Reference: Filtering options
Use filters to modify the data that you are getting from your connection source before it is sent to the destination. If you do not define a filter, all data from the source is sent to the destination.
You can filter data by regular expressions, new items, or numeric operators.
Filters are linked to specific connections. You can create a filter when you create a connection, or you can edit the existing connection to add or update a filter. You can define multiple filters per connection. If you define multiple filters, a piece of data must meet the conditions in all of the filters to get passed on to the destination.
For example, when you use the CPU utilization over 75% saved question, you can specify a numeric filter with a condition for CPU consumption greater than 80%, and a regular expression filter for computer names that start with srv*. Both filter conditions must be met for a row of data to be passed to the destination.
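The following is an added example, not code from this page or from Tanium Connect, that models how multiple filters on one connection combine: every filter must accept a row before it reaches the destination, and a connection with no filters passes everything. The rows, column names and the anchored pattern `^srv` are constructed for the example.

```python
import re

# Constructed sample rows (not real Tanium output): one dict per result row.
ROWS = [
    {"Computer Name": "srv-db01", "CPU Consumption": "91"},
    {"Computer Name": "srv-web02", "CPU Consumption": "78"},
    {"Computer Name": "wks-0412", "CPU Consumption": "96"},
    {"Computer Name": "srv-app03", "CPU Consumption": "83"},
]


def numeric_filter(column, op, target):
    """Return a predicate: the row passes when row[column] <op> target."""
    def predicate(row):
        try:
            value = float(row[column])
        except (KeyError, ValueError):
            return False  # missing or non-numeric cells never satisfy a numeric filter
        return value > target if op == "greater than" else value < target
    return predicate


def regex_filter(column, pattern):
    """Return a predicate: the row passes when the regex matches row[column]."""
    compiled = re.compile(pattern)
    return lambda row: compiled.search(str(row.get(column, ""))) is not None


def apply_filters(rows, filters):
    """A row reaches the destination only if every configured filter accepts it.
    With no filters, all() is True for every row, so all data is sent."""
    return [row for row in rows if all(f(row) for f in filters)]


def cpu_over_80_on_srv_hosts(rows=ROWS):
    """Names of rows passing both the numeric and the regex filter (hypothetical helper)."""
    filters = [
        numeric_filter("CPU Consumption", "greater than", 80),
        regex_filter("Computer Name", r"^srv"),  # anchored form of the page's "srv*"
    ]
    return [row["Computer Name"] for row in apply_filters(rows, filters)]
```

Note that srv-db01 and srv-app03 pass, while srv-web02 fails the numeric filter and wks-0412 fails the regex filter even though its CPU value is the highest in the set.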
With the New Items filter, only new data is sent to the destination. When you configure this filter, you set a learning period value. During this period, no data is sent to the destination while a set of baseline data is established. A hash of the data is stored in a database that tracks the baseline.
All the values in each row of data are considered when the data is evaluated for updates. For example, your connection source might be a saved question that has four columns: computer name, running processes, MD5 hash of running process, and logged in user. A change to any of the values in those columns causes the row to be flagged as new. All the data in the row is sent to the connection destination.
Selecting a subset of columns to index adjusts which columns are evaluated when determining if a new result should be added to the output of the next connection run.
Only successful connections update the baseline data. If a connection fails, the baseline data remains the same as before the failed connection attempt started, to prevent the loss of new data.
If you want to clear the baseline data or restart the learning period, see Clear New Items cache.
Continue Learning options
After the learning period, only new or changed data is sent through to the destination. The default behavior is for the baseline data to continue to be updated with new data after the learning period.
However, you can also deselect the Continue Learning setting. When this setting is disabled, the baseline data from the original learning period is maintained going forward and is not updated.
The Persist Data setting, when enabled, keeps the filter on disk in between connection runs. This default behavior works for most configurations. You might want to disable this setting if you are trying to replicate the behavior of the removed Unique Values from Columns filter.
The Persist Data setting must be enabled for the learning period configuration to work.
You can also specify how often the filter, along with the learned baseline data, is periodically reset in the Scheduled Filter Reset Days setting.
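The following is an added example, not code from this page or from Tanium Connect, that models the New Items filter behaviour described above: a hash per row kept as baseline data, a learning period during which nothing is sent, optional index columns, failed runs that leave the baseline untouched, the Continue Learning and Persist Data switches, and a scheduled reset. The storage format, the use of SHA-256, and counting the learning period in connection runs rather than days are all assumptions made for illustration.

```python
import hashlib
import json


class NewItemsFilter:
    """Hypothetical model of the New Items filter; not Tanium's implementation.

    The learning period is counted in connection runs here for simplicity.
    """

    def __init__(self, learning_runs, index_columns=None, continue_learning=True,
                 persist_data=True, reset_every_runs=None):
        self.learning_runs = learning_runs        # learning period length
        self.index_columns = index_columns        # None means hash every column
        self.continue_learning = continue_learning
        self.persist_data = persist_data
        self.reset_every_runs = reset_every_runs  # models Scheduled Filter Reset Days
        self.baseline = set()                     # hashes of rows already learned
        self.runs_completed = 0

    def _row_hash(self, row):
        # Only indexed columns take part in the hash, so a change in any other
        # column does not flag the row as new. With no index, every column counts.
        cols = self.index_columns or sorted(row)
        payload = json.dumps([row.get(c) for c in cols])
        return hashlib.sha256(payload.encode()).hexdigest()

    def run(self, rows, succeeded=True):
        """Process one connection run and return the rows sent to the destination."""
        if (self.reset_every_runs and self.runs_completed
                and self.runs_completed % self.reset_every_runs == 0):
            self.baseline.clear()       # scheduled reset: learning starts over
            self.runs_completed = 0
        if not self.persist_data:
            self.baseline.clear()       # nothing is kept between runs
        # Without Persist Data there is no learning period to honour.
        in_learning = self.persist_data and self.runs_completed < self.learning_runs
        sent, seen_this_run = [], set()
        for row in rows:
            h = self._row_hash(row)
            if not in_learning and h not in self.baseline and h not in seen_this_run:
                sent.append(row)
            seen_this_run.add(h)
        if not succeeded:
            return []                   # failed run: baseline stays as it was
        if in_learning or self.continue_learning:
            self.baseline |= seen_this_run
        self.runs_completed += 1
        return sent


def demo():
    """Learning run, a changed column, a failed run, and the successful retry."""
    r1 = {"Computer Name": "srv-db01", "Logged In User": "alice"}
    r2 = {"Computer Name": "srv-web02", "Logged In User": "bob"}
    r2_changed = {"Computer Name": "srv-web02", "Logged In User": "carol"}
    r3 = {"Computer Name": "wks-0412", "Logged In User": "dave"}

    f = NewItemsFilter(learning_runs=1)
    learn = f.run([r1, r2])                     # learning period: nothing sent
    first = f.run([r1, r2_changed])             # changed user column: row is new
    failed = f.run([r1, r3], succeeded=False)   # r3 is not added to the baseline
    retry = f.run([r1, r3])                     # so r3 is still sent on the retry
    return learn, first, failed, retry
```

Constructed sample rows are used throughout. Disabling Persist Data collapses the filter to de-duplication within a single run, which is the "Unique Values from Columns" behaviour the page mentions; disabling Continue Learning means a row that was not in the original baseline is sent on every run in which it appears.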
Regular Expression filter
With the Regular Expression filter, you choose a column in your results to evaluate against your regular expression. If a match occurs, the whole row that contains the matched column is returned as a result.
Suppose that you want to filter for only 100 Mbps Connections with the Link Speed sensor. The saved question is Get computer name and Tanium IP Address and Link Speed. Create a filter on the Link Speed column with the regular expression: (?!10000)(?!1000)(100). This particular example excludes 1000 and 10000, because by default these values are returned when searching for 100.
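The following is an added example, not code from this page or from Tanium Connect, that runs the page's expression against constructed Link Speed values (the real sensor's output format may differ) and contrasts it with a plain search for 100, which also matches 1000 and 10000 because they contain 100 as a substring. The shorter `(?!1000)100` form is shown as well: because 10000 begins with 1000, the single lookahead is enough, so the page's first lookahead is redundant but harmless.

```python
import re

# Constructed sample Link Speed values, not actual sensor output.
LINK_SPEEDS = ["10 Mbps", "100 Mbps", "1000 Mbps", "10000 Mbps"]

PLAIN = re.compile(r"100")                       # naive search: matches 100, 1000 and 10000
PAGE_EXPRESSION = re.compile(r"(?!10000)(?!1000)(100)")  # the expression from the page
EQUIVALENT = re.compile(r"(?!1000)100")          # same result with one lookahead


def matching_rows(pattern, values=LINK_SPEEDS):
    """Values whose Link Speed column the filter would accept (hypothetical helper).

    The filter is modelled as an unanchored search; with these patterns an
    anchored match at the start of the value gives the same result.
    """
    return [v for v in values if pattern.search(v)]
```

The negative lookaheads succeed only at a position where the text does not begin with 1000 or 10000; in "1000 Mbps" the only position where 100 could match is the start, and the lookahead rejects it there, so the whole row is dropped.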
Numeric filter
Filter on a specific numeric column in your data set. You specify the column name, an operation (greater than or less than), and a target value. The data set is evaluated, and only the rows that meet the specified condition are sent to the destination.
Last updated: 11/14/2022 11:24 AM