✅ DO
- Use the Filter Wizard for complex queries
- Quote all string values properly
- Test filters before using in automation
- Use epoch seconds for date comparisons
- Group related conditions with parentheses
Filter Queries
The Logic.Monitor PowerShell module provides powerful filtering capabilities through the -Filter parameter available in most Get commands. You can also use the Build-LMFilter cmdlet to help construct complex filters. Some cmdlets include a -FilterWizard parameter automatically.
Filter Syntax
The filter syntax supports the following operators:
| Operator | Description | Example |
|---|---|---|
| -eq | Equal | name -eq 'myserver' |
| -ne | Not equal | hostStatus -ne 'dead' |
| -gt | Greater than | id -gt 100 |
| -lt | Less than | severity -lt 4' |
| -ge | Greater than or equal | alertCount -ge 5 |
| -le | Less than or equal | alertCount -le 10 |
| -contains | Contains | displayName -contains 'prod' |
| -notcontains | Does not contain | name -notcontains 'test' |
| -and | Logical AND | displayName -contains 'web' -and hostStatus -eq 'normal' |
| -or | Logical OR | hostStatus -eq 'dead' -or hostStatus -eq 'normal' |
Using the Filter Wizard
The module includes a Filter Wizard to help construct complex filters visually:
To use the Filter Wizard:
# Launch the Filter WizardBuild-LMFilter
# Use the generated filter with any Get commandGet-LMDevice -Filter (Build-LMFilter)
# Use builtin filter wizard parameterGet-LMDeviceGroup -FilterWizardCommon Filter Examples
Simple Filters
# Find devices by statusGet-LMDevice -Filter 'hostStatus -eq "normal"'
# Find devices by name patternGet-LMDevice -Filter 'displayName -contains "web"'
# Find devices by collectorGet-LMDevice -Filter 'preferredCollectorId -eq 1'
# Get critical alertsGet-LMAlert -Filter 'severity -eq "4"'
# Find active usersGet-LMUser -Filter 'status -eq "active"'Multi-Condition Filters
# Devices with AND conditionsGet-LMDevice -Filter 'hostStatus -eq "normal" -and displayName -contains "prod"'
# Devices with OR conditionsGet-LMDevice -Filter 'hostStatus -eq "dead" -or hostStatus -eq "down"'
# Unacknowledged critical alertsGet-LMAlert -Filter 'severity -eq "4" -and acked -eq "$false"'
# Users by email domainGet-LMUser -Filter 'email -contains "@company.com"'
# Devices not in specific groupGet-LMDevice -Filter 'hostGroupIds -notcontains "123"'Complex Filters
# Devices with custom properties (requires JSON escaping)Get-LMDevice -Filter 'customProperties -eq "{\"name\":\"environment\",\"value\":\"production\"}"'
# Grouped conditionsGet-LMDevice -Filter '(hostStatus -eq "normal" -and displayName -contains "web") -or displayName -contains "critical"'
# Date-based filters$thirtyDaysAgo = [int][double]::Parse((Get-Date).AddDays(-30).ToUniversalTime().Subtract((Get-Date "1/1/1970")).TotalSeconds)Get-LMDevice -Filter "lastDataTime -lt '$thirtyDaysAgo'"
# Multiple property checksGet-LMAlert -Filter 'severity -ge "3" -and acked -eq "$false" -and inSDT -eq "$false"'
# Complex user filteringGet-LMUser -Filter 'roles -contains "administrator" -and status -eq "active" -and twoFAEnabled -eq "$true"'Date Filtering Examples
# Get devices not reporting in last 30 days$thirtyDaysAgo = [int][double]::Parse((Get-Date).AddDays(-30).ToUniversalTime().Subtract((Get-Date "1/1/1970")).TotalSeconds)Get-LMDevice -Filter "lastDataTime -lt '$thirtyDaysAgo'"
# Get alerts from last 24 hours$lastDay = [int][double]::Parse((Get-Date).AddHours(-24).ToUniversalTime().Subtract((Get-Date "1/1/1970")).TotalSeconds)Get-LMAlert -Filter "startEpoch -gt '$lastDay'"
# Get SDTs scheduled for next week$nextWeek = [int][double]::Parse((Get-Date).AddDays(7).ToUniversalTime().Subtract((Get-Date "1/1/1970")).TotalSeconds)Get-LMSDT -Filter "startDateTime -lt '$nextWeek'"Best Practices
❌ DON'T
- Don’t forget to escape special characters
- Don’t use invalid operator combinations
- Don’t skip testing complex filters
- Don’t hardcode dates (use dynamic epoch conversion)
Key Guidelines
# ✓ Correct - properly quotedGet-LMDevice -Filter 'name -eq "myserver"'Get-LMDevice -Filter "name -eq 'myserver'"
# ✗ Wrong - missing quotesGet-LMDevice -Filter name -eq myserver# ✓ Correct - convert to epoch seconds$epoch = [int][double]::Parse((Get-Date).AddDays(-30).ToUniversalTime().Subtract((Get-Date "1/1/1970")).TotalSeconds)Get-LMDevice -Filter "lastDataTime -lt '$epoch'"
# ✗ Wrong - using date object directlyGet-LMDevice -Filter "lastDataTime -lt '$(Get-Date)'"# ✓ Correct - escaped JSONGet-LMDevice -Filter 'customProperties -eq "{\"name\":\"env\",\"value\":\"prod\"}"'
# Better - use Filter Wizard for complex property filtersBuild-LMFilter# ✓ Correct - logical groupingGet-LMDevice -Filter '(hostStatus -eq "normal" -and displayName -contains "web") -or priority -eq "high"'
# ✓ Also correct - simple conditionsGet-LMDevice -Filter 'hostStatus -eq "normal" -and displayName -contains "web"'Testing Filters
You can test your filters before using them:
# Test a filter queryTest-LMAppliesToQuery -Query 'system.hostname =~ "prod"'
# Preview filter resultsGet-LMDevice -Filter 'hostStatus -eq "active"' | Select-Object id, displayName, name