Filter logs

You can search in logs for the relevant information while building queries with the Filter command. Filtering allows you to reduce the number of records in a list by keeping only the records that match the specified condition.

See below for filtering options.

Filter by fields or sequences

You can filter by the partial or full value of a field, or by a sequence of fields.

In the query results table, select a partial or full value of a field, or a sequence of fields.
Right-click and select Filter for or Filter out.

If you select a sequence, only the distinct values will be filtered for or filtered out.

To select a sequence of fields, press shift while selecting the fields.

Example: Filter by trace ID value

You can filter by the trace ID value in the content field of the query results.

filter by trace id value

Filter by evidence

You can use stored evidence to search for particular elements in the logs and for later reporting, to have an overview of the evidence found.

There are two ways, from the Evidence collection section or from the query results header menu.

In the evidence collection

In the Evidence collection section, select Filter for Filter for or Filter out Filter out to filter the query by one or multiple strings or IPs in your evidence list. This adds the filter or filter out command to the query input.

Only fields that correspond to the data type are displayed. For example, for IP address evidence lists, only fields with the IPADDR data type are displayed.

filter from evidence collection

In the query results

In the query results header menu, select a header (for example, content), then select Filter for Filter for or Filter out Filter out to filter the query by preset or custom evidence lists. This adds the filter or filter out command to the query input.

Only evidence lists that correspond to the fields data type are displayed. For example, when you want to filter a column with an IPADDR data type, only the IP address evidence lists are displayed.

filter by evidence from the result table header

Filter by numerical operators

You can filter by numerical operators such as Less than, Less than or equal, Equal, Greater than or equal, Greater than.

In the query results table, select a field.
Right-click and select one of the operators.

filter by operators

Free-form filter

You can manually define the filter condition for one or multiple fields simultaneously and perform filtering on the data loaded to the results table.

When you define a free-form filter, a notification bar with the set filters is displayed.
Select to view the filters.

To apply all these in-place filters to a DQL query, select one of the options available (Add all to query or add individual items).

add to query button

Filter by timestamp

You can filter logs by timestamp. To save a filter and reuse it across the whole investigation, you can add the desired timestamp values to your custom timeframes. For details, see Define timeframes.

In the query results table, select the desired field values.
Right-click and select one of the operators.

Possible filter options are:

Equal to: Finds the timestamps that are equal to the selected value.
- Example:
```
| filter timestamp == toTimestamp("2024-01-04T18:45:11.918Z")
```
Earlier than: Finds the timestamps that are earlier than the selected value.
- Example:
```
| filter timestamp < toTimestamp("2024-01-04T18:45:11.918Z")
```
Later than: Finds the timestamps that are later than the selected value.
- Example:
```
| filter timestamp > toTimestamp("2024-01-04T18:45:11.918Z")
```
Filter by range, Filter out by range: Finds the min() and max() timestamp from the selected values and creates a filter.
- Example:
```
| filter timestamp >= toTimestamp("{_}MIN_TIME{_}") and timestamp <= toTimestamp("{_}MAX_TIME{_}")
```

Filter by values, Filter out by values: Adds the selected timestamps to the filter.

Example:

| filter in(timestamp, {toTimestamp("2024-01-04T19:01:49.419Z"), toTimestamp("2024-01-04T19:02:11.449Z")})