Global variables
These values, all preceded with a $ character, are set by the system each time a message is received (or a trigger is set, in the case of trigger global variables). Global variables are frequently used with the comparison operators (previously listed) to perform advanced correlation of messages.
| Variable | Description |
| --- | --- |
| $N | A number, preceded with a $ character, when found in a correlation expression, is immediately replaced by the word in the current message at the corresponding position. For instance, the expression ($3 eq test) evaluates as true if the third word in the message is the specific word test. This allows you to test for the value of a particular keyword based on the position at which the word is expected in the message. If the value of N is higher than the number of words, no substitution of the $N value takes place. |
| $address | The word $address, when found in a correlation expression, is immediately replaced by the IP address of the device that sent the message. For instance, if you include $address as a keyword in the expression, the IP address of the device that sent the message must appear somewhere in the message. More commonly, this value is used in a comparison function such as (10.1.2.2 eq $address), which matches only if the device that sent the message has an address of 10.1.2.2. This provides an alternative to specifying an address in the Match Address specification of thread and action screens. |
| $username | The word $username, when found in a correlation expression, is immediately replaced by the username contained in the message (if any), or by the null string if the message did not contain a username. This value can be used in a comparison function such as ($username eq jsmith), which matches only if the keyword jsmith is in the message and jsmith is also a username defined in the Messages > Users screen. |
| $userdata | The word $userdata, when found in a correlation expression, is immediately replaced by the user group information residing in the ./config/userdata.cnf file corresponding to the specified username. The username for the message (if any) is used to index the user data. This permits correlation on user information that is external to the message, such as a full name, location, e-mail address, or any other data in this configuration file. For instance, the value can be used in a comparison function such as (New York in $userdata), which matches if the username specified in a message has New York as part of its $userdata record. |
| $devname | The word $devname, when found in a correlation expression, is immediately replaced by the device name associated with the IP address (if any). The device name is the value configured in the Device Information screen by the operator, which might or might not be the official DNS name for the IP address. For instance, the expression ($devname eq localhost) matches only if the IP address of the device that sent the message has the name localhost defined in the Device Information screen. |
| $devdata | The word $devdata, when found in a correlation expression, is immediately replaced by the device group information residing in the ./config/devdata.cnf file corresponding to the specified address. The address of the message is used to index the device data. This permits correlation on device information that is external to the message, such as the purpose of the device, its location, its asset information, or other information. For instance, the value can be used in a comparison function such as (Solaris in $devdata), which matches if the IP address specified in a message has Solaris as part of its $devdata record. |
| $facility | The word $facility, when found in a correlation expression, is immediately replaced by the facility of the current message. This can be either an official facility name, such as kernel, user, or network, or a user-defined facility. (User-defined facilities are configured under the Messages navigation tab of the system.) This global variable provides an alternative to specifying a facility in the Match Facility specification of thread and action screens, and additionally permits a range of facilities to be specified as part of a match pattern. |
| $severity | The word $severity, when found in a correlation expression, is replaced by the severity name of the current message. This is the official severity name, ranging from debug to emergency. This global variable provides an alternative to specifying a severity in the Match Severity specification of thread and action screens. This value, while useful, is generally not as powerful as the $sevnum global variable, which is the corresponding numeric value of the severity and permits the lt, le, gt, and ge numeric comparisons to be made on a severity value. |
| $facnum | The word $facnum, when found in a correlation expression, is replaced by the facility number of the current message. This is the numeric value of the message facility, ranging from 0=Kernel to 24=Other. (User-defined facilities, which by their nature have no numeric value, are assigned the number 24, following the last official facility number of 23=Local7.) This value permits the lt, le, gt, and ge numeric comparisons to be made on a facility value. |
| $sevnum | The word $sevnum, when found in a correlation expression, is replaced by the severity number of the current message. This is the numeric value of the message severity, ranging from 0=emergency to 7=debug. This value permits the lt, le, gt, and ge numeric comparisons to be made on the received message severity value. For instance, this permits an expression such as ($sevnum ge 3) and ($sevnum le 6), which matches any message with a severity of info, notice, warning or error. |
| $date | The word $date, when found in a correlation expression, is replaced by the current date, in YYYY/MM/DD format. This might be useful when configuring correlation patterns specific to particular days and months, especially when used with the in and not in comparison operators. For instance, the expression ((/??/01) not in $date) matches a message only if it is not the first day of the month. |
| $wday | The word $wday, when found in a correlation expression, is replaced by the current three-letter weekday abbreviation, one of mon, tue, wed, thu, fri, sat, or sun. This might be useful when configuring correlation patterns specific to particular days of the week. For instance, the expression ($wday ne tue) matches a message only if it is not received on a Tuesday. |
| $time | The word $time, when found in a correlation expression, is replaced by the current time, in HH:MM:SS 24-hour format. This might be useful when configuring correlation patterns that match specific times, extending the Match Time specification of thread and action screens. This global variable is typically used with a lexical compare function, such as llt or lgt. For instance, the expression ($time lgt 23:00:00) and ($time llt 23:30:00) matches a message only if it is received after 11:00 PM and before 11:30 PM. |
| $(triggername) | A global variable corresponding to a trigger name, when found in any correlation expression, is replaced with the current state of the trigger, either the keyword set or the keyword clear. For instance, if a trigger exists with the name MyLatch, then the comparison ($mylatch eq set) evaluates to true if the trigger is set. |
| $(triggername).N | A global variable corresponding to a trigger name, followed by a number (N), is replaced by the Nth word in the message that set the particular trigger. For instance, to test whether the third word of the message that set the MyLatch trigger contains the keyword login, you can specify the comparison (login in $mylatch.3). |
| $(triggername).address | A global variable corresponding to a trigger name, appended with .address, when found in a correlation expression, is immediately replaced by the IP address of the device that set the trigger. For instance, to see if the device that set the MyLatch trigger has the same IP address as the current message, you can specify the comparison ($mylatch.address eq $address). |
| $(triggername).facility | A global variable corresponding to a trigger name, appended with .facility, when found in a correlation expression, is immediately replaced by the facility of the message that set the trigger. For instance, to see if the facility of the message that triggered MyLatch was equal to internal, you can specify the comparison ($mylatch.facility eq internal). |
| $(triggername).severity | A global variable corresponding to a trigger name, appended with .severity, when found in a correlation expression, is immediately replaced by the severity of the message that set the trigger. For instance, to see if the severity of the message that triggered MyLatch was not equal to debug, you can specify the comparison ($mylatch.severity ne debug). |
| $(triggername).facnum | A global variable corresponding to a trigger name, appended with .facnum, when found in a correlation expression, is immediately replaced by the facility number of the message that set the trigger. This is the numeric value of the trigger message facility, ranging from 0=Kernel to 24=Other. For instance, to see if the facility of the message that triggered MyLatch was a localN facility, you can specify the comparison ($mylatch.facnum ge 16). |
| $(triggername).sevnum | A global variable corresponding to a trigger name, appended with .sevnum, when found in a correlation expression, is immediately replaced by the severity number of the message that set the trigger. For instance, to see if the severity of the message that triggered MyLatch was greater than info, you can specify the comparison ($mylatch.sevnum lt 6). |
| $(triggername).date | A global variable corresponding to a trigger name, appended with .date, when found in a correlation expression, is immediately replaced by the date of the message that set the trigger, in YYYY/MM/DD format. For instance, to see if the message that triggered MyLatch has the same date as the current message, you can specify the comparison ($mylatch.date eq $date). |
| $(triggername).wday | A global variable corresponding to a trigger name, appended with .wday, when found in a correlation expression, is immediately replaced by the weekday abbreviation of the message that set the trigger, one of mon, tue, wed, thu, fri, sat, or sun. For instance, you can specify the comparison ($mylatch.wday eq $wday). |
| $(triggername).time | A global variable corresponding to a trigger name, appended with .time, when found in a correlation expression, is immediately replaced by the time of the message that set the trigger, in 24-hour format ranging from 00:00:00 to 23:59:00. For instance, you can specify the comparison (12:00:?? in $mylatch.time). |
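To make the substitution rules concrete, here is a small evaluator, written for this page and not taken from the product, that expands the global variables described in the table (including the $(triggername) forms) and evaluates the resulting comparisons. It assumes that ? and * act as wildcards for the in operator, that trigger names are looked up case-insensitively ($mylatch for MyLatch), and that and/or chains are evaluated left to right; the sample message and trigger state are constructed.

```python
import re
from fnmatch import fnmatchcase
# Severity numbering as the page states it: 0=emergency .. 7=debug (standard syslog names assumed between).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

def field(msg, attr):
    """Value of one global variable for a message dict; None means leave the $-token unsubstituted."""
    if attr.isdigit():                      # $N: the Nth word, or no substitution if N exceeds the word count
        words, n = msg["text"].split(), int(attr)
        return words[n - 1] if 1 <= n <= len(words) else None
    if attr == "sevnum":                    # numeric severity derived from the severity name
        return str(SEVERITIES.index(msg["severity"]))
    return str(msg[attr]) if attr in msg else None

def expand(expr, msg, triggers):
    """Substitute $N, $address, $sevnum ... and $trigger, $trigger.N, $trigger.address ... into expr."""
    def repl(m):
        name, _, attr = m.group(1).partition(".")
        trig = triggers.get(name.lower())   # $mylatch refers to trigger MyLatch: bare -> set/clear, .X -> field X
        val = (field(trig["message"], attr) if attr else trig["state"]) if trig else field(msg, m.group(1))
        return m.group(0) if val is None else val
    return re.sub(r"\$(\w+(?:\.\w+)?)", repl, expr)

def contains(needle, hay):                  # 'in': substring test; ? and * wildcards are an assumption here
    needle = needle.strip("()")             # accepts the page's ((/??/01) not in $date) form
    return fnmatchcase(hay, "*" + needle + "*") if set("?*") & set(needle) else needle in hay
OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "in": contains,
       "not in": lambda a, b: not contains(a, b), "llt": lambda a, b: a < b, "lgt": lambda a, b: a > b,
       "lt": lambda a, b: int(a) < int(b), "le": lambda a, b: int(a) <= int(b),
       "gt": lambda a, b: int(a) > int(b), "ge": lambda a, b: int(a) >= int(b)}

def clause(text):                           # one 'lhs op rhs' comparison; 'not in' is tried before 'in'
    for op in sorted(OPS, key=len, reverse=True):
        lhs, sep, rhs = text.partition(f" {op} ")
        if sep:
            return OPS[op](lhs.strip(), rhs.strip())
    raise ValueError(f"no comparison operator in clause: {text!r}")

def evaluate(expr, msg, triggers=None):
    """Expand variables, evaluate each parenthesised clause, then chain results with and/or left to right."""
    expanded = expand(expr, msg, triggers or {})
    booleans = re.sub(r"\(((?:[^()]|\([^()]*\))*)\)", lambda m: str(clause(m.group(1))), expanded)
    tokens = booleans.split()
    result = tokens[0] == "True"
    for conj, val in zip(tokens[1::2], tokens[2::2]):
        result = (result and val == "True") if conj == "and" else (result or val == "True")
    return result

# Constructed sample input: the current message and the state of a trigger named MyLatch.
MSG = {"text": "login failed for user jsmith", "address": "10.1.2.2", "username": "jsmith", "facility": "auth",
       "facnum": "4", "severity": "warning", "date": "2024/05/01", "wday": "wed", "time": "23:15:10"}
TRIGGERS = {"mylatch": {"state": "set", "message": {"text": "bad password login attempt",
            "address": "10.1.2.2", "severity": "info", "facnum": "16", "time": "12:00:35"}}}
```

With this message, evaluate("($sevnum ge 3) and ($sevnum le 6)", MSG) is true and evaluate("((/??/01) not in $date)", MSG) is false, matching the table's descriptions of those expressions.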