This unit is a Processor unit.
This unit filters inbound events based on a true/false condition set in the unit properties.
An inbound event is received through the in port. Then, the event is evaluated against the unit's condition. If the result is true, the event is sent to the out output port. If the result is false, the event is sent to the discarded output port. If the evaluation produces an error, the event is sent to the error port.
After dragging this unit into the Flow canvas, double-click it to access its configuration options. The following table describes the configuration options of this unit:
| Tab | Field | Description |
|---|---|---|
| General | Name | Enter a name for the unit. It must start with a letter, and cannot contain spaces. Only letters, numbers, and underscores are allowed. |
| | Predicate | The condition you wish to evaluate. Open the expression editor to type an expression, stating the input fields and the condition you wish to apply to each. |

| Port | Description |
|---|---|
| in | All events enter through this port. |
| out | This port outputs only those events for which the unit's condition is "true". |
| discarded | This port outputs only those events for which the unit's condition is "false". |
| error | This port outputs events that generated an error when evaluated against the condition. Standard error fields (error, exception) are added to the output events. |
In this example, we want to send events related to a single user in our domain from the siem.logtrust.web.activity table to a new my.app table.
To do this, we will use a Devo source unit to get events from the siem.logtrust.web.activity table. Then, we will link it to a Filter unit that will only send events containing the email of the required user. Finally, we will link its out output port to a Devo sink unit to send the filtered events to the my.app table.
In the Filter unit settings, we add the following predicate, which discards events with a null value in the username column and keeps only the events related to a specific user's email:
username != null && username.equals("user_mail")
You can try this flow by downloading this JSON file and uploading it to your domain using the Import option.
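The routing described above can be modelled in a few lines. This is an added illustration, not Devo code or part of the downloadable flow: `route`, `equals`, `guarded`, `unguarded` and the sample events are hypothetical names and constructed data, and it assumes that calling a method on a null field counts as an evaluation error. It shows why the `username != null &&` guard sends null-username events to discarded instead of error.

```python
# Toy model of the Filter unit's three output ports; not Devo's implementation.

def equals(value, other):
    """Model value.equals(other); a call on null fails (assumption of this model)."""
    if value is None:
        raise TypeError("equals() called on null")
    return value == other

def guarded(event):
    # Mirrors the page's predicate: username != null && username.equals("user_mail")
    return event["username"] is not None and equals(event["username"], "user_mail")

def unguarded(event):
    # Same comparison with the null check left out
    return equals(event["username"], "user_mail")

def route(events, predicate):
    """Return the events grouped by the port they would leave through."""
    ports = {"out": [], "discarded": [], "error": []}
    for event in events:
        try:
            port = "out" if predicate(event) else "discarded"
            ports[port].append(event)
        except Exception as exc:
            # The page says error and exception fields are added to these events;
            # the values used here are placeholders chosen for this model.
            ports["error"].append(
                {**event, "error": str(exc), "exception": type(exc).__name__}
            )
    return ports

# Constructed sample events (not real siem.logtrust.web.activity rows)
SAMPLE_EVENTS = [
    {"username": "user_mail", "url": "/login"},
    {"username": "other_mail", "url": "/search"},
    {"username": None, "url": "/health"},
]

if __name__ == "__main__":
    for name, predicate in (("guarded", guarded), ("unguarded", unguarded)):
        result = route(SAMPLE_EVENTS, predicate)
        print(name, {port: len(evts) for port, evts in result.items()})
```

In a real flow, connecting the error port to a sink or alert keeps events that fail evaluation visible instead of leaving them unrouted.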