Filters in unified events

The Unified Events table displays firewall events from the past hour. Use these steps to filter and narrow the view for more granular analysis of your network traffic.

Filters help you quickly access critical information. For example, if you want to monitor application access for specific users, you can apply search criteria to isolate relevant firewall logs. The event viewer displays only the entries that match your criteria.

You can use both inclusion and exclusion criteria to refine your search results effectively.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Enter the filter criteria:

  • To manually enter the filter criteria:

    1. Enter filter criteria in the search field, or select a filter from the drop-down list.

    2. Enter the value for the selected filter criteria. Suggestions will appear in the drop-down list as you type.

  • To pick the filter criteria from the table, click the dots in a cell and choose an option to include or exclude that value from your filter criteria.

    Tip
    • Use Ctrl+click (Windows) or Command-click (Mac) to quickly add an inclusion filter criterion.

    • Use Alt+click (Windows) or Option-click (Mac) to quickly add an exclusion filter criterion.

  • Include operators (such as <, >, !) in the value field, preceding the value. For example, enter !Allow in the Action field to find all events with an action other than Allow.

Step 3

Perform the search.

Tip

You can press Ctrl+Enter (Windows) or Command-Enter (Mac) to initiate a search.

Events in the unified events table are not aggregated, even when the displayed columns all hold identical values. Every event matching your filter criteria is listed individually.


The unified events table displays filtered results based on your criteria, showing only the events that match your inclusion and exclusion filters for more targeted analysis.

What to do next

To save a custom filter, see the Save a search in unified events topic.