Operators used in log management filters and operators used in filters in Interactive Analytics do not have a one-to-one correspondence by name. However, you can select operators that produce similar results for both formats.

This difference is important when you use the Run in Interactive Analytics menu item from the following tabs in the Log Management page:
  • Log Masking
  • Log Filtering
  • Log Forwarding
  • Index Partitions
For example, if you have a log management filter of matches *foo* and select the menu item Run in Interactive Analytics, the Interactive Analytics query equates the log management filter to match regexp ^.*foo.*$, which might not match all the same log events.

Another example is matches foo, which when run on Interactive Analytics is treated as contains foo. Because the Interactive Analytics function also searches keyword queries, contains foo is likely to match more events than matches foo.

You can change the operators used by Interactive Analytics to address these differences.

  • Change the contains operator to matches regex.
  • Change occurrences of * from log management filters to .* and prefix filter terms with .*. For example, change the event filter expression matches *foo* to matches regex .*foo.* for Interactive Analytics.
  • For the does not match operator from event filters, you can use the matches regex operator with a regex look ahead value. For example, does not match *foo* is equivalent to matches regex .*(?!foo).*