Skip to Content
Information
Limited support BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for Ops 7.1.

Filtering in and filtering out events

You can use the FILTER feature to limit the events forwarded by BMC AMI Datastream to your SIEM or MSSP by specifying logical event filter criteria. You might want to limit the events sent to your SIEM for a variety of reasons:

  • Because only certain events were relevant to their particular security and compliance needs.
  • To limit network bandwidth utilization
  • To accommodate a SIEM or MSSP solution that limited, or charged by, the number of megabytes received.

Reducing the number of events formatted and forwarded also reduces CPU utilization for BMC AMI Datastream.

Warning

Important

BMC AMI Datastream also implements an extensive ability to select or limit the specific types of events forwarded, independent of FILTER and MATCH. Customers might choose to format and forward, such as, TSO logons but not logoffs, RACF failures and warnings (or only certain RACF failures and warnings) but not successes, or Started Task ABENDs but not normal job completions.

The FILTER feature permits a much higher degree of selectivity by allowing a customer to specify event selection based on nearly any combination of comparison logic on many different event fields.

You should, wherever feasible, use facilities such as The Select Statement and the SEVERITY(SUPPRESS) operand of the EVENTsIFCIDs or SUBTypes parameter of SMF statements, because the overhead for these facilities is lower than for filtering, and because records suppressed in this fashion do not consume QUEUE (see Determining-the-QUEUE64-size).

Filter in and filter out?

Some users think of filter in the sense of filter out.

Information
Examples
  • They might say we do not want to format and forward File Integrity events if the data set name begins with TEMP. Other users think of filter in the sense of filter in or select.
  • They might say we want to forward only TSO logons for user IDs that begin with SYS.

Accordingly, the FILTER feature supports the specification of either FILTER (filter out) or MATCH (filter in, or select) criteria. The syntax of the two keywords is identical, but of course they have opposite meanings. 

Warning

Important

FILTER and MATCH are usually functionally equivalent in that, such as, FILTER out every event for job names that begin with DEV is logically exactly equivalent to MATCH and select only events for job names that do not begin with DEV. They are not equivalent, however, in the case of missing fields (see Missing Fields).

FILTER and MATCH are mutually exclusive on a per statement basis and might not both be specified on any single statement.

This section provides information about the following topics: 

Related topics

Using

FILTER-and-MATCH-parameters


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Datastream for Ops 6.2