true)
OR | Combines conditions of which at least one must be true | ID < 100 OR queue=4 | Situations where either the Situation Id is less than 100 or the queue is 4
NOT | Reverses the meaning of the operator it is applied to, e.g. NOT IN, IS NOT NULL | queue NOT IN (1,2,3) | Situations where the queue is not 1, 2 or 3

Other operators

Operator | Description | Example | Result
--- | --- | --- | ---
IN | Compares a value to a list of specified values | queue IN (1,2,3) | Situations where the queue is 1, 2 or 3
IS NULL | Tests whether the column has no (NULL) value | queue IS NULL | Situations where there is no queue
MATCHES | Matches the regular expression | description MATCHES "test" | Situations where the description matches the regular expression "test"
ANY_MATCH | At least one element of a list matches the regular expression | teams ANY_MATCH "team[0-9]+" | Situations where at least one of the team names matches the regular expression team[0-9]+
ALL_MATCH | Every element of a list matches the regular expression | teams ALL_MATCH "team[0-9]+" | Situations where all of the team names match the regular expression team[0-9]+
CONTAINS | A list column contains every listed value | teams CONTAINS (1,2,3) | Situations where the teams contain 1, 2 and 3
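The rules in the sections above (SQL precedence for AND, OR and NOT, quoting of names that contain spaces, case-insensitive column names with case-sensitive values, full-element matching for CONTAINS on custom info lists, and the IN and MATCHES operators) are easiest to check by running filters against data. The Python below is an added example written for this page, not Moogsoft's own filter implementation: it parses the syntax from the tables into a tree and applies it to a few constructed alerts held as dicts keyed by column display name. The function names (tokenize, parse, evaluate, apply_filter), the sample alert values and the contents of the custom_info.servers.kingston lists are all my own. Two assumptions are made to keep it short: MATCHES is treated as an unanchored regular-expression search, and IS NULL, ANY_MATCH and ALL_MATCH are left out.

```python
import re

# Added example, not Moogsoft's own code: parses and evaluates the page's advanced filter syntax
# against dicts keyed by column display name. MATCHES is taken as an unanchored regex search (assumption).
KEYWORDS = {"AND", "OR", "NOT", "IN", "MATCHES", "CONTAINS"}
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\d+|<=|>=|<>|!=|[=<>(),]|[A-Za-z_][\w.]*|\S""")


def tokenize(text):
    for tok in TOKEN.findall(text):                     # keywords are case-insensitive, values keep case
        if len(tok) > 1 and tok[0] in "'\"":
            yield "str", tok[1:-1]                      # 'quoted' or "quoted" string
        elif tok.isdigit():
            yield "num", int(tok)
        elif tok[0].isalpha() or tok[0] == "_":         # keyword, column name or bare value
            yield ("kw", tok.upper()) if tok.upper() in KEYWORDS else ("word", tok)
        elif len(tok) > 1 or tok in "=<>(),":
            yield "op", tok
        else:
            raise SyntaxError(f"unexpected character {tok!r}")
    yield "end", None


def parse(text):
    """Recursive descent with SQL precedence: OR binds loosest, then AND, then NOT."""
    toks = list(tokenize(text))
    def take(kind, value=None, required=True):          # consume the next token if it matches
        found = toks[0][0] == kind and value in (None, toks[0][1])
        if required and not found:
            raise SyntaxError(f"expected {value or kind}, got {toks[0][1]!r}")
        return toks.pop(0)[1] if found else None
    def expr(level=0):                                  # level 0 chains OR, level 1 chains AND
        sub = factor if level else lambda: expr(1)
        node = sub()
        while take("kw", ("OR", "AND")[level], required=False):
            node = (("or", "and")[level], node, sub())
        return node
    def factor():
        if take("kw", "NOT", required=False):
            return "not", factor()
        if take("op", "(", required=False):             # parenthesised sub-expression
            node = expr()
            take("op", ")")
            return node
        column = take("str" if toks[0][0] == "str" else "word")   # quote a name with spaces
        negate = take("kw", "NOT", required=False) is not None    # `column NOT IN (...)`
        op = take("kw" if toks[0][0] == "kw" else "op")
        if op in ("AND", "OR", "NOT", "(", ")", ","):   # every other token here is a comparison
            raise SyntaxError(f"expected a comparison operator, got {op!r}")
        node = ("cmp", op, column, value())
        return ("not", node) if negate else node
    def value():                                        # a scalar (quotes optional) or a list
        if toks[0][0] in ("str", "num", "word"):
            return take(toks[0][0])
        take("op", "(")
        items = [value()]
        while take("op", ",", required=False):
            items.append(value())
        take("op", ")")
        return items
    tree = expr()
    take("end")                                         # reject trailing tokens
    return tree


def evaluate(node, record):
    kind, *args = node
    if kind in ("or", "and", "not"):
        results = (evaluate(a, record) for a in args)   # lazy, so OR and AND short-circuit
        return {"or": any, "and": all, "not": lambda r: not next(r)}[kind](results)
    op, column, value = args                            # column names match case-insensitively
    actual = next((v for k, v in record.items() if k.lower() == column.lower()), None)
    if actual is None:                                  # a missing column satisfies nothing
        return False
    values = value if isinstance(value, list) else [value]
    if op in ("=", "!=", "<>"):
        return (actual == value) == (op == "=")         # values compare case-sensitively
    if op in ("<", "<=", ">", ">="):
        return {"<": actual < value, "<=": actual <= value, ">": actual > value, ">=": actual >= value}[op]
    if op == "IN":
        return actual in values
    if op == "CONTAINS":                                # full matching: whole list elements only
        return all(v in (actual if isinstance(actual, list) else [actual]) for v in values)
    return re.search(str(value), str(actual)) is not None   # MATCHES


def apply_filter(text, records):
    tree = parse(text)                                  # parse once, evaluate per record
    return [r for r in records if evaluate(tree, r)]


# Constructed sample alerts (not real Moogsoft data); "Moog" as owner marks an unowned alert.
COLUMNS = ("Alert Id", "Severity", "Description", "Count", "Owned By", "custom_info.servers.kingston")
ALERTS = [dict(zip(COLUMNS, row)) for row in (
    (101, "Critical", "SocketLam Sigalised", 3, "Moog", ["kngstn::webserver::HR"]),
    (102, "Major", "SocketLam Sigalised", 1, "alice", ["kngstn::webserver"]),
    (103, "Minor", "Web Situation", 1, "Moog", []),
)]
```

With this data, the Example 2 filter above returns alerts 101 and 102, Severity = 'critical' (lowercase value) returns nothing, and the custom info filter custom_info.servers.kingston CONTAINS "kngstn::webserver::HR" matches only alert 101, because alert 102's list holds the shorter element "kngstn::webserver" and partial matches do not count. Malformed input (a keyword where an operator should be, an unbalanced bracket, trailing text) raises SyntaxError at parse time instead of silently matching nothing, which is the behaviour you want from any filter that decides what an operator gets to see.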

Using the event_handler field in Workflow Engine entry filters

You can use the event_handler field as part of an Entry Filter in the Workflow Engine. See Manage Workflows for more information on Workflow Engine workflows.

Valid values in Alert Workflows are:

Field | Description
--- | ---
Alert | Alert was created.
AlertAction | A tool was run on the alert.
AlertClose | Alert was closed.
AlertUpdate | Alert was updated.
ArchivedAlert | Alert was moved to the historic database.

Valid values in Situation Workflows are:

Field | Description
--- | ---
ArchivedSig | Situation was moved to the historic database.
Feedback | A user provided feedback on the Situation.
NewThreadEntry | A new thread entry was added to the Situation.
Sig | Situation was created.
SigAction | A Situation event occurred.
SigClose | Situation was closed.
SigStatus | Situation's status was changed.
SigUpdate | Situation was updated.
ThreadEntry | A thread entry on the Situation has changed.