Hi,
I am asked more and more often to help develop criteria for Alert Queues that keep specific messages out of a queue.
This can get confusing, especially when the criteria involve Boolean operators (AND/OR).
The criteria for the Alert Queues do not contain logic such as AND NOT or OR NOT, so we have to move the negation to the individual comparison parts.
I hope the following explanation of how to achieve the expected result is useful.
I suggest always starting with the criteria that include a specific message, and then converting them to exclude it.
In the following examples I am using the Summary field of an Alert as the criterion.
Case 1: "Message 1" should be excluded
include: Summary Equal To "Message 1"
exclude: Summary Not Equal To "Message 1"
That was the easy part.
Include:
Exclude:
Case 2: "Message 1" and "Message 2" should be excluded
include: Summary Equal To "Message 1" OR Summary Equal To "Message 2"
To negate this, you need the mathematical rule for negating Boolean operators (De Morgan's laws):
If you want to negate a condition, you have to negate the individual parts and toggle the operator, e.g. AND becomes OR and OR becomes AND.
Let's have a look at this for the exclusion:
NOT (Summary Equal To "Message 1" OR Summary Equal To "Message 2")
= (Summary Not Equal To "Message 1" AND Summary Not Equal To "Message 2")
Include:
Exclude:
Case 3: "Message 1" and "Message 2" should be excluded, but "Message 2" consists of two parts we have to capture
include: Summary Equal To "Message 1" OR (Summary Starts With "Message 2 ABC" AND Summary Ends With "Message 2 XYZ")
Using the same method as above, we can create the rule for the exclusion. Be aware of the two steps we need to fully resolve the transformation:
NOT (Summary Equal To "Message 1" OR (Summary Starts With "Message 2 ABC" AND Summary Ends With "Message 2 XYZ") )
= (Summary Not Equal To "Message 1" AND NOT (Summary Starts With "Message 2 ABC" AND Summary Ends With "Message 2 XYZ") )
= (Summary Not Equal To "Message 1" AND (Summary Does Not Start With "Message 2 ABC" OR Summary Does Not End With "Message 2 XYZ") )
Include:
Exclude:
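The transformation from Cases 2 and 3 can also be done mechanically. The following Python sketch is an added example, not part of the original post and not SOI code: it models criteria as nested tuples (an assumed representation), derives the exclusion rule from the inclusion rule, and shows what goes wrong if the comparisons are negated but OR is not toggled to AND. The sample summaries are constructed.

```python
# Added illustration: a leaf is (operator, value), a node is ("AND"|"OR", left, right).
NEGATED = {"Equal To": "Not Equal To",
           "Starts With": "Does Not Start With",
           "Ends With": "Does Not End With"}
NEGATED.update({neg: pos for pos, neg in NEGATED.items()})  # make the map two-way

POSITIVE = {"Equal To": lambda s, v: s == v,
            "Starts With": lambda s, v: s.startswith(v),
            "Ends With": lambda s, v: s.endswith(v)}

def negate(rule):
    """Turn an include rule into its exclude rule: negate parts, toggle AND/OR."""
    if rule[0] in ("AND", "OR"):
        toggled = "OR" if rule[0] == "AND" else "AND"
        return (toggled, negate(rule[1]), negate(rule[2]))
    return (NEGATED[rule[0]], rule[1])

def matches(rule, summary):
    """True if an alert with this Summary satisfies the rule."""
    if rule[0] == "AND":
        return matches(rule[1], summary) and matches(rule[2], summary)
    if rule[0] == "OR":
        return matches(rule[1], summary) or matches(rule[2], summary)
    op, value = rule
    if op in POSITIVE:
        return POSITIVE[op](summary, value)
    return not POSITIVE[NEGATED[op]](summary, value)

def render(rule):
    """Write the rule in the notation used in this post."""
    if rule[0] in ("AND", "OR"):
        return f"({render(rule[1])} {rule[0]} {render(rule[2])})"
    return f'Summary {rule[0]} "{rule[1]}"'

# Case 3 include rule and its derived exclude rule.
INCLUDE = ("OR", ("Equal To", "Message 1"),
           ("AND", ("Starts With", "Message 2 ABC"), ("Ends With", "Message 2 XYZ")))
EXCLUDE = negate(INCLUDE)

# Case 2 with the comparisons negated but OR left in place (the common mistake).
NAIVE = ("OR", ("Not Equal To", "Message 1"), ("Not Equal To", "Message 2"))

# Constructed sample summaries.
SAMPLES = ["Message 1", "Message 2 ABC foo Message 2 XYZ",
           "Message 2 ABC only", "Message 3"]

if __name__ == "__main__":
    print(render(EXCLUDE))
    for s in SAMPLES:
        print(f"{s!r}: include={matches(INCLUDE, s)} exclude={matches(EXCLUDE, s)}")
    print("naive rule still matches 'Message 1':", matches(NAIVE, "Message 1"))
```

Because every summary differs from at least one of the two messages, the naive rule matches every alert and excludes nothing.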
Once you understand the concept, you can develop complex patterns, such as:
which will keep the following messages out of this queue, if they are coming from the SNMP Connector (which is the first condition in this example):
- Probe *** FAILED to start
- Probe *** returns no-restart code (42)
- Probe *** error = (1450) Insufficient system resources exist to complete the requested service
- Probe *** FAILED to start, file check determines changes in the probe
- Connection error. XYZ
- Port unregister from active probe ***
- Failed to send set_hub to spooler (communication error)
- Connection Error. Could not connect to <IP Address>/48003. Please check that the server is running. Reason: n/a
- Connection Error. SSL connection to <Hostname (<IP Address>)> failed. Reason: n/a
If you have any further questions about this, you can contact me at MichaelBoehm
I am aware that the criteria for the above messages would be easier if you use Regular Expressions, but this feature (RegEx for Alert Queues) was built into SOI in a later release, and I wanted to explain the concept that can be used in every version of SOI.