Configuring a filter

A filter block consists of one or more rules. These rules are applied to the input stream of messages in the order in which they appear in the block. Once a rule has been satisfied, no further rules are applied to the current message.

Filter rules have a fixed format that is fully described in eels_config(4eels). The rule syntax is:

   include | exclude field_name operation value
   	[ bool_op field_name operation value ]

include

Include log messages that match the following criterion. To include all log messages use the reserved word ``all'' in place of a selective criterion.

exclude

Exclude log messages that match the following criterion. To exclude all log messages use the reserved word ``all'' in place of a selective criterion.

field_name

The name of the column within the log message to which the rule will be applied. The set of column names within the EELS database are described in ``Database table overview''.

operation

The relational operator to apply to field_name. Possible operations are:

==

Equals

!=

Not equals

~

Contains

value

The value to use with the operation in determining the rule.

bool_op

A boolean operator for joining together two or more sets of field_name operation value. Possible operators are:

&&

And

||

Or

If you wanted to filter out only messages that contain the word ``error'', you could use a filter block similar to this:

   filter example_filter {
   	exclude  "EventSpecificInformation ~ 'error'"
   	include  "all";
   }

1. include "EventSpecificInformation == '*'"

2. exclude "EventSpecificInformation ~ 'error'"

1. exclude "EventSpecificInformation ~ 'error'"

2. include "EventSpecificInformation == '*'"