EvmFilter(5)
NAME
EvmFilter - Event filter
DESCRIPTION
An event filter tells the EVM daemon which events a subscriber considers
interesting. If the client does not set a filter, it will receive no
events.
An event filter may be specified with the Event Viewer and the user
commands to select events for viewing or processing.
A filter is an ASCII character string - it can be very simple or
arbitrarily complex. Complex filters are created by combining simple
filters.
A simple filter has the following format:
    [keyword expr] | 0 | 1
The format of expr is specific to the type of filter. The left and right
square brackets ([ and ]) are required. The values for keyword and the
associated expr are the following:
name event-name-specifier
    Selects events with a name matching the event-name-specifier. Names
    are considered to match when the event name matches as many components
    as included in the filter.
    The event-name-specifier may include the * and the ? characters as
    wildcards in any component position. The * represents 0 or more
    components with any value. The ? represents exactly one component.
    Any event-name-specifier includes an implied trailing .* wildcard.
priority equality-operator integer
    Only events with a priority meeting the specified evaluation will be
    passed. The integer value may be 0 to 700, inclusive. See the table
    following for a description of equality-operator. May be specified as
    prio.
timestamp time-range-specifier
    All events with a timestamp that is within the time-range-specifier are
    passed. See the description of time-range-specifier following. May be
    specified as time.
before absolute-time-specifier
    All events with a timestamp that is earlier than the
    absolute-time-specifier are passed. See the description of
    absolute-time-specifier following.
since absolute-time-specifier
    All events with a timestamp that is equal to or later than the
    absolute-time-specifier are passed. See the description of
    absolute-time-specifier following.
host_name host-name
    All events posted from the machine host-name are passed. May be
    specified as host.
cluster_name cluster-name
    All events posted from the cluster cluster-name are passed. May be
    specified as cluster.
event_id equality-operator integer
    All events with an event_id meeting the specified evaluation will be
    passed. See the EvmEvent(5) reference page for a description of the
    event_id. See the table following for a description of
    equality-operator. May be specified as id.
0   A filter value of 0 passes no events.
1   A filter value of 1 passes all events.
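The name matching rules above (whole-component * and ? wildcards plus the
implied trailing .*), written out as an added example; this is not EVM
source code. It assumes case-sensitive comparison, which this page does not
specify, and the event names are constructed.

```python
# Added example: component-wise matching for the "name" keyword.
# Assumptions (not stated on this page): names compare case-sensitively and
# a wildcard always stands for a whole component, never part of one.

def name_matches(specifier, event_name):
    """Return True if event_name passes the filter [name specifier]."""
    if not event_name:
        return False                         # item missing from event: no match
    pattern = specifier.split(".") + ["*"]   # implied trailing .* wildcard
    parts = event_name.split(".")
    # reach[j] is True when the pattern consumed so far can match parts[:j]
    reach = [True] + [False] * len(parts)
    for token in pattern:
        if token == "*":                     # zero or more components
            seen, nxt = False, []
            for r in reach:
                seen = seen or r
                nxt.append(seen)
        else:                                # "?" or a literal: one component
            nxt = [False] + [reach[j] and token in ("?", parts[j])
                             for j in range(len(parts))]
        reach = nxt
    return reach[-1]

# Constructed event names, not taken from a real system.
SAMPLE_EVENTS = [
    "myco", "myco.myapp", "myco.myapp.startup", "myco.myapp.db.conn.showme",
    "sys.unix.syslog.auth", "sys.unix", "other.app.showme",
]

def select(specifier, names=SAMPLE_EVENTS):
    """List the names that a subscriber using [name specifier] would see."""
    return [n for n in names if name_matches(specifier, n)]

if __name__ == "__main__":
    for spec in ("myco.myapp", "?.?.?", "myco.myapp.*.showme", "sys.unix.syslog"):
        print(f"[name {spec}]", select(spec))
```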
The available equality-operator specifiers are shown in the following
table.
________________________________
Operator    Meaning
________________________________
=           Equal
>           Greater Than
<           Less Than
>=          Greater Than or Equal
<=          Less Than or Equal
!=          Not Equal
________________________________
A time-range-specifier consists of seven colon-separated fields in the
following format:
    year:month-of-year:day-of-month:day-of-week:hours:minutes:seconds
Any component in the time range may be replaced by an asterisk (*)
character as a wildcard, meaning that any value in this component will
match the filter. You can specify multiple discrete values for a component
by separating them with a comma. You can specify a range by using a hyphen
to separate the starting and ending values for the range.
An absolute-time-specifier is very similar to the time-range-specifier. It
has only six components, and does not allow the use of wildcards. It has
the following format:
    year:month-of-year:day-of-month:hours:minutes:seconds
In both forms of time specification, the range of values for each component
is shown in the following table.
____________________________
Specifier        Range
____________________________
year             1970 to 2030
month-of-year    1 to 12
day-of-month     1 to 31
day-of-week      0 (Sun) to 6
hours            0 to 23
minutes          0 to 59
seconds          0 to 59
____________________________
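An added example, not part of the original reference page or of EVM itself,
that validates a time-range-specifier against the table above and tests a
timestamp against it. It assumes ranges are written low-high and that the
timestamp is a naive local datetime; the sample values are constructed.

```python
from datetime import datetime

# Field order and inclusive limits from the table above (day-of-week 0 = Sun).
FIELDS = [("year", 1970, 2030), ("month-of-year", 1, 12),
          ("day-of-month", 1, 31), ("day-of-week", 0, 6),
          ("hours", 0, 23), ("minutes", 0, 59), ("seconds", 0, 59)]

def parse_time_range(spec):
    """Parse a seven-field time-range-specifier into per-field span lists.

    A field given as * becomes None (any value). Raises ValueError for a
    wrong field count or a value outside the documented range.
    """
    parts = spec.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected seven colon-separated fields")
    parsed = []
    for text, (label, lo, hi) in zip(parts, FIELDS):
        if text == "*":
            parsed.append(None)
            continue
        spans = []
        for item in text.split(","):          # comma: discrete values
            first, _, last = item.partition("-")   # hyphen: inclusive range
            a, b = int(first), int(last or first)
            if not lo <= a <= b <= hi:        # assumption: low-high order only
                raise ValueError(f"{label}: {item!r} outside {lo}..{hi}")
            spans.append((a, b))
        parsed.append(spans)
    return parsed

def time_matches(spec, ts):
    """Return True if datetime ts passes the filter [time spec]."""
    if ts is None:
        return False                          # missing timestamp: no match
    dow = (ts.weekday() + 1) % 7              # Python Monday=0 -> Sunday=0
    values = [ts.year, ts.month, ts.day, dow, ts.hour, ts.minute, ts.second]
    return all(spans is None or any(a <= v <= b for a, b in spans)
               for spans, v in zip(parse_time_range(spec), values))

if __name__ == "__main__":
    # Constructed timestamp: 02:59:59 falls inside hours 00-02, 03:00:00 does not.
    print(time_matches("*:*:*:*:00-02:*:*", datetime(1999, 6, 1, 2, 59, 59)))
```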
Any expression may be inverted (logically negated) by the use of the NOT
operator, the exclamation mark (!).
A complex filter is composed of two or more simple filters, combined using
the AND (&) and OR (|) logical operators. Component filter expressions may
be grouped in parentheses (( and )) to set the precedence of test
operations. The order of precedence of logical and grouping operators
(highest to lowest) is:
    ( ) ! & |
Event filters can be direct or indirect. A direct filter is a text string
appearing at the point of filter specification. An indirect filter is
contained in a file, and is referred to using the following syntax:
    @filename[:filtername]
See the evmfilterfile(4) reference page for more information about using
indirect filters.
If an event being evaluated does not contain the item being compared in a
filter expression, the expression always yields no match. For example, if
the timestamp is missing and you include the before keyword in a filter
string, that part of the filter will return no match.
EXAMPLES
The following table shows a number of filter specifications, and the
interpretation given to each.
__________________________________________________________________________
Filter String                       Interpretation
__________________________________________________________________________
"[name *]"                          Any named event.
"[name myco.*]"                     All events with names that start with
                                    myco.
"![name myco.*]"                    All events with names that do not
                                    start with myco.
"[name ?.?.?]"                      Any event with a name that has at
                                    least three components.
"[name myco.myapp.*]"               Any event with a name that has the
                                    first two components myco.myapp.
"[name myco.myapp]"                 Any event with a name that has the
                                    first two components myco.myapp.
                                    Identical in meaning to the previous
                                    filter string.
"[name sys.unix.syslog]"            Events which have sys.unix.syslog as
                                    the first three components of the
                                    name.
"[name myco.myapp.*.showme]"        Any event name that starts with the
                                    components myco.myapp and ends with
                                    showme, no matter how many components
                                    are included between.
"[time 1999:6:1:*:*:*:*]"           Any event posted on June 1st, 1999.
"[time 1999:6:1,3:*:*:*:*]"         Any event posted on June 1st or June
                                    3rd, 1999.
"[time 1999:6:1-3:*:*:*:*]"         Any event posted between June 1st and
                                    June 3rd, 1999.
"[time 1999:6:1-3,5-7:*:*:*:*]"     Any event posted between June 1st and
                                    June 3rd, 1999, or between June 5th
                                    and June 7th, 1999, inclusive.
"[time *:*:*:*:00-02:*:*]"          All events occurring between midnight
                                    and 2:59:59 a.m. inclusive.
"[since 1999:6:1:03:00:00]"         All events occurring after 3:00 a.m.
                                    on June 1st, 1999.
"[before 1999:6:1:03:00:00]"        All events occurring before 3:00 a.m.
                                    on June 1st, 1999.
"[prio > 500]"                      All events with priority greater than
                                    500.
"[name myco.myapp] & [pri >= 500]"  All events that have names starting
                                    with myco.myapp and priority at least
                                    500.
"[name myco.myapp] | [pri >= 500]"  All events that have names starting
                                    with myco.myapp or that have priority
                                    at least 500.
"[name sys.unix.syslog] &           All syslog events occurring on June 1,
 [time 1999:6:1-3:*:*:*:*]"         2 or 3.
"0"                                 Passes no events.
"1"                                 Passes all events.
"@sys"                              Specifies an indirect filter. The
                                    filter string is the default filter
                                    contained in a filter file named sys
                                    or sys.evf.
"@sys:advfs"                        Specifies an indirect filter. The
                                    filter string is the filter named
                                    advfs contained in a filter file named
                                    sys or sys.evf.
__________________________________________________________________________
SEE ALSO
Commands: evmget(1), evmshow(1), evmwatch(1)
Routines: EvmConnSubscribe(3)
Files: evmfilterfile(4)
Event Management: EVM(5)
EVM Events: EvmEvent(5)