Values for filters

Filters are constructed through a prefixed logical sequence. The following value types can be used in these filters.

Filter Values
"field"

Matches a log field.

  • "id" — references the field by its integer ID.

    Example:

    {"type":"field", "id":14}

  • "name" — references the field by its string name.

    Example:

    {"type":"field", "name":"Action"}

"element"

Matches a specific element using its URI.

"href" specifies the URI for the element.

Example:

{"type":"element", "href":"elements/host/42"}

"constant"

Matches a constant value for a given field.

"value" specifies the numeric value for the constant.

Example:

{"type": "constant", "value":1}

"service"

Matches a service.

"value" specifies the service using one of the following formats depending on the protocol:

  • TCP/Port
  • UDP/Port
  • ICMP/Type/Code (the /Code part is optional)
  • ETH/FrameTypeID/ParamValue

You can optionally include one or more parameter values depending on the Ethernet FrameType:

FrameType ID | FrameType Name | Parameter Values
0 | Ethernet 2 (DIX) | MAC Type
1 | Raw IPX (Novell) | N/A
2 | LLC | SSAP, DSAP
3 | SNAP | Vendor, Type

Example:

{"type":"service","value":"TCP/80"}

For more information about Ethernet services, see the Forcepoint Next Generation Firewall Product Guide.

"ip"

Matches an IP address.

"value" specifies the IP address as a string.

Example:

{"type":"ip", "value":"127.0.0.1"}

"number"

Matches the specified numeric value.

"value" specifies the numeric value.

Example:

{"type":"number", "value":42}

"string"

Matches the specified string.

"value" specifies the string.

Example:

{"type":"string", "value":"mystring"}

"translated"

Uses the internal SMC filter format.

"value" specifies a string in the internal SMC filter format.

Example:

{"type":"translated", "value":"$Number == 42"}
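
The value shapes listed above can be checked on the client before a filter is submitted, so that a malformed value is caught locally. The following Python validator is an added example, not Forcepoint code. Its function names, the numeric ranges (ports 0-65535, ICMP type and code 0-255) and the "/"-separated Ethernet parameter values are assumptions.

```python
import ipaddress

# FrameType ID -> number of parameter values, from the table on this page.
ETH_MAX_PARAMS = {0: 1, 1: 0, 2: 2, 3: 2}

def _num(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def _text(v):
    return isinstance(v, str) and v != ""

def _ip(v):
    if not isinstance(v, str):  # ip_address() would also accept bare ints
        return False
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False

def _service(v):
    if not isinstance(v, str):
        return False
    proto, *parts = v.split("/")
    if not parts or not (parts[0].isascii() and parts[0].isdigit()):
        return False
    if proto == "ETH":
        # Assumption: several parameter values are "/"-separated. Their
        # content is not checked because the page does not define it.
        return len(parts) - 1 <= ETH_MAX_PARAMS.get(int(parts[0]), -1)
    if not all(p.isascii() and p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    if proto in ("TCP", "UDP"):
        return len(nums) == 1 and nums[0] <= 65535
    return proto == "ICMP" and len(nums) <= 2 and max(nums) <= 255  # /Code optional

# type -> (required key, predicate); "field" has two alternative keys.
RULES = {"element": ("href", _text), "constant": ("value", _num),
         "service": ("value", _service), "ip": ("value", _ip),
         "number": ("value", _num), "translated": ("value", _text),
         "string": ("value", lambda v: isinstance(v, str))}

def validate_value(obj):
    """Return None if obj is a well-formed filter value, else a reason string."""
    kind = obj.get("type") if isinstance(obj, dict) else None
    if kind == "field":
        ok = (_num(obj.get("id")) and isinstance(obj["id"], int)) or _text(obj.get("name"))
        return None if ok else 'field needs an integer "id" or a string "name"'
    if kind not in RULES:
        return f"unknown value type: {kind!r}"
    key, pred = RULES[kind]
    return None if pred(obj.get(key)) else f'{kind}: bad or missing "{key}"'
```
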