Apply filters to table data to isolate or exclude specified field values. Results are returned immediately and displayed in chronological order, and the timeline is updated to match the query.
- Select Filter from the query toolbar. The Operations Over Columns window appears with the Filter data option selected.
- Select the Operation type. Choose normal to include the filtered events, or select negated to exclude the filtered events.
- Click New Argument to add the argument (or arguments) you will use for the filter. You can also enter free text as a filter argument, which some operations require. For example, you might filter for URLs that contain the string bing.
If you select a cell in the data table and press ENTER, the Operations Over Columns window opens. The selected cell and the column it belongs to are automatically added as arguments.
Example: Filtering to remove null value events
A common use case for filtering is to remove events with null or 0 values. Here's an example:
- Go to Data search and run the following search: web.apache.acces-lt.
- Click to highlight the Coordinates column, then select Filter from the toolbar.
- Select is not null as the operation.
- Select Filter Data. The result contains all events where the coordinates field is not null.
Example: Filtering by IP type
Another use case is to identify the private or public IP sources. Here's an example:
- Go to Data search and run the following search: firewall.all.traffic.
- Click to highlight the SrcIp column, then select Filter from the table toolbar.
- Select Is Private IPv4 as the operation.
- Select Filter Data. The result contains all the private IP sources.
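To check an exported result offline, the following added example (not part of the product or its documentation) reproduces both filters above, including the normal and negated operation types, over constructed events. It assumes that Is Private IPv4 corresponds to the RFC 1918 ranges; `filter_events` and the event layout are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges. Assumption: the platform's "Is Private IPv4"
# operation matches these; confirm against the Filtering operations reference.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(value):
    """True only for a well-formed IPv4 address inside an RFC 1918 range."""
    if value is None:
        return False
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:  # malformed string or an IPv6 address
        return False
    return any(addr in net for net in RFC1918)


def is_not_null(value):
    return value is not None


def filter_events(events, column, operation, negated=False):
    """Hypothetical helper: keep events where operation(event[column]) holds
    (normal) or does not hold (negated). In this sketch a null value fails
    the check, so null rows show up in the negated result."""
    return [e for e in events if operation(e.get(column)) != negated]


# Constructed sample events (not real traffic).
EVENTS = [
    {"SrcIp": "10.1.2.3", "Coordinates": None},
    {"SrcIp": "172.31.255.254", "Coordinates": "40.4,-3.7"},
    {"SrcIp": "172.32.0.1", "Coordinates": "51.5,-0.1"},  # just outside 172.16/12
    {"SrcIp": "192.168.0.10", "Coordinates": None},
    {"SrcIp": "8.8.8.8", "Coordinates": "37.4,-122.1"},
    {"SrcIp": None, "Coordinates": None},
]

if __name__ == "__main__":
    for label, rows in (
        ("private", filter_events(EVENTS, "SrcIp", is_private_ipv4)),
        ("negated", filter_events(EVENTS, "SrcIp", is_private_ipv4, negated=True)),
        ("has coordinates", filter_events(EVENTS, "Coordinates", is_not_null)),
    ):
        print(label, [r["SrcIp"] for r in rows])
```
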
See Filtering operations for more information on the operations you can use when filtering the data.