Filter Search Data
You can search for specific alerts, Situations, and Impacted Services in Moogsoft Onprem using filters. The default filter views that you can access from the Workbench are Impacted Services, My Situations, Open Situations, My Alerts, and Open Alerts.
There are two types of filter: basic filter and advanced filter. Click the funnel filter icon to open the drop-down menu and switch between the filter types.
Note
Moogsoft recommends that you use the basic filter in most cases but, if you want more flexibility or need to filter for something more complex, then use the advanced filter.
You can also use SQL-like queries in the Workflow Engine filter fields. See Create an advanced filter for more information. You can also use the event_handler field as part of filters in the Workflow Engine. See Using the event_handler field in Workflow Engine entry filters for more information.
Create a basic filter
Create an advanced filter
The advanced filter is for complex queries. It operates in a similar way to the basic filter but uses the Moogsoft filter query language, which is SQL-like. For example, to show all alerts with a 'Severity' of 'Warning' and a 'Description' of 'SocketLam Sigalised', the correct syntax is:
(Severity IN ("Warning")) AND (Description MATCHES "SocketLam Sigalised")
For more information on the query language syntax, see the tables of available operators and the examples below.
Pause alerts and Situations
You can click the Pause button to temporarily stop alerts or Situations from being added to the Alert or Situation View. When paused, Moogsoft Onprem does not update the list with the latest data unless you apply a new filter, which triggers a one-time load of data.
After you have made any edits, you can reactivate the live feed of data by clicking the Play button.
Advanced filter syntax
You can use the advanced filter query syntax to create more complex filters for alerts and Situations. This syntax uses column display name parameters alongside common query operators used in filters. The column parameters and their associated operators are listed in the sections below.
Note
The advanced filter query syntax uses the display column names (those shown in the UI) rather than the database column names.
Alert column parameters
Column Display Name | Associated Operators |
---|---|
Active Situations | IN CONTAINS = != |
Alert Id | > >= < <= != = IN |
Agent Name | |
Agent Host | |
Class | |
Count | > >= < <= != = |
Description | |
Entropy | > >= < <= != = |
External ID | |
First Event Time | > >= < <= |
Host | |
Internal Last Event Time | > >= < <= |
Last Change | > >= < <= |
Last Event Time | > >= < <= |
Manager | |
Owned By | IN = != |
Severity | IN = != |
Significance | IN = != |
Situations | |
Source ID | |
Status | IN = != |
Type | |
Situation column parameters
Column Display Name | Associated Operators |
---|---|
Category | MATCHES = != |
Created At | > >= < <= |
Description | MATCHES = != |
First Event Time | > >= < <= |
ID | > >= < <= != = IN |
Last Change | > >= < <= |
Last Event Time | > >= < <= |
Owned By | IN = != |
Participants | > >= < <= != = |
Process Impacted | CONTAINS = != |
Scope Trend | >0 <=0 |
Services Impacted | CONTAINS = != |
Sev Trend | >0 <=0 |
Severity | IN = != |
Status | IN = != |
Story | > >= < <= != = |
Teams | IN CONTAINS = != |
Total Alerts | > >= < <= != = |
User Comments | > >= < <= != |
Creating an advanced filter
An advanced filter must contain at least one column name, an associated operator, and a value. As a general rule, the column name always goes to the left of the operator.
If the column name or the value contains a space, it needs to be surrounded by single or double quotation marks (both " " and ' ' are accepted). This applies to columns such as External ID, Last Event Time, Last Change, Scope Trend etc. For example, 'External ID' MATCHES 01 or "External ID" MATCHES 01 are both valid.
Column names are case insensitive but the values are case sensitive. For example, 'severity' = 'Critical' is valid but 'severity' = 'critical' is not.
If you want to create a filter where the owner is empty, enter 'Owned By' = 'Moog'.
If the syntax is incorrect or invalid, the filter bar flashes (see the screenshot below):
For reference, please see the examples and screenshots displayed below.
Filter on Alert and Situation columns
You can filter on columns in Alert and Situation Views. For list-valued columns, the advanced filter syntax uses the CONTAINS keyword. The following is an example for a custom info column named "servers.kingston":
custom_info.servers.kingston CONTAINS "kngstn::webserver::HR"
You must use full matching, rather than partial matching, which means that the whole value in the filter must appear in the list. For example, the above filter requires the list to have a "kngstn::webserver::HR" element. It does not, for example, match "kngstn::webserver".
Quotes are optional for both strings and number values. Note that no brackets are allowed around the filter value.
For this feature to work, the custom info column (in this example, "servers.kingston") must be added as a filterable column. This can be done in the UI, under System Settings > Alert / Situation Columns, or via the utilities: moog_add_alert_custom_info_field and moog_add_situation_custom_info_field. The column type must be a list (in the UI) or JSON (via a utility).
Advanced filter examples
Example 1
Severity = 'Minor' AND Description = 'Web Situation'
In this example, the filter shows all alerts with 'Minor' severity and with the description 'Web Situation':
Example 2
Severity = 'Critical' OR (Severity = 'Major' AND description = 'SocketLam Sigalised')
In this example, the filter shows all alerts with 'Critical' severity, or with 'Major' severity and the description 'SocketLam Sigalised':
Example 3
Type MATCHES 'Anomalyflag' AND Count = 1
In this example, the filter shows all alerts which match the 'Anomalyflag' type and have a count of 1:
Comparison operators
The operators that you can use in filters are described in the tables below.
Comparison operators
Operator | Description | Example | Result |
---|---|---|---|
= | Equal to | 'Alert Id' = 120 | Alerts which have an Alert Id of 120 |
<> | Not equal to | 'Alert Id' <> 120 | Alerts which do not have an Alert Id of 120 |
> | Greater than | ID > 100 | Situations where the Situation Id is greater than 100 |
< | Less than | ID < 100 | Situations where the Situation Id is less than 100 |
>= | Greater than or equal to | ID >= 100 | Situations where the Situation Id is greater than or equal to 100 |
<= | Less than or equal to | ID <= 100 | Situations where the Situation Id is less than or equal to 100 |
Literal operators
Operator | Description | Example | Result |
---|---|---|---|
' ' or " " | Single or double quotation marks indicate the start and end of a string value | description = "test" | Situations with 'test' as the description |
( ) | List of items | teams = (1,2,3) | Situations that are assigned to teams 1, 2 and 3 (and only 1, 2 and 3) |
Logical operators
Operator | Description | Example | Result |
---|---|---|---|
AND | Combines conditions that must all be true | ID < 100 AND queue=4 | Situations where the Situation Id is less than 100 and the queue is 4 (both must be true) |
OR | Combines conditions of which at least one must be true | ID < 100 OR queue=4 | Situations where either the Situation Id is less than 100 or the queue is 4 |
NOT | Reverses the meaning of the operator it precedes, e.g. NOT IN, IS NOT NULL | queue NOT IN (1,2,3) | Situations where the queue is not 1, 2 or 3 |
Other operators
Operator | Description | Example | Result |
---|---|---|---|
IN | Compares a value to a list of specified values | queue IN (1,2,3) | Situations where the queue is 1, 2 or 3 |
IS NULL | True when the column has no value (NULL) | queue IS NULL | Situations where there is no queue |
MATCHES | Matches the regular expression | description MATCHES "test" | Situations where the description matches the regular expression "test" |
ANY_MATCH | At least one list element matches the regular expression | teams ANY_MATCH "team[0-9]+" | Situations where at least one team name matches the regular expression team[0-9]+ |
ALL_MATCH | Every list element matches the regular expression | teams ALL_MATCH "team[0-9]+" | Situations where all team names match the regular expression team[0-9]+ |
CONTAINS | The list column contains the value(s) | teams CONTAINS (1,2,3) | Situations where the teams contain 1, 2 and 3 |
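To make the rules in the Advanced filter syntax, Advanced filter examples and operator sections concrete, the following is an added example, not Moogsoft's own code: a small parser and evaluator for the filter syntax described above (quoted column names and values, case-insensitive column names, case-sensitive values, whole-element CONTAINS matching, AND/OR with parentheses), run over constructed sample alerts. The column and value names in the sample records are assumed for illustration.

```python
import operator, re
# Added example, not Moogsoft's own code: a small evaluator for the advanced filter
# syntax described on this page, run over constructed sample alerts.
TOKENS = re.compile(r'''"([^"]*)"|'([^']*)'|(>=|<=|!=|<>|[()=<>,])|(\S+?)(?=[\s(),=<>!]|$)''')
OPS = {'=': operator.eq, '!=': operator.ne, '<>': operator.ne, '<': operator.lt,
       '>': operator.gt, '<=': operator.le, '>=': operator.ge}

def compare(field, op, val):
    if op in OPS: return field is not None and OPS[op](field, val)
    if op in ('IN', 'NOT IN'): return (field in val) == (op == 'IN')
    if op == 'MATCHES': return field is not None and re.search(str(val), str(field)) is not None
    if op == 'CONTAINS':   # a list column must hold the whole element(s); partial matches do not count
        return all(w in (field or []) for w in (val if isinstance(val, list) else [val]))
    raise ValueError('unsupported operator: ' + op)

class Filter:
    def __init__(self, text):
        # Quoted strings keep their case and spaces; everything else splits into operators and bare words.
        self.t = [('str', d or s) if (d or s) else ('op', o or w) for d, s, o, w in TOKENS.findall(text)]
        self.i = 0; self.run = self.expr()
        if self.i != len(self.t): raise ValueError('invalid filter syntax')
    def peek(self, *kw): return self.i < len(self.t) and self.t[self.i][0] == 'op' and self.t[self.i][1].upper() in kw
    def take(self): self.i += 1; return self.t[self.i - 1][1]
    def expr(self, level=0):   # level 0: OR (binds loosest), level 1: AND, level 2: parentheses and comparisons
        if level == 2: return self.atom()
        f, kw = self.expr(level + 1), ('OR', 'AND')[level]
        while self.peek(kw):
            self.take(); f = (lambda r, a=f, b=self.expr(level + 1), o=kw: (a(r) or b(r)) if o == 'OR' else (a(r) and b(r)))
        return f
    def atom(self):
        if self.peek('('): self.take(); f = self.expr(); self.take(); return f
        col, op = self.take().lower(), self.take().upper()   # column names are case insensitive
        if op == 'NOT': op = 'NOT ' + self.take().upper()
        val = self.list_() if self.peek('(') else self.value()
        return lambda r: compare(r.get(col), op, val)
    def value(self):
        kind, v = self.t[self.i]; self.i += 1
        return v if kind == 'str' or not v.isdigit() else int(v)   # quotes are optional for numbers
    def list_(self):
        self.take(); items = [self.value()]
        while self.peek(','): self.take(); items.append(self.value())
        self.take(); return items

ALERTS = [  # constructed sample alerts, keyed by column display name
    {'Alert Id': 120, 'Severity': 'Critical', 'Description': 'SocketLam Sigalised', 'Count': 3, 'Type': 'Anomalyflag',
     'Teams': [1, 2], 'custom_info.servers.kingston': ['kngstn::webserver::HR']},
    {'Alert Id': 121, 'Severity': 'Minor', 'Description': 'Web Situation', 'Count': 1, 'Type': 'Anomalyflag', 'Teams': [1, 2, 3]},
    {'Alert Id': 122, 'Severity': 'Major', 'Description': 'SocketLam Sigalised', 'Count': 1, 'Type': 'Other', 'Teams': [2]}]

def search(text, alerts=ALERTS):   # Alert Ids matched by the filter text; column lookup ignores case, values do not
    flt = Filter(text); return [a['Alert Id'] for a in alerts if flt.run({k.lower(): v for k, v in a.items()})]
```

An unquoted column name containing a space (for example `Alert Id = 120`) fails to parse and raises ValueError, mirroring the quoting rule above.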
Using the event_handler field in Workflow Engine entry filters
You can use the event_handler field as part of an Entry Filter in the Workflow Engine. See Manage Workflows for more information on Workflow Engine workflows.
Valid values in Alert Workflows are:
Value | Description |
---|---|
Alert | Alert was created. |
AlertAction | A tool was run on the alert. |
AlertClose | Alert was closed. |
AlertUpdate | Alert was updated. |
ArchivedAlert | Alert was moved to the historic database. |
Valid values in Situation Workflows are:
Value | Description |
---|---|
ArchivedSig | Situation was moved to the historic database. |
Feedback | A user provided feedback on the Situation. |
NewThreadEntry | A new thread entry was added to the Situation. |
Sig | Situation was created. |
SigAction | A Situation event occurred. |
SigClose | Situation was closed. |
SigStatus | Situation's status was changed. |
SigUpdate | Situation was updated. |
ThreadEntry | A thread entry on the Situation has changed. |