Use this field to filter all incoming flows as they are processed by the flow
collector. Flows not matching the filter are discarded and not maintained in
memory on the server. If you add a filter here, the current flows stored in the
cache are trimmed to only matching flows.
Use this option if you want to use flow collection to look for specific results,
and unrelated flows do not need to be processed. For example, only
processing flows pertaining to a particular subnet.
Enter search criteria to filter table. One or more filters may be entered, separated by semi-colons. For each filter, individual components of that filter are comma separated. Specific flow components must be specified with a key. Keys are not case sensitive.
Supported keys: CLIENT, SERVER, SERVERPORT, PROTO, SENSOR, IF, INIF, OUTIF, APP, APPGROUP, META, LOCATION, DEVFAMILY, USER, PROFILE
Note: CLIENT/SERVER may be an IP (CIDR mask supported) or host, and may contain a port (X.X.X.X:P)
Supported modifiers: duration, size, packets, bps, with a comparator of: >, >=, =, <, or <=
Supported keywords: Include/Exclude (Include is implied)
Fuzzy filters and partial hostnames are supported, i.e. "Doe" will return flows with hostnames "JonDoe", "JillDoe", etc.
Additionally flow metadata can be searched by using a colon as the key-value delimiter.
Everything is case insensitive.
A fuzzy filter is a string without a keyword. It can partially match any value in any column. E.g. "Google" would match source or destination host name "www.google.com", or application names "Google Mail" or "Google News".
Examples (single filter):
1) "client=JonDoe, server=10.20.77.33, snmp" –> SNMP Flows from host JonDoe to 10.20.77.33
2) "JonDoe, SENSOR=10.20.77.33, snmp" –> SNMP Flows from netflow sensor 10.20.77.33 To/From JonDoe
3) "SERVERPORT=161, duration>1000, exclude" –> All flows EXCEPT SNMP(161) flows that lasted more than 1 second
4) "snmp" –> All snmp traffic
5) "10.20.77.33:161" –> flows where server/serverport = 10.20.77.33:161
6) "JonDoe:161" –> snmp flows to or from JonDoe
7) app=DNS –> All flows identified as belonging to the application "DNS"
8) app=89 –> All flows identified as belonging to the application whose ID is 89
9) appgroup=Social Networking –> All flows identified as belonging to the application group "Social Networking"
10) user=none,exclude –> All flows with an identified user
11) inif=11002 –> All flows where input interface = 11002
12) meta=snmp –> All flows with metadata containing the text SNMP
13) meta=Content-Type:application/json –> All flows whose Content-Type metadata is application/json
Example (multi filter):
1) "SERVERPORT=161, duration>1000, exclude; CLIENT=JonDoe; CLIENT=JillDoe" –> All flows from JonDoe and JillDoe except SNMP flows lasting more than 1 sec
If the filter fails to find a match, no data is displayed.
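The filter grammar above (semicolon-separated filters, comma-separated components, keys, modifiers with comparators, include/exclude, fuzzy host:port and metadata key:value searches) is small enough to model end to end. The following is an added, stand-alone example written for this page; it is not the flow collector's own code. It runs the documented example filters over a handful of constructed flow records. Everything about the record layout is assumed (field names such as client_ip, clientport and appid, durations in milliseconds so that duration>1000 means "more than 1 second"), as is the rule for combining several filters: a flow is dropped if any exclude filter matches it in full, and otherwise kept if any include filter matches it (or if no include filter was given). Treating user=none as "no identified user" is likewise an assumption taken from example 10.

```python
import ipaddress
import re

# Keys and modifiers exactly as the help text lists them.
KEYS = {"client", "server", "serverport", "proto", "sensor", "if", "inif", "outif",
        "app", "appgroup", "meta", "location", "devfamily", "user", "profile"}
MODIFIER = re.compile(r"^(duration|size|packets|bps)\s*(>=|<=|>|<|=)\s*(\d+)$", re.I)
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

# Constructed sample flows (not real captures). Duration is in milliseconds so that
# "duration>1000" means "more than 1 second"; field names (appid, clientport, ...) are assumed.
FLOWS = [
    {"client": "JonDoe", "client_ip": "10.20.1.5", "clientport": 51001, "server": "10.20.77.33",
     "server_ip": "10.20.77.33", "serverport": 161, "proto": "UDP", "sensor": "10.20.77.33", "inif": 11002,
     "outif": 11003, "app": "SNMP", "appid": 12, "appgroup": "Network Management", "user": "jdoe",
     "duration": 2500, "size": 4096, "packets": 12, "bps": 13107, "meta": {}},
    {"client": "JillDoe", "client_ip": "10.20.1.9", "clientport": 52010, "server": "www.google.com",
     "server_ip": "203.0.113.10", "serverport": 443, "proto": "TCP", "sensor": "10.20.77.33", "inif": 11004,
     "outif": 11001, "app": "Google Mail", "appid": 89, "appgroup": "Email", "user": "jill",
     "duration": 800, "size": 90000, "packets": 140, "bps": 900000, "meta": {"Content-Type": "application/json"}},
    {"client": "printer7", "client_ip": "10.20.1.40", "clientport": 60222, "server": "10.20.77.33",
     "server_ip": "10.20.77.33", "serverport": 161, "proto": "UDP", "sensor": "10.20.77.34", "inif": 11004,
     "outif": 11003, "app": "SNMP", "appid": 12, "appgroup": "Network Management", "user": "",
     "duration": 300, "size": 512, "packets": 2, "bps": 13653, "meta": {}},
    {"client": "JonDoe", "client_ip": "10.20.1.5", "clientport": 51500, "server": "dns1",
     "server_ip": "10.20.0.2", "serverport": 53, "proto": "UDP", "sensor": "10.20.77.33", "inif": 11002,
     "outif": 11001, "app": "DNS", "appid": 5, "appgroup": "Network Services", "user": "jdoe",
     "duration": 40, "size": 180, "packets": 2, "bps": 36000, "meta": {}},
]


def parse_filters(text):
    """';' separates filters, ',' separates a filter's components; 'include' is implied."""
    filters = []
    for chunk in text.split(";"):
        parts = [p.strip() for p in chunk.split(",") if p.strip()]
        if not parts:
            continue
        exclude = any(p.lower() == "exclude" for p in parts)
        filters.append((exclude, [p for p in parts if p.lower() not in ("include", "exclude")]))
    return filters


def split_host_port(value):
    # 'X.X.X.X:P' or 'host:P' -> (host, port); anything else -> (value, None)
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, None)


def host_matches(flow_host, flow_ip, pattern):
    # IP or CIDR patterns are checked against the address; other text is a partial hostname.
    try:
        return ipaddress.ip_address(flow_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() in flow_host.lower()


def meta_matches(meta, key, needle):
    # Case-insensitive search over metadata; an empty key searches every "key:value" entry.
    return any((not key or k.lower() == key.lower())
               and needle.lower() in (str(v) if key else f"{k}:{v}").lower()
               for k, v in meta.items())


def component_matches(flow, comp):
    m = MODIFIER.match(comp)
    if m:  # duration/size/packets/bps with a comparator
        return OPS[m.group(2)](flow[m.group(1).lower()], int(m.group(3)))
    key, sep, value = comp.partition("=")
    key, value = key.strip().lower(), value.strip()
    if sep and key in KEYS:
        if key in ("client", "server"):  # IP, CIDR or partial host, optionally with :port
            host, port = split_host_port(value)
            return host_matches(flow[key], flow[key + "_ip"], host) and \
                (port is None or flow[key + "port"] == port)
        if key in ("if", "inif", "outif", "serverport"):  # interface and port keys match exactly
            return value in ([str(flow["inif"]), str(flow["outif"])] if key == "if" else [str(flow[key])])
        if key == "meta":
            mk, msep, mv = value.partition(":")
            return meta_matches(flow["meta"], mk if msep else "", mv if msep else mk)
        if key == "app" and value.isdigit():  # a numeric value selects by application ID
            return flow["appid"] == int(value)
        if key == "user" and value.lower() == "none":  # assumption: 'none' = no identified user
            return not flow["user"]
        return value.lower() in str(flow.get(key, "")).lower()
    # No key: a fuzzy filter. 'host:port' pins the server port; other 'k:v' text searches metadata.
    host, port = split_host_port(comp)
    if port is not None:
        return flow["serverport"] == port and any(
            host_matches(flow[s], flow[s + "_ip"], host) for s in ("client", "server"))
    if ":" in comp:
        mk, _, mv = comp.partition(":")
        return meta_matches(flow["meta"], mk, mv)
    return any(comp.lower() in str(v).lower() for k, v in flow.items() if k != "meta")


def flow_matches(flow, filters):
    """Assumed rule: any fully matching exclude filter drops the flow; otherwise any include keeps it."""
    hit = lambda comps: all(component_matches(flow, c) for c in comps)
    if any(hit(comps) for exclude, comps in filters if exclude):
        return False
    includes = [comps for exclude, comps in filters if not exclude]
    return not includes or any(hit(comps) for comps in includes)


def apply_filter(text, flows=FLOWS):
    """Return the indexes of the flows that survive the filter field."""
    filters = parse_filters(text)
    return [i for i, f in enumerate(flows) if flow_matches(f, filters)]
```

With these records, `apply_filter("SERVERPORT=161, duration>1000, exclude; CLIENT=JonDoe; CLIENT=JillDoe")` keeps JillDoe's HTTPS flow and JonDoe's DNS flow but drops JonDoe's 2.5-second SNMP flow, which is the behaviour the multi-filter example describes. Note that the fuzzy branch, as the help text says, scans every column, so a bare numeric fuzzy string such as "161" would also hit unrelated columns; using the key form (SERVERPORT=161) or the host:port form is the precise way to ask for a port.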