
Use a Constant in Filters, nDepth Searches, or Rules on the LEM Console

Created by Cory Farr, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how to use a Constant in Filters, nDepth Searches, or Rules on the LEM Console.

Environment

  • All LEM Versions
  • LEM Web (or Air) Console

Detail

Here is a listing of the Constant Value options and a short explanation of what they do:

  • Text = Textual Search (a-z/A-Z and 0-9 characters, including some special characters not used for search criteria)
  • Number = Numeric Search (0-9)
  • Time = Date/Time Search ([YYYY]-[MM]-[DD] [HH]:[MM]:[SS] [ms])
  • Text Value = Defines this as a text value search, but works the same as the Text search option
  • Boolean = True or False value

 

The Text constant is the default value option in most searches because it can search for any value type. However, you can specify the type of value being searched by selecting the type from the Constants tab and dragging or typing that option into the right-hand side of the search.


For example, to do a search using the Severity subfield from the Any Alert Event Group:

Constants: Text, Number, Time, Text Value, Boolean

 

Logical constants for this search would be Text, Number, or Text Value. The other constants would most likely not work properly because of the values available in the Severity field.

Likewise, if you search by InsertionTime or DetectionTime, you should be able to use the Time constant, and if the event field holds a True or False option, you should be able to use the Boolean constant. Otherwise these constants may not work as a value for the search and would not yield any results.

 

You can also search by the constant without having an Event or Event Group subfield used in the search. For example, you could do a search with just the text by dragging the text constant up to the search builder, or by using the " " in text input mode.

 

[Image: Search Builder]

[Image: Text Input Mode]


For the most part, the Text constants are used more than any other because they allow for the largest range of characters to be used in the search, but to define a Filter, nDepth Search, or Rule so that the conditions/correlations are more exact, it may be necessary to use the other constants.

 

Only the Text and Text Value constants can be dragged directly over to the Search Builder without having an available Event or Event Group subfield. When dragged over to the search builder they appear as follows:

 

Text: [Image: Text Search]

Text Value: [Image: Text Value Search]


The Text Search can be any textual value, barring some special characters that are used within the search operation. Asterisks, for example, act as wildcards in text fields: they stand for characters that are not included in the search text. *myhostname* in a textual search will find any variation of the hostname on any line, as long as the line includes the text between the asterisks.
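The constant-type and asterisk rules described above can be modelled in a few lines of Python. This is an added example, not SolarWinds code or LEM's matching engine; the function names, the case-sensitive comparison and the sample values are assumptions made for illustration.

```python
import re
from datetime import datetime

# Assumed rendering of the article's Time layout: [YYYY]-[MM]-[DD] [HH]:[MM]:[SS] [ms]
TIME_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: \d{1,3})?")


def _is_time(value):
    """True if value has the Time layout and names a real date and time."""
    m = TIME_RE.fullmatch(value)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")  # rejects month 13, hour 25, ...
        return True
    except ValueError:
        return False


def usable_constants(field_value):
    """Return the constant types that can meaningfully be compared with a field value."""
    value = field_value.strip()
    usable = ["Text", "Text Value"]      # text constants can search for any value type
    if re.fullmatch(r"\d+", value):
        usable.append("Number")          # 0-9 only
    if _is_time(value):
        usable.append("Time")
    if value.lower() in ("true", "false"):
        usable.append("Boolean")
    return usable


def wildcard_match(pattern, line):
    """Text search where '*' stands for any run of characters (case-sensitive here)."""
    parts = [re.escape(p) for p in pattern.split("*")]   # everything except '*' is literal
    return re.fullmatch(".*".join(parts), line, flags=re.DOTALL) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real LEM event.
    for sample in ("5", "2016-06-22 20:24:00 125", "True", "firewall01"):
        print(f"{sample!r:28} -> {usable_constants(sample)}")
    print(wildcard_match("*myhostname*", "login from myhostname.example.local"))
```

A numeric value such as a constructed Severity of 5 comes back with Text, Text Value and Number only, which is why a Time or Boolean constant against that field yields no results.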

 

 

Last modified
20:24, 22 Jun 2016
