Filters in Unified Events

The unified events table initially displays multiple types of firewall events from the past hour. You can filter the default view of unified events for a more granular contextual picture of activity on your network. Filters support exclusion as well as inclusion filter criteria.

Filters give you quick access to critical information. For example, if you are a firewall administrator and you want to allow or deny some users access to a specific application, you can set user search criteria to scan through the firewall logs. The event viewer displays the event logs that match the search criteria.

Procedure


Step 1

Choose Analysis > Unified Events.

Step 2

Enter the filter criteria:

  • To manually enter the filter criteria, type the exact criteria in the search text field, or select the criteria from the drop-down list. Then, provide the filter criteria value. While typing in the values, you are prompted with suggestions in the drop-down list whenever possible.

  • Click the dots in a cell for an event in the table and choose an option to include or exclude that value from your filter criteria.

    Tip
    • Use Ctrl+click (Windows) or Command-click (Mac) to quickly add an inclusion filter criterion.

    • Use Alt+click (Windows) or Option-click (Mac) to quickly add an exclusion filter criterion.

  • Include operators (such as <, >, !, and so on) in the value field, preceding the value. For example, enter !Allow in the Action field to find all events with an action other than Allow.

Step 3

Perform the search.

Tip

You can press Ctrl+Enter (Windows) or Command-Enter (Mac) to initiate a search.

Events in the unified events table are not aggregated, even when the displayed columns all hold identical values. Every event matching your filter criteria is listed individually.


What to do next

To save a custom filter, see the Save a Search in Unified Events topic.