Some portlets let you use filters to limit and focus the displayed information.
Filters do not make sense for certain portlets – RSS feeds and HTML pages, for example – and are not used on the pre-configured portlets that are installed with the Carbon Black App Control Server. If the portlet you are creating or editing includes a filtering capability, a Filters panel displays on the Portlet Details page. The following illustration shows the initial building blocks of a portlet filter.
The initial filter view shows the top-level group operator. You must add at least one expression — a set of parameters that can be evaluated as true or false against Carbon Black App Control data. For example, to have the filter include only those computers containing “Laptop” in their name in the portlet data, you can create the following filter.
Each expression consists of a parameter — some kind of data that is available in the Carbon Black App Control database, an expression operator, and a value. You can select the parameter and operator from menus that vary depending on the type and subtype of portlet. Type in the value you want to match.
Every expression belongs to a group, even if the group includes only one expression. While an expression might evaluate to true on its own, the group operator determines whether the group is true, as shown in the following table.
| Operator |
Effect |
|---|---|
|
|
If all expressions in the group are true, the group is true. For the top-level group, this means that data for which all expressions in the group are true is displayed in the portlet. |
|
|
If at least one expression in the group is true, the group is true. For the top-level group, this means that data for which at least one expression in the group is true is displayed in the portlet. |
|
|
If at least one expression in the group is false, the group is true. For the top-level group, this means that data for which at least one expression in the group is false is displayed in the portlet. |
|
|
If all expressions in the group are false, the group is true. For the top-level group, this means that data for which all expressions in the group are false is displayed in the portlet. |
With AND as the group operator and a single expression, if the expression is true, the group is true, and the data matching the expression is included in the portlet. However, adding expressions and using other operators can provide more powerful and complex filters.
The following Graph Settings were used to create the "Top 5 Computers with First Seen Files" portlet. No filter was used.
The "Top 5 Computers with First Seen Files" portlet displays the five computers that have the most first seen files.
There is no filter on this data. You can, for example, eliminate data for files that were on computers when the agent was installed, and instead focus on anything that arrived afterward. To accomplish this, add an expression and create a filter to eliminate “initialized” files. The filter removes files present at initialization from the data used by the portlet.
To further fine-tune your portlet, you can eliminate all files that identify “Microsoft Corporation” as the publisher because you know that you installed several Microsoft applications on all computers after initialization and it is not necessary to track these in your portlet. To accomplish this, change the group operator to OR and create a new expression to produce a filter.
The filter removes files present at initialization and files whose metadata shows Microsoft Corporation as the publisher or company from the data used by the portlet.
As long as you can use the same group operator to accomplish your goal, you can continue adding expressions to a group.
