Filters in QoE reports
Description and cases
Filters in reports allow the user to filter data by certain criteria. This is convenient for quick search of necessary information in large volumes of data.
Report filtering takes place in the QoE sections of the analytics: Netflow, Raw full netflow, Clickstream, Raw clickstream.
Before applying filters to reports, you must select data by a specific time interval using the “Period” field:
There are two options for selecting a period:
- Custom range — arbitrary Start and End of period, set manually;
- Quick ranges — ready-made date and time intervals, selectable from the list given.
Case 1. Filtering by subscribers
Used when you want to track the activity of a specific subscriber, a pool of subscribers or a list of subscribers.
1. Select the “Subscriber” filter;
2. Customize the filter by one of three options:
| Single subscriber |  |
| Subscriber pool |  |
| Subscriber list |  |
3. Enable the filter by checking the checkbox to the left of the filter to be configured;
4. Click “Apply”.
Case 2. Filtering by resource
It is used if you need to find subscribers who have visited a specific resource or list of resources.
- Select the “Host” filter;
- Select the “=” or “like” operator;
- Enter the name of the resource;
- Enable the filter by checking the checkbox to the left of the filter to be configured;
- Click “Apply”.
To filter by list of resources, follow the principle from Case 1. Filtering by subscribers → Subscriber list.
Case 3. Filtering by CIDR address
Used if you want to filter data by a specific IP address with a subnet mask.
- Select the “Subscriber” filter;
- Select the “in CIDR's” operator;
- Enter the IP address with subnet mask;
- Enable the filter by checking the checkbox to the left of the filter to be configured;
- Click “Apply”.
Lists filters available in QoE Analytics sections
Netflow
| Field | Explanation | Frequently used operators |
|---|---|---|
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Protocol | Net protocol Example: TCP 6 | =like |
| App protocols groups | The filter value is selected from a drop-down list with protocol groups | innot in |
| Application protocol | Example: https 443 | =like |
| Subscriber`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Host`s AS number | The AS number assigned to a specific host. Each request to or from a host has the same AS number | =like |
| Host category | The filter value is selected from a drop-down list with categories | innot in |
| Infected traffic category | Available Categories: Botnet hosts (Kaspersky) Malicious hosts (Kaspersky) Phishing hosts (Kaspersky) | innot in |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Post nat source IPv4-address | An IP address converted from private to public by NAT to communicate with external devices and access the Internet | =likein CIDR’snot in CIDR’s |
| Post nat source port | A port converted by NAT from private to public for communicating with external devices and accessing the Internet | =like |
| Class | Traffic classes cs0 through cs7. See Quick Start: Tariff Plan and Captive Portal for more details. 0 — cs0 1 — cs1 … 7 — cs7 | =like |
| DSCP | Extended traffic class values. See Traffic prioritization depending on protocols and directions for details. | =like |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
| MPLS labels | Labels responsible for the transmission of data packets on the network. It is transmitted in base64 format. Example: C7pB/w== | =like |
Raw full netflow
| Field | Explanation | Frequently used operators |
|---|---|---|
| Session ID | Session identifier Example: 101292583003281746 | =like |
| Source IPv4-address | IPv4 address of the request source. If the request is from a subscriber - the subscriber address will be specified here, if vice versa - the host address | =likein CIDR’snot in CIDR’s |
| Source IPv6-address | IPv6 address of the request source. If the request is from a subscriber - the address of the subscriber will be specified here, if vice versa - the address of the host | =like |
| Source port | Port of the request source. If the request is from a subscriber - the port of the subscriber will be specified here, if vice versa - the port of the host | =like |
| Source AS number | AS number of the request source. If the request is from a subscriber - the subscriber's AS will be specified here, if vice versa - the host's AS. | =like |
| Destination IPv4-address | IPv4 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =likein CIDR’snot in CIDR’s |
| Destination IPv6-address | IPv6 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =like |
| Destination port | Port of the request recipient. If the request is directed to the host - the host port will be specified here, if vice versa - the subscriber's port | =like |
| Destination AS number | AS number of the request recipient. If the request is sent to the host, the host's AS will be specified here, if vice versa - the subscriber's AS. | =like |
| Net protocol | Example: TCP 6 | =like |
| Application protocol | Example: https 443 | =like |
| App protocols groups | The filter value is selected from a drop-down list with protocol groups | innot in |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Subscriber`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Subscriber`s port | A port assigned to a specific subscriber. Each request to or from a subscriber has the same port | =like |
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Host`s AS number | The AS number assigned to a particular subscriber. Each request to or from a subscriber has the same AS number | =like |
| Host`s port | A port assigned to a specific host. Every request to or from a host is the same port | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Post nat source IPv4-address | An IP address converted from private to public by NAT to communicate with external devices and access the Internet | =likein CIDR’snot in CIDR’s |
| Post nat source port | A port converted by NAT from private to public for communicating with external devices and accessing the Internet | =like |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
| VLAN ID | The identifier of the VLAN through which traffic entered. Specified by a number, example: 4038 | =like |
| Post VLAN ID | The identifier of the VLAN through which the traffic exited. Specified by a number, example: 4031 | =like |
| MPLS labels | Labels responsible for the transmission of data packets on the network. It is transmitted in base64 format. Example: C7pB/w== | =like |
| Class | Traffic classes cs0 through cs7. See Quick Start: Tariff Plan and Captive Portal for more details. 0 — cs0 1 — cs1 … 7 — cs7 | =like |
| DSCP | Extended traffic class values. See Traffic prioritization depending on protocols and directions for details. | =like |
| Octet delta | Traffic difference (in bytes) at the beginning and at the end of the specified period | =like |
| Packet delta | Difference of IP packets at the beginning and at the end of the specified period | =like |
Clickstream
| Field | Explanation | Frequently used operators |
|---|---|---|
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Subscriber | Subscriber IP address | =likein CIDR’snot in CIDR’s |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Device | Allows you to understand from which device the request was made | =like |
| Host IP | Host IP address | =likein CIDR’snot in CIDR’s |
| Url | Domain + address where the subscriber went to | =like |
| Host category | The filter value is selected from a drop-down list with categories | innot in |
| Infected traffic category | Available Categories: Botnet hosts (Kaspersky) Malicious hosts (Kaspersky) Phishing hosts (Kaspersky) | innot in |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Locked | Possible values: 0 - unlocked traffic 1 - locked traffic | =!= |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
Raw clickstream
| Field | Explanation | Frequently used operators |
|---|---|---|
| Session ID | Session identifier Example: 101292583003281746 | =like |
| Source IPv4-address | IPv4 address of the request source. If the request is from a subscriber - the subscriber address will be specified here, if vice versa - the host address | =likein CIDR’snot in CIDR’s |
| Destination IPv4-address | IPv4 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =likein CIDR’snot in CIDR’s |
| Source IPv6-address | IPv6 address of the request source. If the request is from a subscriber - the address of the subscriber will be specified here, if vice versa - the address of the host | =like |
| Destination IPv6-address | IPv6 address of the request recipient. If the request is directed to the host - the host address will be specified here, if vice versa - the address of the subscriber | =like |
| Login | Numeric designation of the subscriber in the billing system | =like |
| Host | Host Name. Examples: zen.yandex.ru. *.mail.ru 149.154.167.151:80 | =like |
| Path | The address to which the subscriber went | =like |
| Referer | The resource from which the request came. Used for redirection: the address from which the user went to the redirection page is memorized | =like |
| User agent | Allows you to understand from which device the request was made | =like |
| Vchannel/Bridge | Vchannel - vChannel number Bridge - number of the bridge through which the traffic goes The field specifies the Vchannel or Bridge value sent by DPI. Depending on the mode of operation, it sends either Bridge or Vchannel to which this or that IP has fallen. | =like |
| Locked | Possible values: 0 - unlocked traffic 1 - locked traffic | =!= |
| Traffic direction | Possible values: From subscriber To subscriber | =!= |
Operators
| Operator | Description | Data input format |
|---|---|---|
= | Returns records equal to the entered value | |
!= | Returns records that do not equal the entered value | |
like | Returns records containing the defined character pattern | |
ilike | Works the same as like but is case-insensitive | |
not like | Returns records that don't contain the defined character pattern | |
not ilike | Works the same as not like, but is case-insensitive | |
match | Returns records matching a regular expression, a sequence of special characters that form a pattern or template that maps to a string | See link for input format and examples |
not match | Returns records that don't match the regular expression | See link for input format and examples |
> | Returns records that are greater than the entered value | |
>= | Returns records that are greater than or equal to the entered value | |
< | Returns records that are less than the entered value | |
⇐ | Returns records that are less than or equal to the entered value | |
in | Allows multiple values to be entered and returns all that match the values in the list. Each value must be entered on a new line | Each value on a new line |
not in | Allows multiple values to be entered and returns all of them, except those that match values in the list. Each value must be entered on a new line | Each value on a new line |
between | Returns records where the expression is in the range of values value1 and value2 inclusive | Each value on a new line |
not between | Returns all records where the expression not is between value1 and value2 inclusive | Each value on a new line |
in CIDRs | Allows multiple CIDR values to be entered and returns all that match the values in the list. Each value must be entered on a new line | 192.0.2.32/27 Each value on a new line |
not in CIDRs | Allows multiple CIDR values to be entered and returns all, except those that match the values in the list. Each value must be entered on a new line | 192.0.2.32/27 Each value on a new line |
Checks whether a string matches a simple regular expression. The regular expression can contain the metasymbols:
- % indicates any quantity of any symbols (including zero symbols).
- _ indicates any one symbol.
For an example of using a regular expression, see Case 1. Filtering by subscribers → Subscriber Pool.