Cisco Systems OL-11399-01 Building Set User Manual


 
Cisco NetFlow Collector User Guide
OL-11399-01
Chapter 2 Using the NetFlow Collector User Interface
Configuration
The Filter editor is applet-based. A tree on the left-hand side of the filter editor shows the elements of
the filter. A form on the right-hand side of the filter editor contains the attributes for the currently selected
item in the tree.
The top item of the tree contains a unique identifier for the filter. Directly beneath the top of the tree is
one filter condition or filter expression. Add the top-level filter condition or expression by selecting Add
condition or Add expression when the top item is selected.
A filter condition performs an equality check on the output value of a key builder that is invoked for each
flow. The type of a filter condition is either an integer condition, address condition, string condition, or
nde-source condition. Depending on which condition type you select, only the key builders that produce
that type of value can be selected. The nde-source condition checks the address of the device from which
the flow originated.
When creating a filter condition, specify:
• Whether the equality check is equals or not-equals
• Which key builder creates the value to be checked
In addition, an address condition accepts an optional integer mask value that is applied to the address
before the equality check is performed. If the mask field is left blank, no mask is applied.
Directly beneath the filter condition are one or more value or range items. These determine the set of target
values to which the equality check is applied. Add a value or range to the filter condition by selecting
Add value or Add range. For an integer condition, only integer values and ranges can be entered; only
IP address values can be entered for address filter conditions. An nde-source condition accepts only IP
address values. Note that ranges cannot be entered for string filter conditions, only single values.
Boolean logic is applied to two or more filter conditions using a filter expression. A filter expression can
also appear within an expression in place of a filter condition.
To create a filter expression, specify the logical operator, which is one of and, or, nand (not-and), or nor
(not-or), and select Add expression. An expression must contain at least two other conditions or expressions.
The conditions and expressions within an expression are evaluated in top-down order. Evaluation
performance for an expression can be optimized by placing the conditions and expressions that are more
likely to occur at the top. Select an item, then select Move to move the item up until it reaches the top;
selecting Move again cycles the item to the bottom.
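As an added illustration (not part of the guide and not Cisco's code), the following Python model evaluates the condition and expression semantics described above against constructed flow records. It assumes the address mask is a prefix length applied only to the flow's address, that evaluation of an expression stops as soon as its outcome is decided, and it uses hypothetical field names (srcaddr, dstport) in place of key builders.

```python
import ipaddress

def _addr(v):
    return int(ipaddress.IPv4Address(v))

def condition(key, targets, equals=True, kind="integer", mask=None):
    """kind: integer, address, or string. targets: values or (low, high) ranges."""
    conv = _addr if kind == "address" else (lambda v: v)
    spans = []
    for t in targets:
        if kind == "string" and isinstance(t, tuple):
            raise ValueError("string conditions accept single values only")
        lo, hi = t if isinstance(t, tuple) else (t, t)
        spans.append((conv(lo), conv(hi)))
    def test(flow, trace):
        trace.append(key)                      # record that this condition ran
        value = conv(flow[key])
        if kind == "address" and mask is not None:
            # Assumption: mask is a prefix length, applied to the flow value only.
            value &= (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF
        hit = any(lo <= value <= hi for lo, hi in spans)
        return hit if equals else not hit
    return test

def expression(op, *children):
    if op not in ("and", "or", "nand", "nor"):
        raise ValueError("unknown operator: " + op)
    if len(children) < 2:
        raise ValueError("an expression needs at least two conditions or expressions")
    stop_on = op in ("or", "nor")              # child result that decides the outcome
    def test(flow, trace):
        # any() consumes children top-down and stops at the first deciding result.
        decided = any(child(flow, trace) == stop_on for child in children)
        result = stop_on if decided else not stop_on
        return result != (op in ("nand", "nor"))
    return test

def evaluate(flt, flow):
    """Return (match result, list of conditions that were actually evaluated)."""
    trace = []
    return flt(flow, trace), trace

# Constructed sample flows; keys stand in for key-builder outputs.
LAN_WEB = {"srcaddr": "10.1.2.3", "dstport": 443}
OTHER_DNS = {"srcaddr": "10.9.9.9", "dstport": 53}

FILTER = expression("and",
    condition("srcaddr", ["10.1.0.0"], kind="address", mask=16),
    condition("dstport", [80, 443, (8000, 8999)]))
```

Under the stated mask assumption, a target such as 10.1.2.0 combined with mask 16 can never match, because the masked flow address is always 10.1.0.0; the target must be the already-masked network address.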
Any item in the tree including the items beneath it can be removed by selecting Remove. Pressing the
back button on the browser also causes any changes to be discarded.
Note: Remove items with care since no cut, paste, or undo capability is provided. Changes are not committed
until you select Update filter or Remove filter.
The symbol [!] at the beginning of any item in the tree indicates that the configuration specified at that
level of the tree is incomplete and must be updated before the filter can be added or updated.
NetFlow Export Source Groups
By default, flows are aggregated with other flows from the source address of the originating device.
However, if multiple source addresses appear in one export Source Group, flows from these multiple
sources are aggregated together.
Note: The collector must be restarted for configuration changes to an existing source group to take effect.