Skip to main content

Filter Expression Examples

Now, let's try a few examples.

important

First, with Manage active in Stream's top navigation, Processing from the submenu and click Pipelines.

From the resulting Pipelines page, locate and click the right pane's Capture Data button. This will bring up the Capture Sample Data modal, which looks like this: Capture Window

Now, try each of the expressions below. For each example:

  1. Copy the expression reference in the example..
  2. Paste it into the modal's Filter Expression field, replacing any default or previous expression.
  3. Click the modal's Capture... button, and in the resulting drop-down, accept the defaults by clicking Start. The results will show up in the Capture Sample Data modal's right pane.
  4. Scroll through the results, to see how the results match up with the expression we specified.
  5. Repeat the above four steps for the next expression. There's no need to press the Cancel, Create... or Save... buttons (at the modal's bottom) between examples.

Simple Expressions

This example matches every event whose sourcetype field has a value of pan:traffic. This will capture all of the firewall events streaming through the system.

sourcetype==="pan:traffic"

This example will match any event coming through that does NOT have a sourcetype field. This will capture syslog data that is streaming through the system.

!sourcetype

Compound Expressions

This example matches every event that contains both a sourcetype field with the value pan:traffic AND a src_zone field with the value trusted. This will effectively limit the firewall events to just ones that originate in the "trusted" zone.

sourcetype==="pan:traffic" && src_zone==="trusted"

This example matches every event whose sourcetype field has the value pan:traffic, AND either its src_zone or dest_zone field has the value untrusted. This will yield traffic events which are going between the internal and external interfaces.

sourcetype==="pan:traffic" && (src_zone==="untrusted" || dest_zone==="untrusted")

This example matches every event that has the sourcetype field set to pan:traffic, but does NOT have a rule_name field. This example will only return a few records.

sourcetype==="pan:traffic" && !rule_name

Remember that you can use dot notation for nested data, like the GeoIP lookups in our firewall data. This example matches any pan:traffic firewall events that have a destination IP address that is in the U.S.:

sourcetype==='pan:traffic' && dest_geoip.country.iso_code === 'US'

Next, we're going to take a look at using built-in JavaScript methods and helper functions to provide more targeted filters...