Message Matcher Syntax
Message matching is done by the hekad router to choose the appropriate
filter(s) to run. Every filter that matches will get a copy of the
message.
Examples
- Type == "test" && Severity == 6
- (Severity == 7 || Payload == "Test Payload") && Type == "test"
- Fields[foo] != "bar"
- Fields[foo][1][0] == 'alternate'
- Fields[MyBool] == TRUE
- TRUE
- Fields[created] =~ /%TIMESTAMP%/
Relational Operators
- == equals
- != not equals
- > greater than
- >= greater than or equal to
- < less than
- <= less than or equal to
- =~ regular expression match
- !~ regular expression negated match
Logical Operators
- Parentheses are used for grouping expressions
- && and (higher precedence than ||)
- || or
Quoted String
- single- or double-quoted strings are allowed
- must be placed on the right side of a relational comparison, e.g. Type == 'test'
Regular Expression String
- enclosed by forward slashes
- must be placed on the right side of the relational comparison, e.g. Type =~ /test/
- capture groups will be ignored
Regular Expression Helpers
Commonly used complex regular expressions are provided as template
variables in the form of %TEMPLATE%,
e.g. Fields[created] =~ /%TIMESTAMP%/
Available templates
- TIMESTAMP - matches most common date/time string formats
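
The Python sketch below is an added example, not hekad's own code: a simplified evaluator for the grammar above that shows what && binding tighter than || does to routing. The sample messages and the names `tokenize`, `evaluate` and `matching` are constructed for illustration, and Python's `re` stands in for the router's regular expression engine.

```python
import operator
import re
from collections import deque

# Simplified model of this page's grammar, not hekad's parser. Not modelled:
# %TEMPLATE% helpers, Fields[foo][1][0] indexes, fields absent from a message.
TOKEN = re.compile(r"""\s*(?:(?P<op>==|!=|>=|<=|=~|!~|>|<|&&|\|\||\(|\))
    |(?P<str>"[^"]*"|'[^']*')|(?P<re>/(?:[^/\\]|\\.)*/)
    |(?P<num>-?\d+(?:\.\d+)?)|(?P<var>Fields\[\w+\]|\w+))""", re.X)
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def tokenize(expr):
    ms = list(TOKEN.finditer(expr))
    if "".join(m.group() for m in ms) != expr.rstrip():
        raise ValueError("unrecognised text in matcher")
    return deque([(m.lastgroup, m.group(m.lastgroup)) for m in ms] + [("end", None)])

def evaluate(expr, msg):
    toks = tokenize(expr)
    take = toks.popleft
    def chain(sub, op, combine):   # left-associative run of one operator
        v = sub()
        while toks[0] == ("op", op):
            take()
            v = combine(v, sub())
        return v
    def or_(): return chain(and_, "||", operator.or_)
    def and_(): return chain(test, "&&", operator.and_)  # binds tighter than ||
    def test():
        _, tok = take()
        if tok == "(":
            v = or_()
            take()                 # closing parenthesis
            return v
        if tok in ("TRUE", "FALSE"):
            return tok == "TRUE"
        lhs = msg["Fields"][tok[7:-1]] if tok.startswith("Fields[") else msg[tok]
        op, (rkind, rhs) = take()[1], take()
        if rkind == "re":          # unanchored search, capture groups unused
            return bool(re.search(rhs[1:-1], str(lhs))) == (op == "=~")
        val = rhs[1:-1] if rkind == "str" else float(rhs) if rkind == "num" else rhs == "TRUE"
        return CMP[op](lhs, val)
    return or_()

# Constructed sample messages
MSGS = [{"Type": "test", "Severity": 6, "Payload": "Test Payload", "Fields": {"foo": "bar"}},
        {"Type": "auth", "Severity": 7, "Payload": "login failed", "Fields": {"foo": "baz"}}]
def matching(expr, msgs=MSGS):
    return [m["Type"] for m in msgs if evaluate(expr, m)]
```

Without its parentheses, the second example matcher at the top of this page parses as `Severity == 7 || (Payload == "Test Payload" && Type == "test")`, so in this model a filter using it also receives a copy of the constructed `auth` message.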