Nested Filtering

What is a one sentence summary of your feature request?

Create filters that include ‘and’ per row.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Ability to specify a filter that can only include a subset or exclude a subset of events without having to know all of the exclusions needed.

For example:

Action equals modified AND Details contain ‘index’ AND Who not equal to ‘sqlagent’

Other actions made by ‘sqlagent’ can still be found.

How do you currently solve the challenges you have by not having this feature?

We have to create exclusions for every unrelated event.

Hello J C,

Thanks for sharing the idea. I want to make sure I fully understand the limitation you’re running into.

Based on your description (for example: Action = Modified AND Details contains “index” AND Who ≠ “sqlagent”), this combination of conditions already reflects how Auditor filters are applied today within a single filter set.

Could you please clarify:

  • In which UI (Search, Reports, Alerts, etc.) you are configuring this filter?

  • Whether the issue is related to OR logic between rows, grouping, or filter evaluation order?

  • A screenshot of the filter configuration and the resulting events list would help a lot.

This will help determine whether this is a missing capability, a UX issue, or possibly a misunderstanding of current filter behavior.

Best regards,
Konstantin