 |
» |
|
|
|
This section introduces event filters and relates them to
the evmshow command examples from the previous section. Filtering
technique is described in detail in later sections of this document.
The full filter syntax is defined in EvmFilter(5). An Event Manager event filter is a text string that informs
Event Manager which events you want to retrieve. For example, the
filter string [priority >= 600] selects
events that have a priority of 600 or higher. A filter can be very
simple, but the filter language is powerful, and with some practice
you can easily build and store a filter expression that defines
precisely the set of events that you want to monitor. Filters are
used by several of the Event Manager command-line utilities, by
the Event Manager logger, and by system daemons and client applications. The evmshow, evmget, and evmwatch commands support the -f option which
you can use to specify a filter string. You can select the events
to be displayed from the my_events file, as shown in the following example: # export EVM_SHOW_TEMPLATE="@timestamp [@priority] @@"
# cat my_events | evmshow -f "[priority >= 600]" | more |
In this example, the -f option specifies
the filter, and selects events that have a priority of 600 or higher.
The command reads all events from the file, but returns only those
events that match the filter string. If you know the names of the events you want to retrieve,
you can specify them in a filter, as shown in the following example: # cat my_events | evmshow -f "[name sys.unix.procsm.category.create._catname.esmd]" | more |
You can use wildcard characters in place of name components
as follows: An asterisk (*)
character matches zero or more complete components A question mark (?) matches exactly
one complete component
For example, enter the following command to shorten the preceding example
command: # cat my_events | evmshow -f '[name *.category.create._catname.esmd]' | more |
The wildcard asterisk matches the components sys.unix.procsm.category.
To avoid any possibility that the shell expand the wildcard character
with filenames, enclose the filter string in single quotes instead
of the double quotes. This is always a wise precaution if special
characters are used in shell commands. When you filter by name, Event Manager assumes that there
is a wildcard .* at the end of the name string,
even if it is not included in the command. Therefore, you may receive
events with more name components than you specify. The following
two commands are equivalent to each other, but the final wildcard
(.*) in the first command is unnecessary: # cat my_events | evmshow -f '[name *.category*]'
# cat my_events | evmshow -f '[name *.category]' |
You can find the names of events by specifying @name as
one of the items in your show-template when you run the evmshow command. Use the filter syntax to combine multiple conditions into
a single filter with the AND, OR,and NOT keywords,
and you can use parentheses to group conditions. In the following
example, the evmshow command selects all events whose names include
the component category, and that have a priority
of 200 or higher: # cat my_events | evmshow -f '[name *.category] and [priority >= 200]' |
In the following example, the keyword priority is
abbreviated to pri, and name is
abbreviated to na. Most filter keywords can be
abbreviated as described in EvmFilter(5). # cat my_events | evmshow -f '([na *.category] and [pri >= 200])' |
The examples in this section illustrate the most commonly
used filter keywords. When you are familiar with applying filters
to the evmshow command and the Event Manager commands described in the
following sections, you can use the more advanced filter features
to create and save useful filters, and to increase your ability
to select the events that are most interesting. For more information,
see “Advanced
Selection and Filtering Techniques”, and the
full syntax is given in EvmFilter(5). Advanced
Selection and Filtering Techniques | |
This section describes some additional filtering techniques
that you can use to further improve event selection, so that you
receive only the events in which you are interested. Following are
the filtering techniques: You can filter for events according to the time at which they
were posted by using the timestamp, before, since,
and age keywords. You may find that the age keyword
is the easiest of these keywords to use, and the most useful for
everyday operation. When you use the timestamp keyword, you must supply a string that defines
a time range in the following way: year:month-of-year:day-of-month:day-of-week:hours:minutes:seconds |
You can use an asterisk (*) as a wildcard
character for any of the components. To select events that occurred
on July 6, 2002, you can use the following commands: # export EVM_SHOW_TEMPLATE="@timestamp [@priority] @@"
# evmget -A -f '[timestamp 2002:7:6:*:*:*:*]' | more |
The asterisks (*) in the final four
components indicate that you are interested in all events that occurred
on that day, no matter what time they occurred. In addition, you
can specify one or more ranges in any position, as shown in the
following command: # evmget -A -f '[timestamp 2002:*:*:1-3,5:*:*:*]' | more |
The fourth component specifies the day of the week. Searching
for events with posting times in the range one to three or five
yields all events that were posted on a Monday, Tuesday, Wednesday
or Friday in the year 2002. The before and since keywords
use similar specifier strings. However, you cannot use wildcard
characters and there is no day of the week indicator. For example,
the following command discovers events that were posted after 3:00p.m.
on July 6, 2002: # evmget -A -f '[since 2002:7:6:15:0:0]' | more |
The age keyword provides a more convenient
and intuitive way to select events according to their timestamps.
As a system administrator, you may be interested in recent events
that indicate a system problem. You can combine the event filter's priority and age keywords
to find such events. For example, the following command sequence
shows all events with a priority of error (400) or higher, that
occurred either yesterday or today (the age of the event is less
than two days): # evmget -A -f '[pri >= 400] and [age < 2d]' | more |
In the previous example, 2d specifies
events that are less than 2 days old. You can specify an age in
seconds (s), minutes (m),
hours (h), days (d), or weeks
(w). For information about how each specifier
is used in calculating an event's age, see EvmFilter(5). You can use a more complex filter to return events that occurred
within a more specific period. The following example finds error
events that occurred more than three days ago, but less than six
days: # evmget -A -f '[pri >= 400] and ([age < 6d] and [age > 3d])' | more |
For detailed information on selecting events according
to their timestamps, and the full filter syntax, see EvmFilter(). Using the Event-Id to Select Events for Detailed
DisplayUsing the evmshow -d command option to display events can result in a large
amount of output and you may want to limit the number of displayed
events. Events that are posted through Event Manager contain a sequential
identifier known as the event-id. You can use
the event-id to select a specific event or a
range of events for detailed display. The event-id is not guaranteed to be unique
within any particular set of events, because the daemon's counter
is set to zero each time it is restarted. To ensure that an event
is unique, you must also use the timestamp when selecting events
as shown in the following example: # evmget -A -f '[age < 1d]' -t "@timestamp @event_id @@" | more |
15-Apr-1999 14:19:06 0 EVM daemon: Configuration completed
15-Apr-1999 14:19:06 1 EVM daemon: Initialization completed
15-Apr-1999 14:19:06 2 EVM logger: Logger started
15-Apr-1999 14:19:06 3 EVM: Mark event - initial
15-Apr-1999 14:19:06 5 EVM logger: Started eventlog /var/evm/evmlog/evmlog.19990415
[1] [2] |
Where: The age filter
keyword selects all events that have occurred today, as indicated
by the timestamp in the first column of data. The @event_id specifier
in the show template instructs the evmshow command to display the event-id for
each retrieved event, which is shown in the second column of data.
When the event-ids are displayed, you can
select the events. For example, use the following command to display
details of the initial mark event, which has an event-id of 3 in
the preceding example output: # evmget -f '[age < 1d] and [event_id = 3]' | evmshow -d | more |
You can select a range of events by using a more complex filter,
as shown in the following example: # evmget -f '[age < 1d] and [event_id >= 1] and [event_id <= 3]'| evmshow -d | more
|
Choose the time range carefully to select the right set of
events. If you recently rebooted your system, specify a filter of [age < 2h] to
select events occurring within the preceding two hours. Searching for Reserved Component NamesSome event names include reserved component names as name extensions.
These components begin with an underscore character (_), and
usually are followed by a component that identifies the item for which
the event is being posted. For example, the names of many hardware-related
events include the component _hwid, followed
by the numeric hardware identifier of the item. Reserved component
names are appended automatically as an extension to the event name.
The name is appended, followed by the value for the named variable.
This is done for every reserved component name. For example, an
event with the name @SYS_VP@.temperature_high and
the variable _degrees with the value 212 is observed
as an event with the name @SYS_VP@.temperature_high._degrees.212. You can search for all such events by the following command: # evmget -A -f '[name *._hwid]' | more |
If you know the hardware identifier of a specific device,
you can narrow the search for events related to that device by using
a command similar to the following: # evmget -A -f '[name *._hwid.4]' | more |
You can save a useful filter in a file and recall it by using
the Event Manager's indirect filter facility. Filter files have
names with the suffix .evf, and can contain any
number of named filters. For example, the following filter file
entry selects all evm user message events. filter {
name user
value "[name @SYS_VP@.evm.msg.user]"
title "All EVM user message events"
} |
In this example, the @SYS_VP@ is a standard
Event Manager macro that is replaced by sys.unix when
the filter is used. To use indirect filtering, specify the at (@)
sign , followed by the name of the file containing the filter instead
of a filter string, as shown in the following example: You need not include the .evf suffix
when you specify a filter file name in such commands. The previous example uses the first filter in the file, but
you can choose a different filter by specifying its name as follows: You can include as many filters as you want in a single file,
or you can keep each filter in its own file. The preceding example
specifies the evm filter, which is included in
the Event Manager. Other filters are provided in the /usr/share/evm/filters directory. Use these files as examples for establishing
your own filter library. The evmshow -F command option provides an easy way for you to view the
contents of a stored filter. The F option causes
the evmshow command to display the filter string and then exit without
reading any events. In the following example, the evmshow command displays the contents of the filter named user
stored in the evm.evf file: # evmshow -f @evm:user -F
( [name sys.unix.evm.msg.user] ) |
For complete information about the syntax of filter files,
and where to locate your files, see evmfilterfile(4) . | | | |  | NOTE: Do not edit the filter files provided in the /usr/share/evm/filters directory. Your changes may be overwritten without warning
by a future installation update. | | | | |
|
Printable version
