Filter syntax enhancement 7.0.1

Copy Link
Copy Doc ID 6dd8af04-513d-11eb-b9ad-00505692583a:201745
Download PDF


The enhanced log filter syntax can be applied in Log View or in event handlers and generates a consistent result in both.

To use the enhanced log filter syntax:
  1. Before this enhancement, event handlers and Log View used different filter syntax in the generic text filter.
    For example, filtering "attack not equal to botnet" and "logid equal to 0000000013" in Log View would use the following syntax: (-attack=*botnet* and logid=0000000013). See the example below.

    To filter the same content for event handlers, the generic text filter would use the following syntax: (attack!~botnet and logid==0000000013). See the example below.
    Some filter syntax worked in Log View but not in event handlers. For example, filters such as filter<value, filter>value and -filter=value may work in Log View but not in event handlers.
  2. After this enhancement, FortiAnalyzer provides a unified syntax for Log View and event handlers, so the same filter syntax can be used in both. Additionally, new filter syntax support has been added for both Log View and event handlers.
    Below is a comparison of the supported filter syntax before and after this enhancement, including the new filter syntax:

    f: filter, v: value, n: number, flt: a complete filter expression

    The comparison has eight support columns, grouped as Before Enhancement (logview, logview - fabric, logbrowse, event-handler) and After Enhancement (logview, logview - fabric, logbrowse, event-handler), plus a notes column. Each row below lists the filter, a sample, the X marks given for that row, and any note.

    Filter                    Sample                            X marks     Note
    f=v                       user=test
    f!=v                      user!=test                        X
    not f=v                   not user=test                     X
    f='', f="", f="''"        user='', user="", user="''"
    f!='', f!="", f!="''"     user!='', user!="", user!="''"    X
    f isnull                  user isnull                       X X X X
    f isnotnull               user isnotnull                    X X X X
    f like 'v%'               user like 'test%'                 X X X X
    f like '__v%'             user like '__st%'                 X X X X
    f="v*"                    user="test*"
    f!="v*"                   user!="test*"                     X
    flt and flt               user=test and service=http
    flt && flt                user=test && service=http
    flt or flt                user=test or service=http
    flt || flt                user=test || service=http         X
    -f=v                      -user="test"                      X
    f~v                       user~"test"                       X X
    f!~v                      user!~"test"                      X X
    f~"v*"                    user~"test*"                      X X
    f!~"v*"                   user!~"test*"                     X X
    f~"v.*"                   user~"test.*"                     X X         Does not work for String
    f!~"v.*"                  user!~"test.*"                    X X         Does not work for String
    f>n, f<n                  countips>1, countips<1
    f<=n, f>=n                countips<=1, countips>=1          X
    f<>v, f<>n                user<>"test", countips<>1         X X
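As an added example (not FortiAnalyzer code), the following Python evaluator applies the page's two pre-enhancement filter strings, the Log View form and the event handler form, plus the unified forms from the table, to the same constructed log records and returns the same matches for each. The operator semantics ('*' as a wildcard, '~' as "contains", 'and' binding tighter than 'or', one outer pair of parentheses) and the sample records are assumptions made for the example, not the product's documented behaviour.

```python
import operator
import re

# Constructed sample log records (not from the page); None stands for an absent field.
LOGS = [
    {"logid": "0000000013", "attack": "Botnet.Command", "user": "test", "countips": 3},
    {"logid": "0000000013", "attack": "SQL.Injection", "user": "test2", "countips": 1},
    {"logid": "0000000020", "attack": "Botnet.Command", "user": "", "countips": 0},
    {"logid": "0000000013", "attack": None, "user": "admin", "countips": 5},
]
# 'field op value' with optional '-' / 'not ' negation; operator set taken from the page's table.
ATOM = re.compile(r"^(-|not\s+)?(\w+)\s*(isnotnull|isnull|like|[!=<>~]+)?\s*(.*)$", re.I)
NUM = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le, "<>": operator.ne}

def _wild(pattern, text):
    """Case-insensitive whole-value match where '*' matches any run of characters (assumed)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), text, re.I) is not None

def eval_atom(atom, rec):
    """Evaluate one comparison against a single record (operator semantics are assumptions)."""
    neg, field, op, val = ATOM.match(atom.strip()).groups()
    op, val, cur = (op or "=").lower(), val.strip().strip("'\""), rec.get(field)
    if op == "isnull":
        hit = cur is None
    elif op == "isnotnull":
        hit = cur is not None
    elif op in NUM and val.lstrip("-").isdigit():      # numeric comparison, e.g. countips>1
        hit = cur is not None and NUM[op](float(cur), float(val))
    else:
        text = "" if cur is None else str(cur)
        if op == "like":                               # SQL LIKE: '%' any run, '_' one character
            pat = ".*".join(".".join(map(re.escape, s.split("_"))) for s in val.split("%"))
            hit = re.fullmatch(pat, text, re.I) is not None
        elif op in ("~", "!~"):                        # '~' reads as 'contains'; '*' stays a wildcard
            hit = _wild("*" + val + "*", text)
        else:                                          # =, ==, !=, <> on strings: whole-value match
            hit = _wild(val, text)
        if op in ("!=", "!~", "<>"):
            hit = not hit
    return not hit if neg else hit

def matches(expr, rec):
    """'and'/'&&' binds tighter than 'or'/'||'; one outer pair of parentheses is allowed (assumed)."""
    expr = expr.strip().strip("()")
    return any(all(eval_atom(a, rec) for a in re.split(r"\s+(?:and|&&)\s+", clause, flags=re.I))
               for clause in re.split(r"\s+(?:or|\|\|)\s+", expr, flags=re.I))

def apply_filter(expr, logs=LOGS):
    """Return the indexes of the records that satisfy the filter expression."""
    return [i for i, rec in enumerate(logs) if matches(expr, rec)]
```

Running the old Log View string, the old event handler string and the unified `attack!=*botnet* and logid=0000000013` through `apply_filter` selects the same records, which is the consistency the enhancement is meant to guarantee.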