To access the Filters panel, click in the navigation panel on the left of the Sentinel Web interface. The Filters panel lists the default filters, filters you create, and the filters that other users have shared with you. The Filters panel includes the following:
- Find Filters: Allows you to search for a filter. Specify the filter name, the filter description, or keywords to find a matching filter.
- Create: Launches the Filter Builder, which allows you to specify the filter criteria.
- My Filters: Lists the default filters and the filters you created.
- Shared Filters: Lists the filters that other users have shared with you.
To view events based on filters, select the desired filter. The associated events are displayed in the search results panel.
The Filter Builder provides a list of parameters required to build search queries ranging from simple to complex. You can either select the parameters, or you can manually specify the search query.
For information on building search queries, see Section A.0, Search Query Syntax.
Figure 3-1 Filter Builder
The Filter Builder dialog box includes the following elements:
Table 3-1 Filter Builder Elements

| Element | Description |
|---|---|
| Query | The behavior of this field depends on the filter creation method you select: If you select , this field displays the query formed by the parameters you select. You cannot modify or specify the filter query. If you select , this field is enabled. You can manually specify the filter query. |
| Structured | Allows you to select the various parameters to build the filter query. |
| Free-form | Allows you to manually specify the filter criteria rather than selecting from the available parameters. The search query is based on the standard Lucene syntax with some Sentinel extensions. For information on creating a filter query (search query), see Section A.0, Search Query Syntax. If this option is selected, the following elements are not displayed: |
| Exclude system events | Select this option to exclude Sentinel internal events such as audit events and performance events from the search results. |
| Event fields | Displays a categorized list of possible event fields that can be added to the filter query. Each category can be expanded to display the set of fields in that category. If you know the name of the field you want, specify the name in the field. The event category list will adjust to present only matching fields. For more information on event fields, click located at the top right of the Sentinel Web interface. |
| Query fields | Lists a set of overlay queries that can be used on top of per-field searches. The following fields are displayed by default: |
| Field details | The fields in this section vary depending on the event or query fields you select. For example: |
| Condition: AND, OR | Allows you to specify the AND or OR condition between the query fields. These options are available when you add additional event fields to the query fields. |
| Cancel | Allows you to cancel the filter creation process. |
| Search | Runs a search to test the filter before saving it. |