Hi James,
Yep that was me. We now have the advanced filtering documented for the app, see this link:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.lsmapp.doc/t_Qapps_LSM_using.html
The gist of it is you start your query with
advanced:
so the interpreter knows you're doing a structured query rather than a free text search, and you follow that with your query which follows the API filtering syntax defined here:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.3/com.ibm.qradar.doc/c_rest_api_filtering.html and uses the set of fields available in the log source API as documented here:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.3/com.ibm.qradar.doc/11.0--config-event_sources-log_source_management-log_sources-GET.html
For your specific case where you're trying to filter out any log sources of Log Source Type WinCollect DSM, you would want a search string like so:
advanced: type_id != 246
246 is the ID for the "WinCollect DSM" log source type.
Hope this helps!
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Wed April 22, 2020 09:14 AM
From: James Hill
Subject: Log Source Management App - Advanced filters
I believe I have seen a demo of the Log Source Management App where the host utilised filters in the search bar to ANDNOT log sources.
From memory it was something along the lines of
show all logsources but !=WinCollect DSM
The Host may have been @COLIN HAY in Munich last year.
Does anyone have a suggestion on how to implement filters within the search of Log Source Management App?
------------------------------
JH
------------------------------
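
The reply above says an `advanced:` search takes the REST API filter syntax and the log source API's field names. As an added example (not from the original thread or from IBM), this Python code turns such a search string into the corresponding GET request against the log source endpoint named in the linked API page, without sending it. The console host name, the token placeholder, the `fields` selection, the paging range and the helper names are assumptions.

```python
from urllib.parse import quote
from urllib.request import Request

# Endpoint path as given in the log source API page linked in the reply.
LOG_SOURCES_PATH = "/api/config/event_sources/log_source_management/log_sources"
PREFIX = "advanced:"  # marks a structured query rather than a free-text search


def extract_filter(search):
    """Return the filter expression from a search-bar string, or None for free text."""
    text = search.strip()
    if not text.startswith(PREFIX):
        return None
    expr = text[len(PREFIX):].strip()
    if not expr:
        raise ValueError("'advanced:' must be followed by a filter expression")
    return expr


def build_request(search, console, token, page=(0, 49)):
    """Build (but do not send) the API request that applies the same filter.

    Assumption: the expression is passed unchanged as the API's `filter`
    query parameter, percent-encoded so that '!=' and spaces survive.
    """
    expr = extract_filter(search)
    if expr is None:
        raise ValueError("free-text search, no structured filter to send")
    query = ("filter=" + quote(expr, safe="")
             + "&fields=" + quote("id,name,type_id", safe=""))
    req = Request("https://%s%s?%s" % (console, LOG_SOURCES_PATH, query),
                  method="GET")
    req.add_header("SEC", token)                    # authorized service token
    req.add_header("Accept", "application/json")
    req.add_header("Range", "items=%d-%d" % page)   # page through large result sets
    return req


if __name__ == "__main__":
    # Constructed inputs: host and token are placeholders, not real values.
    r = build_request("advanced: type_id != 246",
                      "qradar.example.test", "PLACEHOLDER-TOKEN")
    print(r.get_method(), r.full_url)
```
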