From: Kamil T. <kt...@em...> - 2003-01-16 08:06:54
On St, 2003-01-15 at 15:05, Benoit DOLEZ wrote:
Hi!
> In the filter module, it is possible to filter with defined fields of
> the message type. But each echelog entry has predefined fields because of the
> echelog protocol (in the header): agent_ip, instance_id, date.
> I would like to know how to build a filter like:
>
> Rule {
> MSG SimpleLog
> COND AGENT_INSTANCE_ID == 'rrd0'
> PASS Splitter
> }
>
> Benoit
I'm not sure if the Filter is able to filter anything but message chunks
by attributes. I think it'd need an enhancement to support this. Marek
should know more.
The filter rules must conform to the following regular expression:
( ( MSG msg_name
    (COND attribute_name cond_type value ( value-part-n )*)*
    ( ((PASS | PASS_DISCARD) output1 ( outputN )*) | DISCARD ) )
| ( MSGALL PASS output1 ( outputN )* ) )
where msg_name is a message type name,
attribute_name is an attribute name (of the selected message)
I think there are also some minor issues concerning the complex echelog
types (thus attributes) filtering conditions -- Filter doesn't allow
simply testing complex types (attribute instances). That is, you can't
write:
#Incorrect
Rule {
MSG SessionMessage
COND FOO == null foo2 foo3
PASS out1
}
But you have to work around this as
Rule {
MSG SessionMessage
COND FOO.alt2 == foo2
COND FOO.alt3 == foo3
PASS out1
}
In this context I'd suggest to enhance Rules MSG condition to support
better message-by-header filtering not just by message type.
Thus condition
MSG SessionMessage
would be an alias for
MSG.type == SessionMessage
and other header condition rules would be:
MSG.msg_time
MSG.subrecords
MSG.agent_id
MSG.agent_instance_id
MSG.agent_host_id
MSG.flags -- allowed condition values: BASIC, INCREMENTAL, AGGREGABLE
Kamil
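
Added example (not part of the original message and not echelog code): a small Python checker for the rule grammar quoted in the message above, useful for linting a rule body before it is loaded. Assumptions: tokens are whitespace-separated, cond_type is treated as an opaque token, and parse_rule and its result layout are hypothetical names.

```python
import shlex

KEYWORDS = {"MSG", "MSGALL", "COND", "PASS", "PASS_DISCARD", "DISCARD"}

def parse_rule(body):
    """Parse the text between 'Rule {' and '}' against the quoted grammar."""
    toks = shlex.split(body, comments=True)  # strips 'quotes' and '#' comments
    pos = 0

    def take_until_keyword():
        nonlocal pos
        start = pos
        while pos < len(toks) and toks[pos] not in KEYWORDS:
            pos += 1
        return toks[start:pos]

    def expect(cond, what):
        if not cond:
            raise ValueError(f"{what} (at token {pos})")

    expect(toks and toks[0] in ("MSG", "MSGALL"), "rule must start with MSG or MSGALL")
    rule = {"msg": None, "conds": [], "action": None, "outputs": []}
    if toks[0] == "MSGALL":
        pos = 1
        expect(pos < len(toks) and toks[pos] == "PASS", "MSGALL allows only PASS")
    else:
        expect(len(toks) > 1 and toks[1] not in KEYWORDS, "MSG needs a message type name")
        rule["msg"] = toks[1]
        pos = 2
        while pos < len(toks) and toks[pos] == "COND":
            pos += 1
            parts = take_until_keyword()
            expect(len(parts) >= 3, "COND needs attribute, cond_type and value")
            rule["conds"].append((parts[0], parts[1], parts[2:]))
    expect(pos < len(toks) and toks[pos] in ("PASS", "PASS_DISCARD", "DISCARD"),
           "missing PASS, PASS_DISCARD or DISCARD")
    rule["action"] = toks[pos]
    pos += 1
    rule["outputs"] = take_until_keyword()
    if rule["action"] == "DISCARD":
        expect(not rule["outputs"], "DISCARD takes no outputs")
    else:
        expect(rule["outputs"], "PASS and PASS_DISCARD need at least one output")
    expect(pos == len(toks), "unexpected tokens after the action")
    return rule

# Rule bodies copied from the message above.
BENOIT = "MSG SimpleLog COND AGENT_INSTANCE_ID == 'rrd0' PASS Splitter"
WORKAROUND = "MSG SessionMessage\nCOND FOO.alt2 == foo2\nCOND FOO.alt3 == foo3\nPASS out1"
```

The checker only validates syntax: it cannot tell whether AGENT_INSTANCE_ID or FOO names an attribute the Filter can actually test, which is the limitation the message describes.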