An event selector defines a set of events.
An event selector is a regular expression that defines a set of events based on their property data (attributes or sub-elements). For example, an event selector might specify all events from a particular host whose severity is greater than 30 (warning). Event selectors are used to define event groups, specify filter criteria, and query the event server.
Because the Common Base Event specification is based on XML, event selectors are written using a subset of XPath syntax. The specific syntax you can use for an event selector depends on how the event selector is to be used, as summarized by the following table.
Event selector purpose | Syntax |
---|---|
Event group definition | Limited to XPath subset supported by default data store plug-in |
Event query and purge through event access interface | Limited to XPath subset supported by default data store plug-in |
Emitter filter configuration | Any valid XPath |
Subscription through Notification Helper interface | Any valid XPath |
XPath is a standard language used to identify parts of an XML document; for more information, see the XPath specification at http://www.w3.org/TR/xpath.
CommonBaseEvent[@attribute = value]The value can be either a numeric value or a string enclosed in single or double quotation marks.
CommonBaseEvent[/subelement/@attribute = value]
When using XPath operators, keep the following general rules in mind:
The following examples are valid XPath event selectors.
XPath event selectors | Selector definition |
---|---|
CommonBaseEvent[@extensionName = 'ApplicationStarted'] | All events with the extensionName attribute ApplicationStarted |
CommonBaseEvent[sourceComponentId/ @location = "server1"] | All events containing a sourceComponentId element with the location attribute server1 |
CommonBaseEvent[@severity] | All events with a severity attribute, regardless of its value |
CommonBaseEvent[@creationTime < '2003-12-10T12:00:00-05:00' and @severity > 30] | All events created before noon EST on 10 December 2003 and with severity greater than 30 (warning): |
CommonBaseEvent[contains(@msg, 'disk full')] | All events with the phrase disk full occurring within the msg attribute |
CommonBaseEvent[(@severity = 30 or @severity = 50) and @priority = 100] | All events whose severity atrribute is equal to 30 or 50, and whose priority is equal to 100. |
CommonBaseEvent[30 < @priority and contains('this message', @msg)]Instead, this could be rewritten as follows:
CommonBaseEvent[@priority > 30 and contains(@msg, 'this message')]
CommonBaseEvent[predicate_expression]Only a single predicate expression can be associated with the CommonBaseEvent element. Stacked predicates are not supported (for example, CommonBaseEvent[@extensionName = "server_down"][@severity = 10]).
CommonBaseEvent[contextDataElement[@contextValue = "myContextValue"] /@contextId = "myContextId"]Instead, this could be rewritten as follows:
CommonBaseEvent[contextDataElement[@contextValue = "myContextValue" and @contextId = "myContextId"]]
CommonBaseEvent[extendedDataElements[@type = 'int' and children/@type = 'intArray' and children/@name = 'myName' and @value = 10]]Instead, this could be rewritten as follows, grouping the top-level and second-level attributes together:
CommonBaseEvent[extendedDataElements[@type = 'int' and @value = 10 and children/@type = 'intArray' and children/@type = 'myName']]
CommonBaseEvent[extendedDataElements[values = "myVal" and @type = "string"]]
CommonBaseEvent[extendedDataElements[(values = "myVal" or values = "yourVal") and @type = "string"]]In this example, the type expression applies to both parts of the compound expression in parentheses. You cannot override this by specifying a different type expression inside the parentheses.
CommonBaseEvent[extendedDataElements[values = "myVal" and starts-with(@type, 'string')]]