Export (0) Print
Expand All

Applying and Managing View Filters

After you display message data in one or more of the Message Analyzer data viewers, you can apply a View Filter to reduce the scope of the presented data in a viewer according to filtering criteria that you define. You might use a View Filter to isolate specific information while still preserving the original contents of a trace. For example, after you apply a filter expression in the View Filter group on the Ribbon of the Message Analyzer Home tab, you can simply undo the filtering action by selecting the Remove or Remove and Clear Text command. A View Filter, like a Selection Filter or Trace Filter, is based on the Filtering Language, as described in Writing Filter Expressions.

By default, the filtering action of a View Filter impacts only the selected view in which you apply the filter, meaning that its action is specific to the current in-focus viewer only. The default action is initiated by clicking the Apply Filter icon in the View Filter group on the Ribbon of the Message Analyzer Home tab.

Tip  You can also apply a View Filter by using the keyboard shortcut Ctrl+Enter and you can remove an applied View Filter by using the keyboard shortcut Ctrl+Shift+Enter.

Note  A View Filter does not alter the original message data that you capture live or import into Message Analyzer. Whenever you run a Trace Session or Browse Session, a View Journal is automatically created as a repository for the results. A View Filter simply allows you to return a subset of View Journal data to your session viewer based on specified filtering criteria, for analysis purposes.

Using the Filter Expression Library
Message Analyzer provides a centralized Filter Expression Library that contains predefined filters that you can apply as a View Filter to data displaying in a chosen message viewer. For example, you might apply the predefined Filter Expression *SourcePort == IANA.Port.SMB to the Protocol Dashboard viewer to filter for messages from any protocol that have a top-level SourcePort field equal to 445. You could then double-click the bar in the Top Level Protocol Summary bar chart corresponding to the filtered messages and automatically display them in the Analysis Grid viewer for further examination.

You can also create your own custom Filter Expression to apply to a chosen data viewer. However, if you create your own Filter Expression, it is subject to successful compilation verification; otherwise you will be unable to use it. Note that Message Analyzer enables you to manually perform a quick compilation verification for Selection Filters and Trace Filters before you start an import or trace, as a matter of convenience when you are developing a Filter Expression. If you do not validate the Filter Expression, a process automatically kicks in and performs the compilation check. If the Filter Expression is invalid, an error message displays and you will either need to correct the expression or abandon it; otherwise, the filter you configured will be applied to the data. However, note that there are no facilities to manually perform compilation verification for View Filters. In either circumstance, any filter that you intend to apply is verified as a valid Filter Expression before its application, otherwise you will receive a compilation error.

Creating View Filters from the Analysis Grid
You can also apply a View Filter very quickly to your data by right-clicking most columns in the Message Analyzer Analysis Grid viewer column layout and selecting the Add <columnName> to Filter command from the menu that displays. The columnName value in this command is a placeholder for the actual name of the Analysis Grid viewer column containing the data value that you right-click. The column name is automatically retrieved and displayed in the right-click menu, and when you select it, Message Analyzer builds a Filter Expression based on existing message data values, for example IPv4.Destination==192.168.1.1 or TCP. As a result, these filters are guaranteed to return results.

Note  A Filter Expression such as TCP is called an atomic filter in Message Analyzer. An atomic filter is a simple, left-hand side only filter that does not use any operators or combinators such as OR, AND, or NOT.

Creating View Filters from the Details Window
Similar to the way you create a right-click View Filter from the Analysis Grid viewer, you can also create a View Filter from the Details tool window on the Message Analyzer Home tab, by right-clicking any field in the Name column of the Details tool window and selecting the Add <fieldName> to Filter menu item. The fieldName value in this command is a placeholder for the actual field name in the Name column.

If the Details tool window is not displayed, select the Details item from the Tool Windows drop-down in the Windows group on the Ribbon of the Message Analyzer Home tab to restore it.

Managing View Filters as Shared Items
Your local View Filter Library contains a default collection of Filter Expression items plus any items that you create, and you can share all of these items with others. To do this, Message Analyzer provides a simple way to expose your Filter Expression items to others for sharing, or to retrieve Filter Expressions that others have shared. You can share your View Filter Library items directly with others by using the Export feature in the Manage Filter dialog to save one or more Filter Expression items to a designated file share. You can also use the Import feature in the same dialog to access Filter Expression items that have been shared by others. The Manage Filter dialog is accessible by selecting the Manage Filters item from the View Filter Library drop-down in the View Filter group on the Ribbon of the Message Analyzer Home tab.

In addition, you can share your Filter Expression items through a user feed that you configure in the Message Analyzer Sharing Infrastructure. You can create your own feed from the Settings tab on the Message Analyzer Start Page and it will appear on the Downloads page. Thereafter, you can update existing Filter Expression items or add others and make them available to team members or other users through the configured feed, where they can view, synchronize, and download them from the Downloads or Settings tabs. However, the synchronization aspect of the publishing feature on user feeds requires some manual configuration at this time to enable updates, as described in Manual Item Update Synchronization.

Message Analyzer also has a default subscriber feed on the Start Page that enables you to download View Filter item collections from a Microsoft web service and to synchronize with item collection updates that are periodically pushed out by the service, as useful View Filter items are developed at Microsoft for the community of Message Analyzer users. To receive these updates that will appear in the Message Analyzer category of your local View Filter Library, you must set the Filters collection to the auto-sync state on the Message Analyzer Start Page. At any time, you can perform a download of an auto-synced collection from the Settings tab on the Start Page.


More Information
To learn more about applying View Filters, see Filtering Message Data.
To learn more about the Filtering Language and how to write filter expressions, see Writing Filter Expressions.
To learn more about sharing Message Analyzer Library items, including further details about the common Manage <Items> dialog, see the Sharing Infrastructure topic.
To learn more about auto-syncing item collections, see Managing Item Collection Downloads and Updates.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft