8.5 Event Filters and Filtering Events


8.5 Event Filters and Filtering Events

An event filter is what you use to get certain events from the EVM subsystem. Think of it as putting qualifiers on the items on your shopping list.

If you were to say, "I want to buy a musical recording," that would bring you to a store with hundreds or even thousands of recordings.

By saying "I want to buy a musical recording on CD," you've narrowed down your search a little. But let's get a little more specific.

"I want to buy a musical recording on CD that was recorded in the last two years by a popular Blues guitarist."

8.5.1 Event Keywords

Event filters help us to narrow down the number of events that we're looking for. Tru64 UNIX defines several keywords (see Table 8-4) to assist with narrowing the scope of events.

Table 8-4: Event Filter Keywords

click to expand

Event keywords can also be combined to form complex filters. A complex filter is two or more keywords combined with one of the defined logical operators:

  • AND (you can use the AND keyword or the "&").

  • OR (you can use the OR keyword or the "|").

  • NOT (you can use the NOT keyword or the "!").

For example:

 [name *.evm] AND [prio <= 500] AND NOT [before 2001:03:24:00:00:00] 

Return all "evm" events with a priority less than or equal to 500 before March 24, 2001.

To ensure proper sequence of a complex filter, you can include filters in parentheses "(" and ")" as well.

 ([name *.evm] | [name ?.?.?]) & [age <= 2d] 

Return all "evm" events or any event that contains three components and is less than or equal to two days old.

To utilize a filter, you use the "-f" switch on the evmget, evmwatch, evmshow(1), or evmsort(1) commands. For example:

 # evmget –f "([name *.evm] | [name ?.?.?]) & [age <= 2d]" 

For more information, see the EvmFilter(5) reference page.

8.5.2 Event Filter Files

In addition to event keywords, there is a way to create complex filters and store them for reuse (kind of like an environment variable). These reusable filters can be stored in filter files.

Tru64 UNIX and TruCluster Server include several filter files. These filter files are located in /usr/share/evm/filters. Event filter files have an extension of ".evf". Table 8-5 shows the filter file directories and the order in which they are searched.

Table 8-5: EVM Filter File Directories

Event Filter File Directories

Directory

Search order[*]

Description

Current working directory

1

$ HOME/.sysman/evmfilters

2

User-defined filter files should be placed in this directory.

/var/evm/adm/filters

3

Site-specific filter files should be placed in this directory.

/usr/share/evm/filters

4

Filter files provided by Tru64 UNIX and TruCluster Server are located in this directory.

[*]-can be overrideen by EVM_FILTERDIR environment variable

To override the file search order, you can define the EVM_FILTERDIR environment variable.

Event filter files have the following syntax:

 filter {        name         filter_name        value        filter_value        include      filter_element        exclude      filter_element        title        filter_title        } 

The filter_name is the name of your filter. The filter_value is a keyword filter string. The filter_element for the "include" (logical OR) and "exclude" (logical AND NOT) attributes are keyword filter strings you can use to further refine your filter. Finally, the filter_title attribute is a description of the filter. For example:

 filter {     name      "scsi"     value     "[name @SYS_VP@.binlog.hw.scsi]"     title     "Binlog SCSI events" } 

This filter is from the binlog.evf file located in the /usr/share/evm/filters directory. To use this filter, you would use the following syntax: "@filter_file:filter_name". To use the scsi filter from the binlog filter file, use: "@binlog:scsi". Notice that this filter does not contain an "include" or "exclude" attribute. There can be any number of "include" or "exclude" attributes per filter definition.

 filter {   name         net   value        "[name @SYS_VP@.hw.net]"   include      "[name @SYS_VP@.clu.clua]"   exclude      "[prio < 200]"   exclude      "[age > 1w]" } 

This is an example that defines a filter by the name of net that will retrieve events that match the name of sys.unix.hw.net or sys.unix.clu.clua, as long as the events have a priority greater than 200 and the events have not occurred longer than one week ago.

In other words, you could create a filter file and use this command:

 # evmget –A –f @myFilterfile:net 

Or type this command:

 # evmget –A -f "[name *.hw.net] | [name *.clu.clua] & ![prio < 200] & ![age > 1w]" 

Note

The @SYS_VP@ value is a macro that defines "vendor" and "product name". What does the macro resolve to?

 # evminfo –vp sys.unix 

You should use this value instead of using the actual value. This will accomplish two tasks:

  1. It makes your filter files portable.

  2. It gives the vendor the freedom to change their product name without giving you more work to do.

For additional information on event filter files, see the evmfilterfile(5) reference page.




TruCluster Server Handbook
TruCluster Server Handbook (HP Technologies)
ISBN: 1555582591
EAN: 2147483647
Year: 2005
Pages: 273

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net