kiwi syslog filter broken: Only filters Priority field, NO others

hello

the filter display mechanism is broken. the tool ONLY filters on the priority field, all other fields are ignored

running V 9.4.1

this is the NON web view

even though filters are screening the message area, the tool does not match. only matches are made in the Priority field

as you can see, the first line should match the filter that is selected, yet it is ignored and only matches the priority field

kiwi-syslog-patternmatch brocken-CL-12jan2015.png

1 Solution

yes/no

i know how to apply the highlighting, but

"Highlighting rules are evaluated from the top-down, and any Syslog messages which match a given rule will have the given highlight-effects applied."

this quote from the page link is very vague

when i disable the priority field matching at the end of the list

the message high field matching at the top of the list starts to work

this tells me that it goes through the whole list and thus the bottom gets priority over the top of the list

from what i see, it keeps on going through the list and applies the LAST highlight effect

this is unexpected and unwanted

13 Replies

What types of filters are you wanting to set up? Please post a screenshot of your filter settings.

0 Kudos

done in the original post

see above

0 Kudos

Are you setting up highlighting or a filter within a rule?

0 Kudos

i set up highlighting.

as can be seen above, ONLY the ones that specify the priority field get executed.

any other fields are ignored even if the needed logs occur or are entered higher up the order in the definitions

i showed an example in the log when i want to highlight the DENY statement, it gets ignored and only the priority field gets observed

do you have any suggestions, i am stumped

0 Kudos

Apologies for the delay in getting back to you, but this is a defect and is not working as described in the documentation and how it should work. We have opened a bug against this to get this fixed, nice catch!

This is still broken in 9.4.2

when will it be fixed to match what is documented?

0 Kudos

I am checking into this with Dev to validate/confirm the behavior.

0 Kudos

Hi wanine39,

I played with this feature before and it seems the highlighting rules are evaluated from the top down, hence if you have multiple rules matching a Syslog, the rule nearest the bottom will end up being applied.

0 Kudos

i disabled all the priority fields and VOILA, it now matches the message field. Thanks AIRSUN

i am stumped again as to how the rules are ordered and selected.

this is NOT like how firewall Access list rules work

SOLARWINDS, please speak up and clarify the processing order. it looks random now

0 Kudos

tnx

the rules should be applied top down as per the documentation. this is the same for access lists. first match wins

so far it only matches the priority field, i.e. any other field is ignored

That makes sense and I like it too if the rule works like an ACL, first match wins, but unfortunately it doesn't work that way. Moving on, to solve your issue you may try to move important rules to the bottom part, that is moving Rule - Message field with "Deny udp" to the very bottom and see if it takes effect. You may use the Green Down arrow key to move it.

Hope it helps.
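
The two evaluation orders discussed in this thread, modelled side by side as an added example (not part of any post and not SolarWinds' code). The rule names, field names, colours and the sample message are constructed assumptions; only the "Deny udp" message rule and the priority rule come from the thread.

```python
# Constructed model of the behaviour described in the thread; names and
# colours are hypothetical, not Kiwi Syslog's configuration format.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    field: str            # which message field the rule inspects
    needle: str           # substring to look for (case-insensitive)
    colour: str           # highlight effect to apply
    enabled: bool = True

def matching(rules, msg):
    """All enabled rules that match, in list (top-down) order."""
    return [r for r in rules
            if r.enabled and r.needle.lower() in msg.get(r.field, "").lower()]

def first_match_wins(rules, msg):
    """ACL-style evaluation: the topmost matching rule decides."""
    hits = matching(rules, msg)
    return hits[0].colour if hits else None

def last_match_wins(rules, msg):
    """Behaviour reported in the thread: every match repaints the row."""
    colour = None
    for rule in matching(rules, msg):
        colour = rule.colour       # later rules overwrite earlier ones
    return colour

def shadowed(rules, msg):
    """Rules that match but are overwritten under last-match-wins."""
    return [r.name for r in matching(rules, msg)[:-1]]

def move_to_bottom(rules, name):
    """Workaround from the thread: put the important rule last."""
    return [r for r in rules if r.name != name] + \
           [r for r in rules if r.name == name]

RULES = [
    Rule("deny-udp", "message", "Deny udp", "red"),
    Rule("prio-warning", "priority", "Warning", "yellow"),
]
# Constructed sample message (documentation address ranges).
MSG = {"priority": "Local4.Warning",
       "message": "Deny udp src outside:198.51.100.7/53 dst inside:192.0.2.10/5353"}

if __name__ == "__main__":
    print("first match wins:", first_match_wins(RULES, MSG))
    print("last match wins: ", last_match_wins(RULES, MSG))
    print("shadowed rules:  ", shadowed(RULES, MSG))
    print("after reorder:   ", last_match_wins(move_to_bottom(RULES, "deny-udp"), MSG))
```

Running `shadowed` over a sample of real messages lists the highlight rules that can never show under bottom-wins evaluation, which is the quickest way to decide what to reorder.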