This is an old revision of the document!
Filters in QoE reports
Description and cases
Filters in reports allow the user to filter data by certain criteria. This is convenient for quick search of necessary information in large volumes of data.
Report filtering takes place in the QoE sections of the analytics: Netflow, Raw full netflow, Clickstream, Raw clickstream.
Before applying filters to reports, you must select data by a specific time interval using the "Period" field:
There are two options for selecting a period:
- Custom range — arbitrary Start and End of period, set manually;
- Quick ranges — ready-made date and time intervals, selectable from the list given.
Case 1. Filtering by subscribers
Used when you want to track the activity of a specific subscriber, a pool of subscribers or a list of subscribers.
1. Select the "Subscriber" filter;
2. Customize the filter by one of three options:
| Single subscriber |  |
| Subscriber pool |  |
| Subscriber list |  |
3. Enable the filter by checking the checkbox to the left of the filter to be configured;
4. Click "Apply".
Case 2. Filtering by resource
It is used if you need to find subscribers who have visited a specific resource or list of resources.
- Select the "Host" filter;
- Select the "=" or "like" operator;
- Enter the name of the resource;
- Enable the filter by checking the checkbox to the left of the filter to be configured;
- Click "Apply".
To filter by list of resources, follow the principle from Case 1. Filtering by subscribers → Subscriber list.
Case 3. Filtering by CIDR address
Used if you want to filter data by a specific IP address with a subnet mask.
- Select the "Subscriber" filter;
- Select the "in CIDR's" operator;
- Enter the IP address with subnet mask;
- Enable the filter by checking the checkbox to the left of the filter to be configured;
- Click "Apply".
Lists filters available in QoE Analytics sections
Netflow
| Field | Explanation | Frequently used operators |
|---|---|---|
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Protocol | Net protocol Example: TCP 6 | =like |
| App protocols groups | The filter value is selected from a drop-down list with protocol groups | innot in |
| Application protocol | Example: https 443 | =like |
| Subscriber`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Host`s AS number | The AS number assigned to a specific host. Each request to or from a host has the same AS number | =like |
| Host category | The filter value is selected from a drop-down list with categories | innot in |
| Infected traffic category | Available Categories: Botnet hosts (Kaspersky) Malicious hosts (Kaspersky) Phishing hosts (Kaspersky) | innot in |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Post nat source IPv4-address | An IP address converted from private to public by NAT to communicate with external devices and access the Internet | =likein CIDR’snot in CIDR’s |
| Post nat source port | A port converted by NAT from private to public for communicating with external devices and accessing the Internet | =like |
| Class | Traffic classes cs0 through cs7. See Quick Start: Tariff Plan and Captive Portal for more details. 0 — cs0 1 — cs1 … 7 — cs7 | =like |
| DSCP | Extended traffic class values. See Traffic prioritization depending on protocols and directions for details. | =like |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
| MPLS labels | Labels responsible for the transmission of data packets on the network. It is transmitted in base64 format. Example: C7pB/w== | =like |
Raw full netflow
| Field | Explanation | Frequently used operators |
|---|---|---|
| Session ID | Session identifier Example: 101292583003281746 | =like |
| Source IPv4-address | IPv4 address of the request source. If the request is from a subscriber - the subscriber address will be specified here, if vice versa - the host address | =likein CIDR’snot in CIDR’s |
| Source IPv6-address | IPv6 address of the request source. If the request is from a subscriber - the address of the subscriber will be specified here, if vice versa - the address of the host | =like |
| Source port | Port of the request source. If the request is from a subscriber - the port of the subscriber will be specified here, if vice versa - the port of the host | =like |
| Source AS number | AS number of the request source. If the request is from a subscriber - the subscriber's AS will be specified here, if vice versa - the host's AS. | =like |
| Destination IPv4-address | IPv4 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =likein CIDR’snot in CIDR’s |
| Destination IPv6-address | IPv6 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =like |
| Destination port | Port of the request recipient. If the request is directed to the host - the host port will be specified here, if vice versa - the subscriber's port | =like |
| Destination AS number | AS number of the request recipient. If the request is sent to the host, the host's AS will be specified here, if vice versa - the subscriber's AS. | =like |
| Net protocol | Example: TCP 6 | =like |
| Application protocol | Example: https 443 | =like |
| App protocols groups | The filter value is selected from a drop-down list with protocol groups | innot in |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Subscriber`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Subscriber`s port | A port assigned to a specific subscriber. Each request to or from a subscriber has the same port | =like |
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Host`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Host`s port | A port assigned to a specific host. Every request to or from a host is the same port | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Post nat source IPv4-address | An IP address converted from private to public by NAT to communicate with external devices and access the Internet | =likein CIDR’snot in CIDR’s |
| Post nat source port | A port converted by NAT from private to public for communicating with external devices and accessing the Internet | =like |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
| VLAN ID | The identifier of the VLAN through which traffic entered. Specified by a number, example: 4038 | =like |
| Post VLAN ID | The identifier of the VLAN through which the traffic exited. Specified by a number, example: 4031 | =like |
| MPLS labels | Labels responsible for the transmission of data packets on the network. It is transmitted in base64 format. Example: C7pB/w== | =like |
| Class | Traffic classes cs0 through cs7. See Quick Start: Tariff Plan and Captive Portal for more details. 0 — cs0 1 — cs1 … 7 — cs7 | =like |
| DSCP | Extended traffic class values. See Traffic prioritization depending on protocols and directions for details. | =like |
| Octet delta | Traffic difference (in bytes) at the beginning and at the end of the specified period | =like |
| Packet delta | Difference of IP packets at the beginning and at the end of the specified period | =like |
Clickstream
| Field | Explanation | Frequently used operators |
|---|---|---|
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Device | Allows you to understand from which device the request was made | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Url | Domain + address where the subscriber went to | =like |
| Host category | The filter value is selected from a drop-down list with categories | innot in |
| Infected traffic category | Available Categories: Botnet hosts (Kaspersky) Malicious hosts (Kaspersky) Phishing hosts (Kaspersky) | innot in |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Locked | Possible values: 0 - unlocked traffic 1 - locked traffic | =!= |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
Raw clickstream
| Поле | Пояснение | Часто используемые операторы |
|---|---|---|
| Session ID | Session identifier Example: 101292583003281746 | =like |
| Source IPv4-address | IPv4 address of the request source. If the request is from a subscriber - the subscriber address will be specified here, if vice versa - the host address | =likein CIDR’snot in CIDR’s |
| Destination IPv4-address | IPv4 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =likein CIDR’snot in CIDR’s |
| Source IPv6-address | IPv6 address of the request source. If the request is from a subscriber - the address of the subscriber will be specified here, if vice versa - the address of the host | =like |
| Destination IPv6-address | IPv6 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =like |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Path | The address to which the subscriber went | =like |
| Referer | The resource from which the request came. Used for redirection: the address from which the user went to the redirection page is memorized | =like |
| User agent | Allows you to understand from which device the request was made | =like |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Locked | Possible values: 0 - unlocked traffic 1 - locked traffic | =!= |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
Operators
| Оператор | Описание | Формат ввода данных |
|---|---|---|
= | Возвращает записи, равные введенному значению | |
!= | Возвращает записи, не равные введенному значению | |
like | Возвращает записи, содержащие определённый шаблон символов | |
ilike | Работает так же, как like, но не зависит от регистра | |
not like | Возвращает записи, не содержащие определённый шаблон символов | |
not ilike | Работает так же, как not like, но не зависит от регистра | |
match | Возвращает записи, соответствующие регулярному выражению – последовательности специальных символов, формирующих паттерн или шаблон, который сопоставляется со строкой | Формат ввода и примеры см. по ссылке |
not match | Возвращает записи, не соответствующие регулярному выражению | Формат ввода и примеры см. по ссылке |
> | Возвращает записи, которые больше введенного значения | |
>= | Возвращает записи, которые больше или равны введенному значению | |
< | Возвращает записи, которые меньше введенного значения | |
<= | Возвращает записи, которые меньше или равны введенному значению | |
in | Позволяет вводить несколько значений и возвращает все, что совпали со значениями из списка. Каждое значение нужно вводить с новой строки | Каждое значение с новой строки |
not in | Позволяет вводить несколько значений и возвращает все, кроме тех, что совпали со значениями из списка. Каждое значение нужно вводить с новой строки | Каждое значение с новой строки |
between | Возвращает записи, где выражение находится в диапазоне значений value1 и value2 включительно | Каждое значение с новой строки |
not between | Возвращает все записи, где выражение не находится в диапазоне между value1 и value2 включительно | Каждое значение с новой строки |
in CIDRs | Позволяет вводить несколько значений CIDR и возвращает все, что совпали со значениями из списка. Каждое значение нужно вводить с новой строки | 192.0.2.32/27 Каждое значение с новой строки |
not in CIDRs | Позволяет вводить несколько значений CIDR и возвращает все, кроме тех, что совпали со значениями из списка. Каждое значение нужно вводить с новой строки | 192.0.2.32/27 Каждое значение с новой строки |
Checks whether a string matches a simple regular expression. The regular expression can contain the metasymbols:
- % indicates any quantity of any bytes (including zero characters).
- _ indicates any one byte.
For an example of using a regular expression, see Case 1. Filtering by subscribers → Subscriber Pool.