$expr (match-expr) function


This function returns the full matched message only if the match expression argument is matched; otherwise, it returns a zero-length string. The function is useful on the Messages > Config > Overrides tab for matching expressions more complicated than space-delimited keywords.

For example, $expr ($5 eq error) matches a message only if the fifth word of the message is the keyword error. Otherwise, this function has limited application.

In the Overrides tabs, single or double quotation marks are not valid in the expression. The match expression argument must not be in quotation marks and must be enclosed in opening and closing parentheses. For example, you cannot specify 'test: *'; you must use (test: *) instead.

The following examples show target strings, parse expressions, and return values:

| Target string | Parse expression | Return value |
|---|---|---|
| User logged into location dev001 system. | $expr ($5 eq dev001) | User logged into location dev001 system. |
| There have been 100 alerts raised. | $expr ($4 ge 100) | There have been 100 alerts raised. |
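The behaviour described above can be modelled in Python to check an override expression against sample messages before it is deployed. This is an added example, not the product's own code. It assumes that words are whitespace-delimited, that eq is an exact case-sensitive comparison and that ge is numeric, and it handles only the two operators shown on this page.

```python
import re

# Models only the form shown on this page: $expr ($N eq|ge value).
# Quotation marks are rejected because the page says they are not valid.
_EXPR = re.compile(r"^\$expr\s*\(\s*\$(\d+)\s+(eq|ge)\s+([^\s'\"()]+)\s*\)$")


def expr(parse_expression: str, message: str) -> str:
    """Return the full message if the match expression holds, else ''."""
    m = _EXPR.match(parse_expression.strip())
    if m is None:
        # Quoted or unparenthesised arguments end up here.
        raise ValueError(f"unsupported expression: {parse_expression!r}")
    position, operator, operand = int(m.group(1)), m.group(2), m.group(3)

    words = message.split()        # assumption: whitespace-delimited words
    if position < 1 or position > len(words):
        return ""                  # assumption: a missing word is a non-match
    word = words[position - 1]     # $1 is the first word of the message

    if operator == "eq":
        matched = word == operand  # assumption: exact, case-sensitive match
    else:                          # operator == "ge"
        try:
            matched = float(word) >= float(operand)  # assumption: numeric
        except ValueError:
            matched = False        # a non-numeric word cannot satisfy ge
    return message if matched else ""


if __name__ == "__main__":
    # Target strings taken from the table above, plus one constructed non-match.
    samples = [
        ("$expr ($5 eq dev001)", "User logged into location dev001 system."),
        ("$expr ($4 ge 100)", "There have been 100 alerts raised."),
        ("$expr ($4 ge 100)", "There have been 99 alerts raised."),
    ]
    for expression, target in samples:
        print(f"{expression!r:28} -> {expr(expression, target)!r}")
```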
