#468 closed defect (worksforme)

Using complex severity breaks its usage

Reported by: TheFlyingCorpse
Owned by: MickeM
Priority: 1
Milestone: 0.3.9
Component: Core
Version: 0.3.9
Severity: Bugs
Keywords:
Cc:

Description

In 0.3.8 and 0.3.9 RC5, using "complex" filters on severity does not appear to function as expected.

Ex:

file=application file=system debug=true MaxWarn=1 MaxCrit=1 "filter=written > -1d AND source IN('MSSQL\$SQLPRD01','MSSQL\\\$SQLPRD02','MSSQL\$SQLPRD03') AND NOT(severity like 'informational')" truncate=800 unique descriptions "syntax=%source% ID:%id% Count:%count% Message: %message%"
Parsing failed: AND NOT(severity like 'informational')

Does not return the error message that went through the filters yesterday. (Severity of it was ERROR and within the filters). If severity is removed from the argument, it will return everything that occurred within the source. Using any way of writing severity as an argument, renders 0 as eventlogs, even with a known error in it.

Ex2:

file=application file=system debug=true MaxWarn=1 MaxCrit=1 "filter=written > -1d AND source IN('MSSQL\$SQLPRD01','MSSQL\\\$SQLPRD02','MSSQL\$SQLPRD03') AND (severity not like 'informational')" truncate=800 unique descriptions "syntax=%source% ID:%id% Count:%count% Message: %message%"

Ex3:

file=application file=system debug=true MaxWarn=1 MaxCrit=1 "filter=written > -1d AND (severity = 'error' OR severity = 'warning') AND source IN('MSSQL\$SQLPRD01','MSSQL\\\$SQLPRD02','MSSQL\$SQLPRD03')" truncate=800 unique descriptions "syntax=%source% ID:%id% Count:%count% Message: %message%"

According to the Wiki, this should work in an argument:

severity = 'error' AND (severity = 'informational' OR severity = 'warning')

Change History (4)

comment:1 Changed 23 months ago by TheFlyingCorpse

The inconsistency in escaping out the $ in the examples above was because I didn't clean the example well enough.

comment:2 Changed 23 months ago by mickem

You do not need to escape the $ at all...

BUT, Nagios, the shell NRPE and what not might/will require it, so from where are you running it?

Michael Medin

comment:3 Changed 23 months ago by TheFlyingCorpse

I ran the test from command line against check_nrpe, it required only one escape. In configs, it requires three.

comment:4 Changed 15 months ago by mickem

  • Resolution set to worksforme
  • Status changed from new to closed

Works for me
