equals or ==
Tests the equality of the two members of a Boolean expression. It evaluates to TRUE if <expr1> and <expr2> have the same value. The operator works across valid data types for slots.
Syntax:
where [ <expr1> equals <expr2> AND/OR ...]
Example:
where [ $THIS.hostname equals 'myhost' ]
where [ ($THIS.repeat_count + 1) == $THAT.value ]
not_equals or !=
Tests the inequality of the two members of a Boolean expression. It evaluates to TRUE if <expr1> and <expr2> do not have the same value. The operator works across valid data types for slots.
Syntax:
where [ <expr1> not_equals <expr2> AND/OR ...]
within
Evaluates to TRUE if the value of <expr1> is contained in the list of values.
Syntax:
where [ <expr1> within [<list of values>] AND/OR ...]
outside
Evaluates to TRUE if the value of <expr1> is not contained in the list of values.
Syntax:
where [ <expr1> outside [<list of values>] AND/OR ...]
between
Evaluates to TRUE if the value of <expr1> lies between the specified lower and upper limits.
Syntax:
where [ <expr1> between [<minimum value>, <maximum value>] ]
greater_than or >
Compares two expressions. It evaluates to TRUE if <expr1> has a value greater than <expr2>. The operator works across valid data types for slots.
Syntax:
where [ <expr1> greater_than <expr2> AND/OR ... ]
smaller_than or less_than or <
Compares two expressions. It evaluates to TRUE if <expr1> has a value smaller than <expr2>. The operator works across valid data types for slots.
Syntax:
where [ <expr1> smaller_than <expr2> AND/OR ...]
greater_or_equals or >=
Compares two expressions. It evaluates to TRUE if <expr1> has a value greater than or equal to <expr2>. The operator works across valid data types for slots.
Syntax:
where [ <expr1> greater_or_equals <expr2> AND/OR ...]
smaller_or_equals or less_or_equals or <=
Compares two expressions. It evaluates to TRUE if <expr1> has a value smaller than or equal to <expr2>. The operator works across valid data types for slots.
Syntax:
where [ <expr1> smaller_or_equals <expr2> AND/OR ...]
has_prefix
Tests the characters at the beginning of an expression of type STRING. The filter returns TRUE when <expr2> is a prefix of the STRING value contained in <expr1>.
Syntax:
where [ <expr1> has_prefix <expr2> AND/OR ...]
has_suffix
Tests the characters at the end of an expression of type STRING. The filter returns TRUE when <expr2> is a suffix of the STRING value contained in <expr1>.
Syntax:
where [ <expr1> has_suffix <expr2> AND/OR ...]
contains
Tests whether an expression of type STRING contains a specified string. You can also use this operator with a list of strings; in that case the test succeeds only if the expression of type STRING contains every one of the strings specified in the list that follows the operator. If the string specified after the operator is an empty string (''), the test fails.
Syntax:
where [ <expr1> contains '<string>' | <expr1> contains [ '<string1>','<string2>' ] | <list> contains <expr> AND/OR ... ]
contains_one_of
Tests whether the expression, of type STRING, contains one of the strings specified in the list that follows the operator. If the string specified after the operator is an empty string (‘’), the test fails.
Syntax:
where [ <expr1> contains_one_of [ '<string1>','<string2>' ] AND/OR ... ]
contained_in
Tests whether the value of an expression of type STRING is found within the string given after the operator. If the slot value to be tested is an empty string, the test fails.
Syntax:
where [ <expr1> contained_in '<string>' ]
Example:
where [ $THIS.msg contained_in 'bbbbbb t:abcdef fgsg' ]
If the event under analysis has msg = 'abcdef', the event filter is satisfied.
matches
Performs basic pattern matching on expressions of type STRING. It is less powerful than real regular expressions but still offers useful functionality while remaining simpler to use.
Syntax:
where [ <expr1> matches <pattern> ]
Explanation
A pattern is a sequence of components. Some components are literal text that must appear exactly as written; the others are placeholders for any decimal number (integer), any real number, or any string, written %d (decimal number), %f (real number) and %s (a string). A string (%s) is terminated either by the first occurrence of the character that follows it in the pattern, or by the end of the slot value text. A decimal number is any series of digits, possibly preceded by a minus sign (-). A real number is a series of digits with an optional decimal point (.) anywhere in the sequence, possibly preceded by a minus sign. For example:
3 matches %d, %f, or %s
-3 matches %d, %f, or %s
3. matches %f or %s
-3. matches %f or %s
.3 matches %f or %s
-.3 matches %f or %s
3.3.2 matches only %s
[^a-z] matches only %s
Fred matches only %s
Anything other than a %s, %d or %f placeholder must match exactly, with the exception of spaces: a single space in the pattern matches one or more contiguous spaces in the value of <expr1>.
For example:
where [ $THIS.msg matches '%s %d' ]
This matches 'Eagle 1' or '[missing] 378' or even '12 34', but not 'Missing number' or 'loopback 127.0.0.1'. The last case shows that the pattern has to account for the entire slot value: %d matches the 127, but the remaining '.0.0.1' is matched by nothing, so the test fails.
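To make the placeholder rules concrete, the following is an added Python reimplementation of the matches semantics described above. It is illustrative code written for this page, not the product's own matcher: it translates a pattern into an anchored regular expression using the rules given (literal text exact, one space for one or more spaces, %s up to the next pattern character). Treating %s as needing at least one character is an assumption of this example; the page does not say whether an empty string counts as a string.

```python
import re

# Placeholder classes from the page: %d decimal number, %f real number, %s string.
_DECIMAL = r'-?[0-9]+'
# Digits with at most one '.' anywhere, so '3.', '.3' and '-.3' all qualify.
_REAL = r'-?(?:[0-9]+\.?[0-9]*|\.[0-9]+)'


def compile_pattern(pattern):
    """Translate a 'matches' pattern into an anchored regular expression.

    Literal characters must match exactly; a single space matches one or more
    contiguous spaces; %s runs up to the first occurrence of the character
    that follows it in the pattern, or to the end of the value.
    """
    parts = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == '%' and i + 1 < n and pattern[i + 1] in 'dfs':
            kind = pattern[i + 1]
            if kind == 'd':
                parts.append(_DECIMAL)
            elif kind == 'f':
                parts.append(_REAL)
            elif i + 2 < n:
                # %s stops at the first occurrence of the next pattern character.
                # Assumption of this example: %s must consume at least one character.
                parts.append('[^' + re.escape(pattern[i + 2]) + ']+')
            else:
                parts.append('.+')  # trailing %s: everything to the end of the value
            i += 2
        elif ch == ' ':
            parts.append(' +')  # one pattern space covers a run of spaces
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    # Anchored at both ends: the whole slot value has to be accounted for.
    return re.compile(r'\A' + ''.join(parts) + r'\Z', re.DOTALL)


def matches(value, pattern):
    """<expr1> matches <pattern>, with <expr1> already evaluated to a string."""
    return compile_pattern(pattern).match(value) is not None


def placeholders_matching(value):
    """Which of %d, %f and %s the value matches on its own (the page's table)."""
    return [p for p in ('%d', '%f', '%s') if matches(value, p)]


if __name__ == '__main__':
    # Constructed sample slot values taken from the page's discussion.
    for msg in ('Eagle 1', '[missing] 378', '12 34', 'Missing number', 'loopback 127.0.0.1'):
        print(repr(msg), matches(msg, '%s %d'))
    for value in ('3', '-3', '3.', '-3.', '.3', '-.3', '3.3.2', '[^a-z]', 'Fred'):
        print(repr(value), placeholders_matching(value))
```

Because the compiled expression is anchored, a pattern such as '%s %d.%d.%d.%d' is what it takes to accept 'loopback 127.0.0.1'; a rule that wants to match a message prefix only must end the pattern with a trailing %s rather than relying on leftover text being ignored.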
ip_greater_or_equals
This operator is useful for testing slot values or expressions that represent IP addresses. These slot values are in fact of type STRING; it is only the interpretation of the string that determines whether it represents an IP address. The test succeeds if the slot value represents an IP address that is equal to or greater than the address specified after the operator. On its own the operator is open-ended upwards; combine it with ip_smaller_or_equals to test for membership in a range of addresses.
Example:
where [ $THIS.origin ip_greater_or_equals '10.10.10.100' AND $THIS.origin ip_smaller_or_equals '10.10.12.255' ]
The rule executes if the value of the slot origin for the event under analysis represents an IP address in the range between '10.10.10.100' and '10.10.12.255'. If the value of origin is '10.10.10.100', '10.10.12.255' or '10.10.11.140', the event filter is satisfied. An origin value of '10.10.10.99', '10.10.13.1' or '10.12.10.150' does not satisfy the filter condition.
ip_smaller_or_equals
This operator is useful for testing slot values or expressions representing IP addresses. These slot values are in fact of type STRING; it is only the interpretation of the string that determines whether it represents an IP address. The test succeeds if the slot value represents an IP address that is equal to or less than the address specified after the operator. On its own the operator is open-ended downwards; combine it with ip_greater_or_equals to test for membership in a range of addresses.
Example:
where [ $THIS.origin ip_smaller_or_equals '10.10.12.255' ]
The rule executes if the value of the slot origin for the event under analysis represents an IP address equal to or below '10.10.12.255'. Origin values of '10.10.12.255', '10.10.11.140' and '10.10.10.99' satisfy the event filter; '10.10.13.1' and '10.12.10.150' do not. To restrict the match to the range '10.10.10.100' to '10.10.12.255', add the condition $THIS.origin ip_greater_or_equals '10.10.10.100' with AND.
ip_matches
Expresses combined conditions on the different bytes composing an IP address. This operator works on slot values or expressions that are of type STRING and assumes that the value represents an IP address. The value is matched against a formula built on the principle of the dot notation for IP addresses. The formula is composed of four components, one for each byte of the IP address, and the components are separated with dots.
Syntax:
where [ <expr1> ip_matches 195.<128.*.>25 ]
Each of the four components can be one of the following:
• a number between 0 and 255
This number must be the value of the corresponding byte in the slot value representing an IP address.
• * (an asterisk)
The value of the corresponding byte in the slot value representing an IP address can be anything.
• > followed by a number between 0 and 254
The value of the corresponding byte in the slot value representing an IP address must be greater than the number which follows the greater than sign (>).
• < followed by a number between 1 and 255
The value of the corresponding byte in the slot value representing an IP address must be smaller than the number which follows the less than sign (<).
The ip_matches operator works on data type STRING. It assumes that <expr1> contains an IP address and that the pattern given after the operator supplies the template to match against. Because the pattern always has four components, one per byte, it describes IPv4 addresses only.
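The three IP operators above (ip_greater_or_equals, ip_smaller_or_equals and ip_matches), reimplemented in Python as an added example so their semantics can be checked against sample values. This is illustrative code written for this page, not the product's code. parse_ipv4, ip_in_range, pattern_is_valid and the strictness on malformed input (a value that is not a dotted quad fails the test) are assumptions of this example; the page only says the operators interpret a STRING as an IP address. The example also shows why octet-wise comparison is needed: comparing the strings directly orders '10.10.10.99' above '10.10.10.100'.

```python
import re

# Strict dotted quad: exactly four groups of 1-3 digits. Assumption of this
# example: anything else (a hostname, an IPv6 address) simply fails the test.
_DOTTED_QUAD = re.compile(r'\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\Z')


def parse_ipv4(text):
    """Return the four octets of an IPv4 string as a tuple, or None if the
    STRING value does not represent an IPv4 address."""
    m = _DOTTED_QUAD.match(text)
    if m is None:
        return None
    octets = tuple(int(g) for g in m.groups())
    return octets if all(o <= 255 for o in octets) else None


def ip_greater_or_equals(value, bound):
    """value ip_greater_or_equals bound: octet-wise comparison, open-ended upwards."""
    v, b = parse_ipv4(value), parse_ipv4(bound)
    return v is not None and b is not None and v >= b


def ip_smaller_or_equals(value, bound):
    """value ip_smaller_or_equals bound: octet-wise comparison, open-ended downwards."""
    v, b = parse_ipv4(value), parse_ipv4(bound)
    return v is not None and b is not None and v <= b


def ip_in_range(value, low, high):
    """The two operators joined with AND, i.e. low <= value <= high."""
    return ip_greater_or_equals(value, low) and ip_smaller_or_equals(value, high)


def _component_predicate(component):
    """Translate one ip_matches component into a predicate over an octet:
    N (0-255) exact value, * anything, >N (0-254) greater than, <N (1-255) smaller than."""
    if component == '*':
        return lambda octet: True
    if component.startswith('>'):
        n = int(component[1:])
        if not 0 <= n <= 254:
            raise ValueError('>N requires 0 <= N <= 254: %s' % component)
        return lambda octet: octet > n
    if component.startswith('<'):
        n = int(component[1:])
        if not 1 <= n <= 255:
            raise ValueError('<N requires 1 <= N <= 255: %s' % component)
        return lambda octet: octet < n
    n = int(component)
    if not 0 <= n <= 255:
        raise ValueError('octet must be between 0 and 255: %s' % component)
    return lambda octet: octet == n


def pattern_is_valid(pattern):
    """True if an ip_matches pattern has four well-formed components."""
    components = pattern.split('.')
    if len(components) != 4:
        return False
    try:
        for c in components:
            _component_predicate(c)
    except ValueError:
        return False
    return True


def ip_matches(value, pattern):
    """value ip_matches pattern, e.g. ip_matches('195.100.7.26', '195.<128.*.>25')."""
    components = pattern.split('.')
    if len(components) != 4:
        raise ValueError('ip_matches pattern needs four dot-separated components')
    predicates = [_component_predicate(c) for c in components]
    octets = parse_ipv4(value)
    if octets is None:
        return False
    return all(pred(octet) for pred, octet in zip(predicates, octets))


if __name__ == '__main__':
    # Constructed sample origin values from the page's range discussion.
    for origin in ('10.10.10.100', '10.10.11.140', '10.10.12.255',
                   '10.10.10.99', '10.10.13.1', '10.12.10.150'):
        print(origin, ip_in_range(origin, '10.10.10.100', '10.10.12.255'))
    print(ip_matches('195.100.7.26', '195.<128.*.>25'))
```

When a rule uses these operators as a network allow or deny filter, the octet-wise comparison is the point: the plain string ordering would let '10.10.10.99' pass a check meant to start at '10.10.10.100', and a malformed or non-IPv4 value should fail closed rather than be compared as text.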
superclass_of
This operator compares two classes, either event classes or data classes. Either operand may be a variable or a hard-coded class name. It succeeds if <CLASS1> is the same class as <CLASS2> or a superclass of it.
Syntax:
where [ <CLASS1> superclass_of <CLASS2> ]
The special slot CLASS can be used to reference the class of an instance, as in $EV.CLASS.
subclass_of
This operator compares two classes, either event classes or data classes. Either operand may be a variable or a hard-coded class name. It succeeds if <CLASS1> is the same class as <CLASS2> or a subclass of it.
Syntax:
where [ <CLASS1> subclass_of <CLASS2> ]
The special slot CLASS can be used to reference the class of an instance, as in $EV.CLASS.