Filtering event data
Article ID: 178671
Updated On:
Products
Issue/Introduction
Resolution
Filtering event data
You can filter event data in these ways:
Filter on an individual cell in the event details table.
You can filter on a cell that has data in it, and Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.
Use the advanced filter option to select multiple filtering conditions in one operation.
Filter based on unique column value. This filter creates a snapshot of the events that were returned for the query based on the column that you chose for the filter. For example, in the query results for an All Events query, if you right-click any value in the Product column and choose Filter on unique column value, Information Manager creates a condensed view of the results that shows which product names occur in that column. So, if you had 5000 events returned that only involved 3 products, filtering on unique column value in the Products column creates a snapshot that shows that those 3 products were the only products that are returned in the results.
An additional filtering method is a sort of hybrid of an advanced filter and filtering on a cel. It is called filtering manually on a cell, and it allows you to create a more complex query than the simple cell filtering method. But it presets the first filtering condition for you.
Right-click in the cell that you want use as the filter condition.
For example, if you want the table to display only level 3 events, right-click in a cell with severity level 3 in the Severity ID column.
Click Filter on cell. If you right-clicked in an empty cell, click Filter where cell is not empty.
If you clicked Filter on cell, a new table displays only events that have the same value as the cell where you clicked, for example, severity level 3. The table has a tab at the top that is labeled Untitled.
If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.
Do any of the following actions:
To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK.
If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option.
To delete the table, click the red X in the right corner above the table.
If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.
To filter manually on a table cell
Right-click in a cell that you want use as a filter condition.
For example, if you want the table to display only level 3 events, right-click in a cell with severity level 3 in the Severity ID column.
Click Manually filter on cell. If you right-clicked in an empty cell, click Manually filter where cell is not empty.
The Event Filter dialog box appears. One of the following happens:
If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.
If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition ≠ null.
To add more filter conditions, click the + icon (the plus symbol).
Click the first drop-down box, and then click an event field that you want to use as a filter.
Click the drop-down box to the right of the event field, and then click an operator, for example, the equals (=) symbol.
Click the drop-down box at the far right, and then click or type a value.
Do any of the following actions:
To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed.
The default operator is AND. To change it to OR, press Ctrl and click on the desired boxes, then click OR.
To remove a field, click on the row and then click the – icon (the minus sign).
To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.
When you finish creating the query, click OK.
A new table displays only events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
Do any of the following actions:
To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK.
If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell.
To delete the table, click the X in the right corner above the tab.
If no events meet the filter criteria, Information Manager displays a blank table. If there is a very large number of events that meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.
To filter with the advanced filter option
In the Event Filter dialog box, select the desired time range.
In the Filter criteria area, click the + icon (the plus symbol).
Click the first drop-down box, and then click an event field that you want to use as a filter.
Click the drop-down box to the right of the event field, and then click an operator, for example the equals (=) symbol.
Click the drop-down box at the far right, and then click or type a value.
Do any of the following actions:
To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed.
The default operator is AND. To change it to OR, press Ctrl and click on the desired boxes, then click OR.
To remove a field, click on the row and then click the – icon (the minus sign).
To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.
When you finish creating the query, click OK.
A new table displays only events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
Do any of the following actions:
To save the displayed view as a query, click the Save View icon above the table. Then type the query name and click OK.
If you are viewing event data from a local archive, you will not be able to save the view as a query. Saving a query works only when you are viewing event data from the live archive on the Information Manager appliance.
To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell.
To delete the table, click the red X in the right corner above the table.
If no events meet the filter criteria, Information Manager displays a blank table. If there is a very large number of events that meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.
To filter within the results of a query
In the Event Filter dialog box, select the desired time range.
In the Filter criteria area, on the Filter Within Results tab, create the filter criteria using the table provided.
To filter on unique column values
Feedback
