Advanced Text Processing


Comma Separated Values

You can separate multiple values with a comma to avoid creating multiple filters. Combine all the values the field should match with commas and make sure there is no space before or after the comma. For example:

 

Print,MrxSmb

 

All fields in the "Details" section and the "Filter Text" support this feature.

 

Negation Symbol

You can negate a value by prepending it with an exclamation mark. For example, to match all events except for those with the source of Print you could use the following:

 

!Print

 

Do not combine regular values (values without the negation character) and values with a negation character (e.g. "!Print,MrxSmb" is not supported). All fields in the "Details" section support this feature.

 

Wildcard Feature

 

When Wildcard Support is activated in the general options, the following filter fields support wildcards:

 

Filters

1.        Event Source
2.        Category
3.        Username
4.        Filter Text
5.        Computer

Service Monitoring

1.        Included/Excluded Service

Process Tracking

1.        Included/Excluded Process

 

The wildcards * and ? are currently supported.

*        matches zero or more occurrences of any character
?        matches one occurrence of any character

 

Note: Filter strings, whether containing wildcards or not, are not case sensitive.

 

Examples

 

Filter with wildcard               Matches string

ipx*                               IPXCP
                                   IPXRIP
                                   IPXRouterManager
                                   IPXSAP

*iptables*proto=??p*dpt=13*        syslog@netikus-router[kern.debug]:  kernel: IPTABLES INPUT: IN=ppp0 OUT= MAC= SRC=65.35.223.155 DST=65.41.63.146 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=54221 DF PROTO=TCP SPT=1429 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

VMnet*                             VMnetAdapter
                                   VMnetBridge
                                   VMnetDHCP
                                   VMnetuserif

*rip*                              IPRIP2
                                   IPXRIP

 

 

Important Notice when updating from versions prior to 2.20: A filter like "ipx" will only match a string like "IPXRouterManager" if wildcard support is not activated. If wildcard support is activated, you will need to include the asterisk: "ipx*".
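The three features above (comma-separated values, the "!" negation and the * / ? wildcards) can be exercised together with a small matcher. The following is an added example written for this page, not EventSentry's own filter code; it assumes that with wildcard support switched off a plain value matches anywhere in the string (the notice above says "ipx" matches "IPXRouterManager" in that mode), that with wildcard support on the pattern must cover the whole string, and that a filter whose values are all negated means "none of these". The sample strings are the ones from the table above; SYSLOG_LINE is the iptables line copied from it.

```python
import re

# Sample input taken from the examples table on this page (the iptables syslog line).
SYSLOG_LINE = ("syslog@netikus-router[kern.debug]:  kernel: IPTABLES INPUT: IN=ppp0 OUT= MAC= "
               "SRC=65.35.223.155 DST=65.41.63.146 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=54221 DF "
               "PROTO=TCP SPT=1429 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0")


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a filter using only * and ? into an anchored, case-insensitive regex.

    Only the two wildcards named on the page are special; every other character is
    escaped, so "[", "." or "=" in a filter are matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more occurrences of any character
        elif ch == "?":
            parts.append(".")       # exactly one occurrence of any character
        else:
            parts.append(re.escape(ch))
    # Anchored: with wildcard support on, "ipx" must describe the whole string.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def value_matches(value: str, text: str, wildcard_support: bool) -> bool:
    """Match a single (comma-separated) value against one field value.

    Assumption: with wildcard support off, a plain value matches anywhere in the
    string, which is how "ipx" can match "IPXRouterManager" in that mode.
    Filter strings are not case sensitive in either mode.
    """
    if wildcard_support:
        return wildcard_to_regex(value).match(text) is not None
    return value.lower() in text.lower()


def filter_matches(filter_text: str, text: str, wildcard_support: bool = True) -> bool:
    """Evaluate a whole filter string: comma-separated values, each optionally negated with "!"."""
    values = filter_text.split(",")          # no spaces around the comma, as the page requires
    negated = [v.startswith("!") for v in values]
    # The page states that mixing negated and plain values (e.g. "!Print,MrxSmb") is
    # not supported; reject it loudly instead of guessing what it means.
    if any(negated) and not all(negated):
        raise ValueError(f"mixed negated and plain values are not supported: {filter_text!r}")
    stripped = [v[1:] if n else v for v, n in zip(values, negated)]
    hit = any(value_matches(v, text, wildcard_support) for v in stripped)
    # Assumption: a filter made only of negated values matches when none of them match.
    return not hit if all(negated) else hit


if __name__ == "__main__":
    # Reproduce the examples table, plus one non-matching string per filter.
    samples = {
        "ipx*": ["IPXCP", "IPXRIP", "IPXRouterManager", "IPXSAP", "IPRIP2"],
        "*iptables*proto=??p*dpt=13*": [SYSLOG_LINE],
        "VMnet*": ["VMnetAdapter", "VMnetBridge", "VMnetDHCP", "VMnetuserif", "MrxSmb"],
        "*rip*": ["IPRIP2", "IPXRIP", "VMnetDHCP"],
    }
    for flt, strings in samples.items():
        for s in strings:
            print(f"{flt:30} {s[:40]:40} {filter_matches(flt, s)}")
    # The version-2.20 notice: "ipx" only matches "IPXRouterManager" without wildcard support.
    print("ipx / wildcards off:", filter_matches("ipx", "IPXRouterManager", wildcard_support=False))
    print("ipx / wildcards on: ", filter_matches("ipx", "IPXRouterManager", wildcard_support=True))
```

Running the script prints one line per filter/string pair with True or False, and the last two lines show the behaviour change described in the notice: "ipx" matches with wildcard support off and stops matching once it is on, where "ipx*" is needed.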