Chapter 10. Filtering

Table of Contents

10.1. Basic use of filters
10.2. Advanced use of filters
10.3. Terms available for use in filters

sFlowTrend-Pro allows the information displayed in a Top N network traffic or service chart (but not a counters chart) to be filtered. This allows you to focus on a subset of the data that may be of interest. For example, if you only wanted to look at web traffic, you could set a filter for only TCP port 80 traffic.

10.1. Basic use of filters

The filter is activated by clicking on the filter button (if you are currently viewing a counters chart, then the filter button is disabled). If the filter is active, then the button is shown without a red line, , and the filter bar is displayed. If it is inactive, the button is drawn with a red line thought it, and the filter bar removed. The current filter can be activated and deactivated by repeatedly clicking the button. This does not remove the text of the filter in place, so you can quickly see the effect of filtering and not filtering your data.

Filters are created by entering the filter into the filter bar. The filter can be specified just by typing the appropriate expressions into the filter bar, or to make it easier you can use the filter builder.

To bring up the filter builder, click the Edit button at the right-hand end of the filter bar. The filter builder bar will appear below the filter bar.

In the filter builder, you can select the term that you want to filter on, a relational operator (eg "==" for equality), and a value. For example, to filter on web traffic, you would select tcpServerPort for the filter term, the equality operator, and enter 80 for the value. Then, clicking on the Add button adds this expression to the filter.

You can combine many different expressions together, using logical operators (|| for or, && for and). For each expression you want to add to the filter, click the && or || button as appropriate (you can also use parenthesis to ensure the correct order of evaluation), then select the expression you want and click Add.

[Note] Note

How you type the value to compare against depends on what type of term you are comparing. For entries such as TCP ports, which are integers, just type the number. For MAC or IP addresses, the value must be surrounded by quotes: for example, ipServer == "". Addresses and ports must be entered in their numeric form. It is not possible currently to use a DNS name in the filter.

When the filter is complete, apply it by clicking the OK button at the right of the filter bar. The chart will be redrawn, using only data that matches the filter. The current filter is displayed at the top of the chart, to remind you how the data was filtered. If there was an error in the filter, then instead of the chart an error message will be displayed. Sometimes, it can be difficult to understand the error messages. Common errors are omitting quotes around an address, or using && or || without matching expressions.

When using the filter builder, you will notice that as the filter is constructed, it is entered into the filter bar. It is also possible to directly type into the filter bar. See Section 10.2, “Advanced use of filters” for more information on the format of filters. For a list of the available items to filter on, and their meanings, see Section 10.3, “Terms available for use in filters”.