Apply filters to table data to isolate or exclude specified field values. The results are returned immediately and displayed in chronological order; at the same time, the timeline is updated to match the query.
Using the Operations Over Columns window
You can use this window to specify the arguments needed for the operation by following the procedure below:
- Select the Filter icon in the query window toolbar. The Operations Over Columns window appears with the Filter option selected.
- Choose the required filter type in the Operation drop-down list.
- Select the arguments of the filter. Depending on the filter type selected, you will be prompted to select a set of specific arguments.
You can select columns or enter free text by clicking the pencil icon, if the operation requires it. For example, you might filter for URLs that contain the string bing. Then choose normal to include the filtered events, or negated to exclude them.
- Click Filter data when you're done. The data table then shows only the events that meet the conditions of the applied filter.
Case sensitivity selector
Some operations have a case-sensitive and a case-insensitive version, for example Contains - case insensitive (weakhas) and Contains (has, ->). Use the Case sensitivity buttons in the window to display only the sensitive or only the insensitive versions of these operations, or choose all to show both. Operations that do not have separate sensitive and insensitive versions are visible regardless of the option selected.
Using column header list of values
Select the arrow icon that appears when hovering over a column header to see the list of distinct values in that column, then click a value name. The Operations over columns window opens in the Filter tab with the Equal (eq, =) operation selected. The selected column and value are automatically added as arguments of the filter.
This filter option is not available for unnamed columns. These are columns added to the right of your table when you use a literal or an expression in your query. For example, in the code below the statement select responseTime*2 creates the unnamed column responseTime*2 at the right of the table, and the second query adds two unnamed columns from literals. You will not be able to filter these columns.
from siem.logtrust.web.activity select responseTime*2
from siem.logtrust.web.activity select 5 select "hello"
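The queries below are an added example, not part of the original page: they show, as hand-written LINQ, the where clauses that the case-sensitivity operations above and the Filter window produce, plus the alias that turns the unnamed responseTime*2 column into a named, filterable one. Each is a separate query; the url field, the constructed sample values, and the // comment syntax are assumptions.

```linq
// Contains - case insensitive (weakhas): matches "bing", "Bing", "BING"
from siem.logtrust.web.activity
  where weakhas(url, "bing")
  select url, responseTime

// Contains (has), negated: excludes rows whose url contains exactly "bing"
from siem.logtrust.web.activity
  where not has(url, "bing")
  select url, responseTime

// Equal (eq, =): what the cell-value shortcut builds from a selected cell
// (sample value constructed for the example)
from siem.logtrust.web.activity
  where eq(url, "https://www.bing.com/")
  select url, responseTime

// Unnamed column: cannot be filtered from the column header list
from siem.logtrust.web.activity
  select responseTime*2

// Same computation with an alias: the column is named and can be filtered
from siem.logtrust.web.activity
  select responseTime*2 as responseTimeDoubled
  where responseTimeDoubled > 1000
```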
Using cell value
Alternatively, you can use a cell's content as filtering criteria to quickly fill in all the arguments needed for the operation. If you place the cursor over a cell in the data table and press ENTER, the Operations over columns window opens in the Filter tab with the Equal (eq, =) operation selected. The arguments are automatically filled with the cell's column and value (Value → Column, Is equal to → Cell).
Using cell value to filter in a new tab
You can also use a cell's content as filtering criteria and show the result in a different browser tab. Right-click a cell and select Filter in another tab by (...); a new browser tab opens to display the result of this filter operation without losing the previous search.
These searches are independent, so modifying or closing one does not affect the other. This gives you more flexibility in your workflow: you can work with different variables and outcomes separately, and you can apply the filter operation with just two clicks.
Watch the following video for a demonstration of this feature.