Unified Log Source: Filter with Predicates

The log output can be filtered when only specific types of logs are required or the data load needs to be limited. The option is forwarded directly to the built-in log command in the configuration for each channel.

Pattern Clauses

The filter expression matches one or more of the following pattern clauses:

  • eventMessage - specify a text pattern, or text, within the message, or an activity name.

  • processImagePath - this matches the text pattern in the name of the process which originated the event.

  • senderImagePath - this matches the text pattern in the name of the sender, which might be the name of a library, extension, or executable.

  • subsystem - this matches the subsystem specifier, for example com.apple.TimeMachine. Although potentially valuable, subsystems are not yet widely used, and discovering which is which is not easy. Use with caution.

  • category - this matches the category, and should be used in conjunction with the subsystem filter; for the whole specifier com.apple.TimeMachine.TMLogInfo, the subsystem is com.apple.TimeMachine and the category is TMLogInfo.

  • eventType - matches the type of event, such as logEvent (1024), traceEvent (768), activityCreateEvent (513), or activityTransitionEvent (514). Can be given as characters (case-sensitive) or digits as shown in parentheses. Use these only with the operators == or !=, as they are treated as numbers rather than text.

  • messageType - matches the type of message for logEvent and traceEvent, and includes default (0), release (0), info (1), debug (2), error (16), and fault (17). Can be given as characters (case-sensitive) or digits as shown in parentheses. Use these only with the operators == or !=, as they are treated as numbers rather than text.

Operators

The following comparison and other operators are available:

  • == (or =) for equality

  • != or <> for inequality

  • >= or => for greater than or equal to

  • <= or =< for less than or equal to

  • > for greater than

  • < for less than

  • AND or && for logical and

  • OR or || for logical or

  • NOT or ! for logical not

  • BEGINSWITH, CONTAINS, ENDSWITH, LIKE, MATCHES for string comparisons, using regular expressions when desired; strings can be compared with case insensitivity and diacritic insensitivity by appending [cd] to the operator. For example, CONTAINS[c] means case-insensitive comparison.

  • UTI-CONFORMS-TO, UTI-EQUALS support comparison of UTIs like com.adobe.pdf

  • ANY, SOME, NONE, IN, and array operators are available but unlikely to be used

  • FALSE, TRUE, NULL have their expected literal meanings.
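
The following added example (not part of the original documentation or of the product's code) builds a filter expression from the pattern clauses and operators above and rejects combinations the lists rule out, such as >= with messageType. The helper names, the backslash escaping of quotes inside string literals, and the use of log stream --predicate to try the result are assumptions of this example.

```python
import shlex

# Pattern clauses and operators as listed on this page.
STRING_FIELDS = {"eventMessage", "processImagePath", "senderImagePath",
                 "subsystem", "category"}
NUMERIC_FIELDS = {"eventType", "messageType"}  # treated as numbers, not text
STRING_OPS = {"==", "!=", "BEGINSWITH", "CONTAINS", "ENDSWITH", "LIKE", "MATCHES"}
MODIFIERS = {"", "[c]", "[d]", "[cd]"}


def quote(value):
    # Assumed escaping: backslash-escape backslashes and double quotes.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def clause(field, op, value):
    # Return one validated comparison, or raise ValueError.
    if field in NUMERIC_FIELDS:
        # eventType and messageType accept only == or !=, with a name or digits.
        if op not in ("==", "!=") or not str(value).isalnum():
            raise ValueError(f"{field} takes only == or != with a name or number")
        return f"{field} {op} {value}"
    if field not in STRING_FIELDS:
        raise ValueError(f"unknown pattern clause: {field}")
    base, bracket, rest = op.partition("[")
    if base not in STRING_OPS or bracket + rest not in MODIFIERS:
        raise ValueError(f"unsupported string operator: {op}")
    return f"{field} {op} {quote(str(value))}"


def all_of(*parts):
    return " AND ".join(f"({p})" for p in parts)


def any_of(*parts):
    return " OR ".join(f"({p})" for p in parts)


def log_command(predicate):
    # Shell-quoted command line for testing the predicate by hand on macOS.
    return shlex.join(["log", "stream", "--predicate", predicate])


def example_predicate():
    # Constructed sample: Time Machine info category, errors and faults only.
    return all_of(clause("subsystem", "==", "com.apple.TimeMachine"),
                  clause("category", "==", "TMLogInfo"),
                  any_of(clause("messageType", "==", "error"),
                         clause("messageType", "==", 17)))


if __name__ == "__main__":
    print(log_command(example_predicate()))
```

Validating the expression before it is placed in the channel configuration catches malformed filters early, which matters because the option is passed straight through to the log command.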