8 Replies Latest reply on Jul 14, 2016 3:55 AM by mark.healey

    Filtering (Node Related Syslog Messages) by Message Like not working

    chris.schear

      I have the (Node Related Syslog Messages) resource added to a Node Details view.  The node has the following (example) syslog messages:

       

      --------------------

      11/9/2012 02:48 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:45 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:44 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
      11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed the 'enable' command.
      11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : User priv level changed: Uname: USERID From: 1 To: 15
      11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : Login permitted from 10.10.10.102/59462 to management:10.20.30.40/ssh for user "USERID"
      11/9/2012 02:05 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show running-config
      11/9/2012 02:04 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show running-config
      11/9/2012 02:04 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show configuration
      11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed the 'enable' command.
      11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : User priv level changed: Uname: USERID From: 1 To: 15
      11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : Login permitted from 10.10.10.10/45697 to management:10.20.30.40/ssh for user "USERID"

      --------------------

       

      I want to filter out all the "User 'USERID' executed cmd: show conn" from the resource so I have defined the following filter:

       

      Message NOT Like '*show conn*'

       

      Save...resource still shows.  If I edit the filter and remove "NOT", exactly same result.  I'm at a loss why a filter with a "like" or a "not like" returns the same data.