How to add filters on Real-Time Events

Real-Time Events lets you filter your analysis by the specific variables and type of data you want to receive.

Once you understand Real-Time Events logs and have decided which variables you want to query, you can use the Filter by field to get more accurate results.

If you run a query with a blank Filter by field, you’ll get all existing records for the variables of the selected data source available during the selected time filter.

The Filter by field uses SQL language to query results. Your search must be in one of two formats:

key='value'

  • Exact match, where:
    • key: one of the variables from the data source you’re querying for.
    • =: means the search must query for the exact value passed.
    • value: a value of either string or integer format.

key like '%value%'

  • Similar value, where:
    • key: one of the variables from the data source you’re querying for.
    • like: means the search must query for a similar value to the one passed.
    • %value%: a value of either string or integer format, surrounded by % signs.

In the second format, the value can take one of these forms:

  • %value%: filters for values that contain the entire specified value.
  • %value: filters for values that end with the specified value.
  • value%: filters for values that begin with the specified value.

You can also build more complex queries by combining fields with the AND, OR, and NOT operators.

Because each query pairs a variable with a value, it’s important to understand the available variables and the types of values they can accept.

Some examples of SQL queries:

| Variable | SQL query |
|---|---|
| $status | status='404' |
| $status + $scheme | status='200' AND scheme='https' |
| $endpoint_type | endpoint_type='datadog' |
| $geoloc_country_name | geoloc_country_name='Brazil' |
| $message_content | message_content like '%unavailable%' |
| $message_content | message_content like '%available%' |
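
The following added example (not part of the original documentation) runs the filter expressions from the table against constructed sample records to show how the three % placements behave, and that '%available%' also matches records containing "unavailable". The events table, the sample rows and the run_filter helper are assumptions for illustration; SQLite's LIKE stands in for the Filter by field, and Real-Time Events may differ in details such as case sensitivity.

```python
import sqlite3

# Constructed sample records (not real Real-Time Events data). Column names
# follow the variables used in the page's example queries.
SAMPLE_EVENTS = [
    ("200", "https", "service available"),
    ("404", "https", "resource not found"),
    ("503", "http", "upstream unavailable"),
    ("200", "http", "available again"),
]


def run_filter(filter_by):
    """Return message_content of the sample rows matched by a Filter by expression."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(
            "CREATE TABLE events (status TEXT, scheme TEXT, message_content TEXT)"
        )
        con.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
        # A blank filter returns every record, as the page describes.
        where = f" WHERE {filter_by}" if filter_by.strip() else ""
        # The expression is pasted into the statement only because this is a
        # throwaway in-memory table queried with the fixed strings below.
        rows = con.execute(
            f"SELECT message_content FROM events{where} ORDER BY rowid"
        ).fetchall()
    finally:
        con.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for expr in [
        "",
        "status='404'",
        "status='200' AND scheme='https'",
        "message_content like '%unavailable%'",
        "message_content like '%available%'",   # also matches "unavailable"
        "message_content like '%available'",    # ends with the value
        "message_content like 'available%'",    # begins with the value
        "message_content like '%available%' AND NOT message_content like '%unavailable%'",
    ]:
        print(repr(expr), "->", run_filter(expr))
```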
