The Expression Editor allows you to build a filter using expressions. An expression is made up of a field, operator (parentheses or quotation marks), and a value. The filters are the same as the ones used in the Filter List.
The operators (parentheses and quotation marks) are:
| Operator | Description |
|---|---|
| ! | Logical NOT operator. |
| ( | |
| ) | |
| AND | Logical operator. Used to combine two expressions. |
| OR | Logical operator. Used to choose one of two expressions. |
| = | Is equal to |
| != | Is not equal to |
| < | Is less than |
| <= | Is less than or equal to |
| > | Is greater than |
| >= | Is greater than or equal to |
| LIKE | Is similar to, matches some portion (used for a partial match) |
| ILIKE | Case-insensitive partial match |
| IN | Condition exists within the filter value (usually used when the filter combines two or more variables which must be compared in some way to create a trigger) |
| | Wildcard matching any character |
| NOT IN | Opposite of IN. Condition does not exist within the filter value. |
You can use AND/OR or parentheses to create complex expressions.
The filter is selected from a drop-down menu while the operators (parentheses and quotation marks) are selected by clicking on them. The filter values vary depending on the filter just like in the Filter List.
You may type in part or all of the expression. If the expression is valid, the message "Parsing successful." is displayed at the bottom of the window. If the expression is invalid, an error message is displayed.
Note the use of wild cards in the screen shot expression:
DeviceSSID LIKE ".*abc.*" AND DeviceManufacturer ILIKE ".*cisco" AND SensorMAC IN ("00:16:5d:.*")
When using wild cards with the operators LIKE, ILIKE, or IN, you must use ".*" notation instead of "*" notation. If you use the "*" notation, the Action Rule will fail.
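A pre-check for the wildcard rule above, as an added example that is not part of the product or its documentation: it scans an expression and reports every LIKE, ILIKE or IN value that uses "*" without the leading ".". The function name, the constructed sample, the treatment of NOT IN like IN, and the rule that any "*" not preceded by "." counts as "*" notation are assumptions.

```python
import re

WILDCARD_OPS = {"LIKE", "ILIKE", "IN"}  # operators the page says need ".*"
# Tokens: quoted value, comparison operator, or bare word (field or keyword).
TOKEN_RE = re.compile(r'"([^"]*)"|(!=|<=|>=|[=<>!])|([A-Za-z_]\w*)')
# Assumption: a "*" not directly preceded by "." is the unsupported "*" notation.
BARE_STAR_RE = re.compile(r'(?<!\.)\*')

# Expression taken from the page.
PAGE_EXAMPLE = ('DeviceSSID LIKE ".*abc.*" AND DeviceManufacturer ILIKE ".*cisco" '
                'AND SensorMAC IN ("00:16:5d:.*")')
# Constructed sample: "*" notation in a LIKE value and in one of two IN values.
CONSTRUCTED_BAD = ('DeviceSSID LIKE "*abc*" AND SensorMAC IN '
                   '("00:16:5d:*", "00:0b:85:.*") AND DeviceManufacturer = "a*"')


def find_glob_wildcards(expression):
    """Return (field, operator, value) for each LIKE/ILIKE/IN value with a bare "*"."""
    findings = []
    field = op = None  # current field name and the operator governing its values
    for m in TOKEN_RE.finditer(expression):
        quoted, cmp_op, word = m.groups()
        if word is not None:
            upper = word.upper()
            if upper in WILDCARD_OPS:
                op = upper                 # "NOT IN" also lands here (assumption)
            elif upper in ("AND", "OR"):
                field = op = None          # a new sub-expression starts
            elif upper != "NOT":
                field, op = word, None     # any other bare word is a field name
        elif cmp_op is not None:
            op = None                      # =, !=, <, ... are outside the wildcard rule
        elif op in WILDCARD_OPS and BARE_STAR_RE.search(quoted):
            findings.append((field, op, quoted))
    return findings


if __name__ == "__main__":
    for expr in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        hits = find_glob_wildcards(expr)
        print("OK" if not hits else f"bare '*' found: {hits}")
```

Values compared with = are not reported, because the page states the ".*" requirement only for LIKE, ILIKE and IN.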