filter search command

This command displays search results that match the specified filter function.

This topic contains the following information:

For a list of all search commands, see Search-commands.

Related topics

extract

extractkv-search-command

table-search-command

Getting-started-with-search

Syntax

filter <filter-function>

In the preceding syntax, <filter-function> can be one of the functions described in the following table:

Short examples

Example 1: Filter search results containing numeric values for the field ResponseCode.

... | filter isNumeric(ResponseCode)

Example 2: Filter search results that do not contain the field Thread.

... | filter fieldexists(Thread)

Example 3: Filter search results matching the field RequestType with the value GET in a case-insensitive way.

... | filter match(RequestType, "GET")

Example 4: Filter search results matching the field RequestType with the value GET in a case-sensitive way.

... | filter matchcase(RequestType, "GET")

Example 5: Filter search results to display the field RequestType with the value matching the regular expression "....".

... | filter regex(RequestType, "....")

Example 6: Filter search results for the field ResponseCode with a value greater than 400.

... | filter greaterThan(ResponseCode, "400")

Example 7: Filter search results for the field ResponseCode with a value less than 400.

... | filter lessThan(ResponseCode, "400")

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the filter command.

Sample data

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

Back to examples ↑

Sample indexed data

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

Back to examples ↑

isNumeric

In this example, you use the command to display search results containing numeric values for the field ResponseCode.

Command

... | filter isNumeric(ResponseCode)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

Back to examples ↑

fieldexists

In this example, you use the command to display search results containing the field invalidField.

If the specified field does not exist in the indexed data, no results are displayed.

Command

... | filter fieldexists(invalidField)

Output

No results found

Back to examples ↑

match

In this example, you use the command to display search results matching the field RequestType with the value GET.

Command

... | filter match(RequestType, "GET")

Output

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

Back to examples ↑

regex

In this example, you use the command to display search results if the value of the field RequestType matches the regular expression specified.

Command

... | filter regex(RequestType, "....")

Output

In the following output, only results in which the value of the field RequestType contains four characters are displayed according to the regular expression used in the command.

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST

Back to examples ↑

greaterThan

In this example, you use the command to display search results in which the value of the field ResponseCode is greater than the value 400.

Command

... | filter greaterThan(ResponseCode, "400")

Output

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 404 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

Back to examples ↑

lessThan

In this example, you use the command to display search results in which the value of the field ResponseCode is less than the value 400.

Command

... | filter lessThan(ResponseCode, "400")

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png
HTTP/1.1" 200 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 200

HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png
HTTP/1.1" 201 150

HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

Back to examples ↑

Notes

  • The product supports only Java regular expressions that are compatible with Java Runtime Environment (JRE) version 1.8.
  • The isNumeric function works only for numeric values stored as a string at the time of data-pattern creation.

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*