Rules for basic correlation expressions
The following rules apply to basic correlation expressions:

| Rule | Description |
| --- | --- |
| Case insensitivity | Correlation expression matches are always case-insensitive, without exception: su matches su, SU and Su alike. |
| Simple keyword matches | A correlation expression can consist of simple keywords, each of which matches any portion of the message. For instance, su matches success and super user. |
| Phrase matches | If a match expression contains spaces, it must be enclosed in double quotes. For instance, "super user" matches super user and super users. |
| Full word matches | To match a whole word instead of part of one, put a single space before and after the keyword and quote the result. For instance, " su " matches the su user logged in, su login, and login by su, but not success. The leading space matches a space or the beginning of the line; the trailing space matches a space or the end of the line. |
| Wildcards | A keyword can contain an asterisk (*) to match zero or more characters and a question mark (?) to match exactly one character. For instance, test*fail matches the test failed, the test did not fail, and testfail. Likewise, test?pass matches test passed and test-pass, but not testpass. |
| Logical operators | To join expressions into a larger expression, use the logical operators AND, OR, XOR and NOT. For instance, test and not fail matches any message that contains the keyword test and does not contain the keyword fail, anywhere in the line. |
| Default logical AND | If an expression consists of several sub-expressions with no logical operator between them, they are joined by an implied AND, so every sub-expression must match the message. For instance, the unquoted expression system user matches only messages that contain both system and user. |
| Parenthetical nesting | Use parentheses, which can be nested to any depth, to control the order of evaluation. For instance, (test and file) or (system and user) matches any message containing both test and file, and any message containing both system and user. |
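The rules above describe a small expression language, and the quickest way to check how a given expression will behave against real log lines is to run it through an evaluator. The Python below is an added example written for this page; it is not part of the product documentation and does not use the product's own code. It implements every rule in the table (case-insensitive keyword, quoted phrase and full-word matches, the * and ? wildcards, AND/OR/XOR/NOT, the implied AND, and nested parentheses). Two things the table does not specify are assumptions made here and marked in the code: NOT binds tightest, then AND (explicit or implied), then XOR, then OR; and the words and, or, xor and not are reserved as operators unless quoted. The sample messages in the usage are constructed, not taken from any real system.

```python
"""Evaluator for the basic correlation-expression rules in the table above.
Assumed here because the page does not say: NOT binds tightest, then AND (explicit
or implied), then XOR, then OR; and/or/xor/not are reserved words unless quoted."""
import re
from typing import Callable, List, Tuple

Matcher = Callable[[str], bool]
Token = Tuple[str, str]  # (kind, text); kind is "term", "op", "(", ")" or "end"
OPERATORS = {"and", "or", "xor", "not"}
LEVELS = ("or", "xor", "and")  # binary operators from loosest to tightest binding
BINARY = {
    "or": lambda l, r: (lambda m: l(m) or r(m)),
    "xor": lambda l, r: (lambda m: l(m) != r(m)),
    "and": lambda l, r: (lambda m: l(m) and r(m)),
}
# A quoted phrase, a parenthesis, a bare word, or a stray character (an unclosed quote).
TOKEN_RE = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)|(\S)')


def tokenize(expression: str) -> List[Token]:
    """Quoted text keeps its spaces and is always a term, so '" su "' and '"not"' work."""
    tokens: List[Token] = []
    for quoted, paren, word, stray in TOKEN_RE.findall(expression):
        if paren:
            tokens.append((paren, paren))
        elif stray:
            raise ValueError("unterminated quote in expression")
        elif word.lower() in OPERATORS:
            tokens.append(("op", word.lower()))
        else:
            tokens.append(("term", quoted or word))
    return tokens


def compile_term(term: str) -> Matcher:
    """Keyword or phrase -> case-insensitive search. '*' is zero or more characters, '?'
    exactly one; a leading/trailing space means start/end of line or a space (full word)."""
    leading, trailing = term.startswith(" "), term.endswith(" ")
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in term.strip(" "))
    if leading:
        pattern = r"(?:^| )" + pattern
    if trailing:
        pattern += r"(?: |$)"
    regex = re.compile(pattern, re.IGNORECASE)
    return lambda message: regex.search(message) is not None


class Parser:
    """Recursive descent over LEVELS; parentheses recurse back to level 0."""
    def __init__(self, tokens: List[Token]) -> None:
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Token:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("end", "")

    def take(self) -> Token:
        tok = self.peek()
        if tok[0] == "end":
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_level(self, level: int) -> Matcher:
        if level == len(LEVELS):
            return self.parse_unary()
        op = LEVELS[level]
        left = self.parse_level(level + 1)
        while True:
            tok = self.peek()
            if tok == ("op", op):
                self.take()
            elif op == "and" and (tok[0] in ("term", "(") or tok == ("op", "not")):
                pass  # another operand with no operator between: implied AND
            else:
                return left
            left = BINARY[op](left, self.parse_level(level + 1))

    def parse_unary(self) -> Matcher:
        kind, text = self.take()
        if (kind, text) == ("op", "not"):
            inner = self.parse_unary()
            return lambda m: not inner(m)
        if kind == "(":
            inner = self.parse_level(0)
            if self.take() != (")", ")"):
                raise ValueError("missing closing parenthesis")
            return inner
        if kind == "term":
            return compile_term(text)
        raise ValueError(f"unexpected token {text!r}")


def match(expression: str, message: str) -> bool:
    """Evaluate one correlation expression against one message line."""
    parser = Parser(tokenize(expression))
    matcher = parser.parse_level(0)
    if parser.peek()[0] != "end":
        raise ValueError(f"unexpected token {parser.peek()[1]!r}")
    return matcher(message)
```

Call match(expression, line) once per log line; for example match('" su "', "login by su") is true while match('" su "', "success") is false, and match("test and not fail", "the test failed") is false. Quoting is the only way to make a leading or trailing space, or one of the operator words, part of a term, which is why the full-word example is written " su " with the quotes.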