Complex Alert Queue Criteria (negation of patterns)

Document created by MichaelBoehm Employee on Apr 29, 2015Last modified by MichaelBoehm Employee on Apr 29, 2015
Version 2Show Document
  • View in full screen mode



more often I got asked to help in developing criteria for Alert Queues that are used to keep messages out of a specific queue.

Especially when using criteria that involve Boolean rules (and/or) this can get confusing.

The criteria for the Alert Queues do not contain logic such as  AND NOT, OR NOT, so we have to move the negation to the individual comparison parts.


I hope the following explanation is useful, how to achieve the expected result.


I suggest to always start with the criteria to include a specific message, and then update it to exlude it.

In the following examples I am using the Summary field of an Alert as criteria.


Case 1: "Message 1" should be excluded

include: Summary  Equal To  "Message 1"

exclude: Summary  Not Equal To  "Message 1"

That was the easy part





Case 2: "Message 1" and "Message 2" should be excluded

include: Summary  Equal To  "Message 1"   OR   Summary  Equal To  "Message 2"

To negate this, you have to be aware of the mathematical rule how to negate Boolean operators (Rules of de Morgan):

If you want to negate the condition, you have to negate the individual parts and toggle the operator. e.g. AND becomes OR,  OR becomes AND

Lets have a lok at this for the exclusion:

NOT (Summary  Equal To  "Message 1"   OR  Summary  Equal To  "Message 2")

= (Summary  Not Equal To  "Message 1"   AND   Summary  Not Equal To  "Message 2")






Case 3: "Message 1" and "Message 2" should be excluded, but "Message 2" consists of two parts we have to capture

include: Summary  Equal To  "Message 1"   OR   (Summary  Starts With  "Message 2 ABC"  AND  Summary  Ends With  "Message 2 XYZ")

Using the same method as above, we can create the rule for the exclusion.  Be aware of the two steps we need to fully resolve the transformation:

NOT (Summary  Equal To  "Message 1"   OR  (Summary  Starts With  "Message 2 ABC"  AND Summary  Ends With  "Message 2 XYZ") )

(Summary  Not Equal To  "Message 1"   AND NOT (Summary  Starts With  "Message 2 ABC"  AND  Summary  Ends With  "Message 2 XYZ") )

(Summary  Not Equal To  "Message 1"   AND (Summary  Does Not Start With  "Message 2 ABC"  OR Summary  Does Not End With  "Message 2 XYZ") )







Once you understand the concept, you can develop complex patterns, such as:


which will keep the following messages out of this queue, if they are coming from the SNMP Connector (which is the first condition in this example):

  • Probe *** FAILED to start
  • Probe *** returns no-restart code (42)
  • Probe *** error = (1450) Insufficient system resources exist to complete the requested service
  • Probe *** FAILED to start, file check determines changes in the probe
  • Connection error.  XYZ
  • Port unregister from active probe ***
  • Failed to send set_hub to spooler (communication error)
  • Connection Error. Could not connect to <IP Address>/48003. Please check that the server is running. Reason: n/a
  • Connection Error. SSL connection to <Hostname (<IP Address>)> failed. Reason: n/a


If you have any further questions about this, you can contact me at MichaelBoehm


I am aware that the criteria for above mesages would be easier if you use Regular Expressions, but this feature (RegEx for Alert Queues) was built into SOI in a later release, and I wanted to explain the concept that can be used in every version of SOI.