Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Filter Configuration Tables

Filter Configuration Tables

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 14, 2016

Views: 4 Votes: 0 Revisions: 4

The following table is for use with Filter Creation. It lists the possible filter combinations that you can create in the Conditions box for each type of field.

  • The Left field column lists each type of field you can drag into the Conditions box's left field.
  • The Right field column lists the corresponding field types that you can drag into the Conditions box's right field.
  • The Operators columns list the types of comparisons you can make between left and right fields.
 

Operators

 

Left field

exists

in

not
in

=

Not
equal

>

>=

<

<=

Right field

event

X

                 

event group

X                  

text event field

      X X        

text event field

        X X        

text event group field

        X X        

text constant

    X X            

directory service group

    X X            

subscription group

    X X            

connector profile

    X X            

user-defined group

time event field

          X X X X

time event field

            X X X X

time event group field

            X X X X

time constant

    X X            

time of day

number event field

      X X X X X X

number event field

        X X X X X X

number event field group

        X X X X X X

number constant

text event group field

      X X        

text event field

        X X        

text event group field

        X X        

text constant

    X X            

directory service group

    X X            

subscription group

    X X            

connector profile

    X X            

user-defined group

time event group field

          X X X X

time event field

            X X X X

time event group field

            X X X X

time constant

    X X            

time of day

number event group field

      X X X X X X

number event field

        X X X X X X

number event group field

        X X X X X X

number constant

text constant

  X X            

directory service group

    X X            

connector profile

    X X            

user-defined group

number constant

  X X            

directory service group

    X X            

connector profile

    X X            

user-defined group

time constant

  X X            

directory service group

    X X            

connector profile

    X X            

user-defined group

Compare values with operators

When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to event variable, an operator icon appears between them. The operator states how the event variable must compare with the other item to be subject to rule's or filter's conditions.

For example, an operator might state whether or not an event should be contained within or outside of an Time of Day Set; or it may state whether or not an event applies to a particular Connector Profile.

The operators that appear between two elements vary, depending on your selections. The form only allows comparisons that are logical for the elements you have selected. For more information on which operators are available for a particular field, see the following reference tables:

Each of these tables provides a matrix of valid operators for comparing an event variable to other elements.

Selecta new operator

  • Click an operator to cycle through the various operators that are acceptable for the current condition.
  • Ctrl+click an operator to show a list of operators you can choose from. Then click to select the operator you want to use.

Operator tips

The following tips apply to operators:

  • When comparing two numeric values, the full range of mathematical operator options is available.
  • An IP address is treated as a string (or text) value. Therefore, operators are limited to equal and not equal.
  • DateTime fields have a default value of > Time Now, which means, greater than the current date and time.

Table of operators

The following table describes each operator and how it should be interpreted when used as a filter condition.

Operator Meaning Description

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-Exists.png

Exists

Use these operators to specify if a particular event or Event Group exists. Read conditions with these operators as follows: "This [event/Event Group] must [exist/not exist]."

"Not exist" is only used in rules.

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-DoesNotExist.png

Not exist

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-ContainedIn.png

is in

Use these operators when comparing event fields with groups (such as Event Groups, User-Defined Groups, etc.). They determine the filter's behavior, based on whether or not the field is contained a specific Group.

Read conditions with these operators as follows:

  • This [event field] must be in this [Group].
  • This [event field] must not be in this [Group].

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-NotContainedIn.png

is not in

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-Equal.png

Equals

Read conditions with these operators as follows:

  • This [event variable] must equal this [list item*].
  • This [event variable] must not equal this [list item*].

Text comparisons (for IP addresses, host names, etc.) are limited to "equal" or "not equal" operators.

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-NotEqual.png

Does not equal

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-GreaterThan.png

Greater than

Read conditions with these operators as follows:

  • This [event variable] must be greater than this [list item*].
  • This [event variable] must be greater than or equal to this [list item*].
  • This [event variable] must be less than this [list item*].
  • This [event variable] must be less than or equal to this [list item*].

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-GreaterThanEqualTo.png

Greater than OR equal to

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-LessThan.png

Less than

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operators-LessThanEqualTo.png

Less than OR
equal to

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-And.png

AND

Conditions and groups of conditions are subject to AND and OR comparisons.

  • The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.
  • The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct events, you must use the OR symbol.

If you click an AND operator, it changes to an OR, and vice versa.

File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0F0/080/Operator-Or.png

OR

*A list item can be another event variable, such as an event field. For example, you may want to compare that an event's source is equal to a destination. In this case, you would compare two event fields, such as SourceMachine = DestinationMachine.

Examples of AND and OR conditions

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.

Example Description
If x AND y AND z occur, report the event. If all of the conditions apply, report the event.
If x OR y OR z occurs, report the event. If any of the conditions apply, report the event.
If (x AND y) OR z occurs, report the event.

If conditions x and y occur, or if condition z occurs, report the event.

If (a AND b) OR (x AND y) OR (z), occurs, report the event.

In this case, you would create three groups, two nested within the third:

  • The nested groups are configured as (a AND b) and
    (x AND y), joined with an OR.
  • The outer group is configured as (z), surrounding the nested groups with an OR.
"Condition1" AND
"Condition2 AND Condition3" OR
"Condition4 AND Condition5."
In this example, the filter reports the event when it meets the following conditions:
Condition1 and Condition2 and Condition3, or
Condition1 and Condition4 and Condition5.

Configure event filter notifications

In Filter Creation, the Notifications box lets you to define how the Console is to notify a user when the filter receives an event. Each notification option instructs the Console to announce the event in a particular way. You can have the filter display a pop-up message, display the event in bold text, play a warning sound, have the filter name blink, or configure a combination of these methods.

Selecting the notification method

  1. In the list pane, click the Notifications list.
  2. Drag one or more notification option from the Notifications list to the Notifications box.
  3. Configure each option, as described in the Notifications table, below.

Notifications table

The following table lists the various notification methods that can be employed to notify a user that a filter's event threshold has been met.

  • The Notification column lists each options that is available in the list pane's Notifications list. They are alphabetized for easy reference.
  • The Description column briefly states how each option behaves.
  • The Fields column explains the data fields that can be configured for each option.
Notification Description Fields

Display Popup Message

This option causes the filter to display the Popup Notification form when receiving an event.

This form states the name of the filter that is receiving the events, and that the filter's event threshold has been met.

From the form, the message recipient can choose to view the filter, to turn off the pop-up form for that filter, or to turn off the pop-up form for all filters.

Notify on x events received

Type the number of events the filter must receive before displaying the Popup Notification form.

Repeat on x events received

If you want the pop-up form to appear again after receiving repeated events, select the Repeat on check box.

Then in the events received box, type how many more events the filter should receive before issuing the pop-up form another time.

Display New Events As Unread

This option displays new events in the filter with bold text.

They remain bold until you acknowledge them by clicking them or by opening them in the Event Explorer.

Not applicable

Enable Blinking Filter Name

This option causes the filter name to blink in the Filters pane.

Color

Click the Color button to open the Blink Color form. Choose a color from one of the three color palettes. Then click OK. The filter name will blink in this color.

Time (ms)

Move the slider to select the amount of time between blinks, in milliseconds.

Notify on x events received

Type the number of events the filter must receive before the filter tab begins blinking.

Repeat on x events received

The filter tab stops blinking once you acknowledge it by selecting it. If you want the tab to begin blinking again after receiving repeated events, select the Repeat on check box. Then in the events received box, type how many more events the filter should receive before it starts blinking again.

Play Sound

This option causes the filter to play a sound upon receiving an event.

Sound/Browse

To select a sound, click the Browse button. Then use the Open form to locate and select the sound file that you want to use. Sound files must be of the .wav file type.

When you are done, the name of the file should appear in the Sound box. To test the sound, click the "play" button.

Notify on x events received

Type the number of events the filter must receive before displaying the sound.

Repeat on x events received

If you want the sound to play again after receiving repeated events, select the Repeat on check box.

Then in the events received box, type how many more events the filter should receive before the filter plays the sound another time.

 

Last modified
07:44, 14 Sep 2016

Tags

Classifications

Public