VMware Cloud Community
ornlsa
Contributor
Contributor
‎11-02-2015 07:48 AM
Jump to solution

Filtering Events that are Forwarded

In Management area under Event Forwarding, I am trying to forward specific events by using the filter in the edit destination area. If I add something like (text matches) "security" "error" etc, I can test it with "Run in Interactive Analytics"  and get loads of events. But when i hit save, it does not send any data and has a state of idle.  I have let it sit this way for some time and nothing is being sent.

Also, if I remove the filter, it starts sending everything just fine, just too much...

Am I missing something here?

Tim

0 Kudos
1 Solution

Accepted Solutions
sflanders
Commander
Commander
‎11-22-2015 05:07 AM
Jump to solution

They are allowed with the matches operator, they are not allowed with the contains operator Smiley Happy change like I suggested and save on Event Forwarding and it will work -- I have a blog post on this planned for next week. Note you will NOT be able to test on IA given matches changes to contains -- if you want to test then after making it back to IA, change "contains" to "matches regex". I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

View solution in original post

0 Kudos
4 Replies
sflanders
Commander
Commander
‎11-09-2015 09:01 AM
Jump to solution

This issue is that the "matches" operator works differently from the "contains" operator. For matches it must match EXACTLY. Try adding *security*, *error*, etc and it should work. I will have a blog post on this soon.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
hullt
Enthusiast
Enthusiast
‎11-20-2015 10:28 AM
Jump to solution

no-go ('*' and '?' are not allowed as the first characters of a search term (text* and te*t are allowed, but *text is not) Plus it auto fills the words for me as i type due to what it can see in the events.

It doesn't mater what I chose, ALL forwarding immediately stops when any filter is applied.  Remove filter and it floods the syslog servers...

Looks like a bug to me, but I have a support call in and will see what they discover.

0 Kudos
sflanders
Commander
Commander
‎11-22-2015 05:07 AM
Jump to solution

They are allowed with the matches operator, they are not allowed with the contains operator Smiley Happy change like I suggested and save on Event Forwarding and it will work -- I have a blog post on this planned for next week. Note you will NOT be able to test on IA given matches changes to contains -- if you want to test then after making it back to IA, change "contains" to "matches regex". I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
hullt
Enthusiast
Enthusiast
‎11-23-2015 03:38 AM
Jump to solution

Ahhh, now I see why...  Thank you for the help, little bit of a puzzle, but once you see it, it comes together...

0 Kudos