Adding more that 1 filter doesn't work about eventlogexpert HOT 11 CLOSED

Do you have an example or screenshot of what you are doing and what you expect the results should be?

from eventlogexpert.

from eventlogexpert.

Github does not show images if you reply via email, can you provide the filters you are using or attach via Github so I can try and reproduce this?

from eventlogexpert.

I've uploaded the image

from eventlogexpert.

It is because your filters are set to "Not Equals".

This is a tricky one because basically you are saying you want everything that doesn't equal "SChannel" OR everything that doesn't equal "Microsoft-Windows-HttpService". So when those 2 are combined you are not actually filtering anything out.

If you are just trying to exclude those 2 types of events then you should use sub filters with AND so it is all in one query (Source != "Schannel" && Source != "Microsoft-Windows-HttpService").

from eventlogexpert.

from eventlogexpert.

The multi filter logic was changed in a January release build (v24.1.29.1281) to support highlighting, filter groups and toggling all events.

So if we want to add multiple filters need to be done manually ?

If you are trying to exclude individual events one by one then yes, this will need to be done manually in a single filter with sub filters.

Because Is normal that when you're trying to check multiple logs to add the exclusions by only pressing the filter button

This is debatable as the intended usage is to look for specific things through "Equals" or "Contains", and with highlighting you will want to see multiple of these at a time. For example, if I am trying to visually explain why a system crashed or unexpectedly rebooted then I would have multiple filters saved (probably with highlighting) in a filter group to view specific events. If I wasn't completely sure exactly what event I am looking for then I would be using "Contains" to try and narrow down my search based on the issue I am troubleshooting.

Unfortunately, there isn't an easy way to make every scenario work. Right now, the Exclude context menu action when trying to exclude individual events one by one to try and find something useful when you aren't quite sure what you are looking for yet is one area that I am working on coming up with a better solution for.

from eventlogexpert.

I can see this as well. I filter out KDC, and include eventid 14554. I get eventID from other sources that are different:

When I add them both as "equal" term, it appears as if they are ORed, where previously they had implicit AND.
To get that you need an advanced filter, back to original:
Id == "14554" && Source != "Microsoft-Windows-Kerberos-Key-Distribution-Center"

But this is more clicks and you can't build it with right-clicking on an example event you want to see or exclude.

I would say that when you populate the filter using mouse-clicks we expect the implicit AND. As this often used to filter out noise.

in the perfect world, you could:

• change the implicit logical operator between standard filters
• convert the list of standard filter to an advanced filter and change the logical operator as needed.

from eventlogexpert.

Yes, previously they were AND and now they are OR to support the addition of highlighting, changes to sub filters and filter groups (see my previous comment). Having it set to AND made multiple filters with "Equal" or "Contains" only filter on what was already filtered and setting it to OR made multiple filters with "Not Equals" or "Not Contains" cancel each other out. There wasn't an easy way to have both options work.

change the implicit logical operator between standard filters

This is what my initial thoughts were to solve this issue, but it is easier said than done due to how the actual LINQ is done when filtering with multiple filters. Right now, this can be done via sub filters or the multi select option but unfortunately this also isn't easily solved when done via the right click context menu. For now, I think I may just set the exclude context menu to append to a single filter.

convert the list of standard filter to an advanced filter and change the logical operator as needed.

This may not be a bad idea or an option to convert all filters into a single basic filter with sub filters where AND/OR can be changed.

from eventlogexpert.

I've come with an idea on how I would like to resolve this, should hopefully have a PR ready for this sometime this week.

from eventlogexpert.

This change is available in today's prerelease build.

from eventlogexpert.