Filtering queries for log data
Adding a filter to a query narrows down the records that the fetch command returns.
The easiest way to build a filter is to reference an existing filter element by its URI.
Example:
{
  "format": {"type": "raw"},
  "fetch": {"quantity": 1},
  "query": {
    "filter": {
      "type": "expression",
      "href": "http://127.0.0.1:8082/7.2.1/elements/filter_expression/82"
    }
  }
}
You can also build a filter without using an existing filter element.
For example, this query fetches all log entries in which the 'Action' field (14) is set to 'Allow' (1) or 'Permit' (11):
{
  "query": {
    "filter": {
      "type": "in",
      "left": {"type": "field", "id": 14},
      "right": [
        {"type": "constant", "value": 1},
        {"type": "constant", "value": 11}
      ]
    }
  },
  "fetch": {}
}
This query fetches the first 100 log entries in which the 'Originator' field (4) equals the IP address '127.0.6.44':
{
  "format": {"type": "string"},
  "query": {
    "type": "current",
    "filter": {
      "type": "in",
      "left": {"type": "field", "id": 4},
      "right": [{"type": "ip", "value": "127.0.6.44"}]
    }
  },
  "fetch": {"quantity": 100}
}
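The three request bodies above, rebuilt programmatically in Python so the filter structure is assembled from typed values rather than hand-written JSON text. This is an added example, not part of the product documentation or its client library. It assumes only the filter shapes the page shows: an 'expression' filter referencing a filter element by href, and an 'in' filter with a 'field' on the left and a list of 'constant' or 'ip' values on the right. The helper names (expression_filter, in_filter, build_query and so on) are invented for this example; the href, field ids and values are the ones from the page.

```python
"""Builders for the log-query filter JSON documented above.

Added example, not the product's own client code. It assumes only the
filter shapes the page shows: 'expression' (href to a filter element) and
'in' (a 'field' on the left, 'constant' or 'ip' values on the right).
"""
import ipaddress
import json


def expression_filter(href):
    """Filter that references an existing filter_expression element by URI."""
    return {"type": "expression", "href": href}


def field(field_id):
    """Left-hand side of an 'in' filter: a log field referenced by its id."""
    return {"type": "field", "id": field_id}


def constant(value):
    """Right-hand value: a constant such as an 'Action' code."""
    return {"type": "constant", "value": value}


def ip(value):
    """Right-hand value: an IP address literal.

    The literal is validated here so that a malformed address fails in the
    client, before the request is sent, instead of as an opaque server error.
    """
    ipaddress.ip_address(value)  # raises ValueError on a bad literal
    return {"type": "ip", "value": value}


def in_filter(field_id, values):
    """Filter matching records whose field equals any of the listed values."""
    if not values:
        raise ValueError("an 'in' filter needs at least one right-hand value")
    for v in values:
        if v.get("type") not in ("constant", "ip"):
            raise ValueError("right-hand values must be 'constant' or 'ip'")
    return {"type": "in", "left": field(field_id), "right": list(values)}


def build_query(filter_, fetch=None, fmt=None, query_type=None):
    """Assemble the request body: optional 'format', 'query', and 'fetch'."""
    body = {}
    if fmt is not None:
        body["format"] = {"type": fmt}
    query = {}
    if query_type is not None:
        query["type"] = query_type
    query["filter"] = filter_
    body["query"] = query
    body["fetch"] = fetch if fetch is not None else {}
    return body


def to_json(body):
    """Compact serialization, matching the one-line style of the page."""
    return json.dumps(body, separators=(",", ":"))


# The three request bodies from the page, rebuilt with the helpers.
# (href, field ids and values are taken from the page as-is.)
BY_ELEMENT = build_query(
    expression_filter("http://127.0.0.1:8082/7.2.1/elements/filter_expression/82"),
    fetch={"quantity": 1},
    fmt="raw",
)

# 'Action' field (14) is 'Allow' (1) or 'Permit' (11)
ACTION_ALLOW_OR_PERMIT = build_query(
    in_filter(14, [constant(1), constant(11)]),
)

# 'Originator' field (4) equals 127.0.6.44, first 100 entries as strings
ORIGINATOR_IS_HOST = build_query(
    in_filter(4, [ip("127.0.6.44")]),
    fetch={"quantity": 100},
    fmt="string",
    query_type="current",
)


if __name__ == "__main__":
    for name, body in (("by element", BY_ELEMENT),
                       ("action", ACTION_ALLOW_OR_PERMIT),
                       ("originator", ORIGINATOR_IS_HOST)):
        print(name, to_json(body))
```

Building the body from helpers keeps a value that comes from a user (an address typed into a search form, for example) inside a JSON value node, where a JSON encoder escapes it, instead of splicing it into query text by string concatenation; the ip() check additionally rejects anything that is not a syntactically valid address before it reaches the server.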