Manual Chapter : Managing Log Filters

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0
Manual Chapter

Managing Log Filters

Create a new log filter

You can create new filters to better manage the events in your logs. The filters are based on a fixed set of query parameters, with an option to manually enter all available parameters into a query expression. For more details about the required syntax, see
Query expression syntax for log filters.
  1. From the log screen, click the filter icon at the top right of the screen ().
  2. Click
    Create
    .
    The New Filter configuration popup screen opens.
  3. Type a unique
    Filter Name
    .
  4. In the Query Parameters area, add the query information.
    Adding information to these fields automatically populates the
    Query Expression
    box. Refer to the Query expression syntax for log filters to view all query options.
  5. Once you have the custom filter the way you want it, click
    Save & Apply
    .
The new filter is added to the filter list. You can select this filter later to query the list according to the set parameters.

Query expression syntax for log filters

On the New Filter configuration popup screen, the Query Expression area for creating a new log filter requires specific syntax. To manually run query parameters, use the syntax requirements listed here.
General Syntax
  • Express elements of the filter query as key value pairs, separated by a colon, such as
    profile_name:"MyCurrentProfile"
    .
  • Use the following operators within a filter query.
    Operator
    Usage Example
    AND
    This:p1 AND bar:(A AND B AND "another value")
    AND NOT
    AND NOT qux:error
    OR
    name:"this is a name" OR bar:(A OR B OR C)
    OR NOT
    OR NOT qux:error
    *
    support_id:*123*
    . This operator can only be used for text fields.
  • Enclose values that have spaces within quotation marks, such as
    key:"two words"
    .
  • Query any field for more than one value by enclosing the values with parentheses, such as
    key:(a b "two words")
    . In this case, the default operator is OR.
  • Only pre-defined values are allowed for fields with a type of multi-value. These values are listed in the Query Parameters area, next to the relevant field.
  • In a policy name, you must include the full path to the policy, such as
    /Common/MyPolicy
    .
Dates
  • Values with a type of date can accept valid date formats, such as
    'Oct 30, 2017 00:00:00'
    .
  • Values of the date range type can accept input in the format of
    [min_date...max_date]
    , such as
    '[Oct 30, 2017 00:00:00...Oct 30, 2017 06:00:00]'
    . The date range might also contain only minimum without maximum, and the reverse, such as
    '[Oct 30, 2017 00:00:00...]'
    or
    '[...Oct 30, 2017 00:00:00]'
    .
Numeric Values
  • Values of the numeric range type can accept input in the format of
    [min...max]
    , such as
    '[1...100]'
    . The numeric range might also contain only minimum without maximum, and the reverse, such as
    '[1...]'
    or
    '[...100]'
    .