
Filtering (Node Related Syslog Messages) by Message Like not working

I have the (Node Related Syslog Messages) resource added to a Node Details view.  The node has the following (example) syslog messages:

--------------------

11/9/2012 02:48 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:47 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:45 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:44 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show conn
11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed the 'enable' command.
11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : User priv level changed: Uname: USERID From: 1 To: 15
11/9/2012 02:43 PM     10.20.30.40     10.20.30.40   : Login permitted from 10.10.10.102/59462 to management:10.20.30.40/ssh for user "USERID"
11/9/2012 02:05 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show running-config
11/9/2012 02:04 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show running-config
11/9/2012 02:04 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed cmd: show configuration
11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : User 'USERID' executed the 'enable' command.
11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : User priv level changed: Uname: USERID From: 1 To: 15
11/9/2012 02:03 PM     10.20.30.40     10.20.30.40   : Login permitted from 10.10.10.10/45697 to management:10.20.30.40/ssh for user "USERID"

--------------------

I want to filter out all the "User 'USERID' executed cmd: show conn" from the resource so I have defined the following filter:

Message NOT Like '*show conn*'

Save...resource still shows.  If I edit the filter and remove "NOT", exactly same result.  I'm at a loss why a filter with a "like" or a "not like" returns the same data.

  • It's a SQL-type filter, so try % instead of * and it should work.

    Sohail Bhamani

    Loop1 Systems

    http://www.loop1systems.com

  • No change.  And, I would mention the filter examples are:

    --------------------------------------------

    Filters can be complex SQL statements

    (Vendor Like 'Cisco') AND ( (MessageType Like 'PIX*') OR (MessageType Like 'SYS*') )

    (Nodes.DNS Like '*.SolarWinds.Net') OR (SysLog.IPAddress Like '10.1.*')

    (Message NOT Like '*outside*') AND (Message NOT Like '*inside*')

    --------------------------------------------

    I tried * and %, no change.
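To show concretely how `*` and `%` differ in a SQL LIKE filter (the point raised in the reply above and in the documented examples), here is an added example that is not from the thread or from SolarWinds: it runs the two variants of the filter against rows constructed from the sample messages, using Python's built-in SQLite. The table name `Syslog` and the column name `Message` are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows modelled on the messages quoted in the thread
# (USERID and the addresses are the poster's placeholders, not real data).
SAMPLE_MESSAGES = [
    "User 'USERID' executed cmd: show conn",
    "User 'USERID' executed cmd: show conn",
    "User 'USERID' executed the 'enable' command.",
    "User priv level changed: Uname: USERID From: 1 To: 15",
    'Login permitted from 10.10.10.102/59462 to management:10.20.30.40/ssh for user "USERID"',
    "User 'USERID' executed cmd: show running-config",
    "User 'USERID' executed cmd: show configuration",
]


def apply_filter(where_clause, messages=SAMPLE_MESSAGES):
    """Run a widget-style WHERE clause against an in-memory Syslog table
    (assumed schema) and return the messages that survive it, in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Syslog (Id INTEGER PRIMARY KEY, Message TEXT)")
    conn.executemany("INSERT INTO Syslog (Message) VALUES (?)",
                     [(m,) for m in messages])
    # The clause is concatenated verbatim, exactly as the resource's filter
    # box is documented to work; it is operator configuration, not data
    # supplied by an untrusted user, which is the only reason this is safe.
    sql = f"SELECT Message FROM Syslog WHERE {where_clause} ORDER BY Id"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def star_filter():
    # '*' is not a wildcard in SQL LIKE; it only matches a literal asterisk,
    # so nothing matches and NOT LIKE keeps every row: the filter is a no-op.
    return apply_filter("Message NOT LIKE '*show conn*'")


def percent_filter():
    # '%' is the SQL LIKE wildcard, so the two 'show conn' rows are dropped.
    return apply_filter("Message NOT LIKE '%show conn%'")


def login_only():
    # Positive match: keep only the login-audit line, the one worth watching.
    return apply_filter("Message LIKE '%Login permitted%'")
```

Note that `show configuration` survives `%show conn%` because it contains `show con` followed by `f`, not `show conn`, so the substring filter is precise as well as effective.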

  • Those examples have been historically wrong in various places.

    The other thing you can try is in the Syslog viewer application: you can create a syslog alert to find those specific messages and just discard them.  They won't show up then for sure.

    Sohail Bhamani

    Loop1 Systems

    http://www.loop1systems.com

  • Good point.  I'll just go that route.

  • The syntax to apply on the last xx syslog messages widget is MESSAGE NOT like '%login Failed%'.  This works fine in NPM 10.3.1.

  • Using 11.0.1 here, and we are not seeing any behavior that indicates that anything is even reading this Filter box at all.

    We have entered all varieties of %, *, single quotes and double quotes, all with no effect at all.

    It doesn't even produce query errors, as shown when we entered the string "Nonsense String" into the Filter, and it just returned the latest 25 syslog messages for the node, unfiltered.

    And the statement that "Those examples have been historically wrong in various places." remains hilariously typical of the sort of things that just never get addressed, improved, or even commented on by SW support staff, program managers, and even the long time users.

    Seriously, how does nobody do anything about the examples being wrong, let alone the fact that the filter box appears to be ignored by the system completely.

    Amazing.

  • We have entered all varieties of %, *, single quotes and double quotes, all with no effect at all.

    Sounds like a bug.  I haven't seen that before so it may only be triggered in certain environments.  Not sure.  Could you perhaps open a support ticket for proper triage and escalation if necessary?: SolarWinds Customer Support - We're Here to Help

    If you note the ticket number here, I can track it as well.

    And the statement that "Those examples have been historically wrong in various places." remains hilariously typical of the sort of things that just never get addressed, improved, or even commented on by SW support staff, program managers, and even the long time users.

    Examples are the opposite of helpful if they don't work, surely.  Definitely we want to keep those up to date and we try to do so.  We'll address the issue you found as suggested above.  If you or anyone else is aware of specific examples of others, we'd be happy to work on addressing those as well.  Just respond here or shoot me a message directly.

  • I had exactly the same problem.

    I'm using the Last 25 Syslog Events widget instead, which does default to only pulling the last 25 events from that node, and accepts the code used in the examples.

    For example, I'm having it show only the emergency level events received over the past 7 days.