4.1.2 Defining a filter condition block

A filter condition block specifies filtering conditional statements for the NNMi incidents that are to be converted into JP1 events. The filtering conditional statements consist of conditional statements and exclusion conditions. Specification of a filter condition block is mandatory.

Organization of this subsection

(1) Format of a filter condition block
(2) Operators
(3) Operands
(4) Attributes of NNMi incidents
(5) Attribute values of NNMi incidents
(6) Examples of filter condition blocks

(1) Format of a filter condition block

Specify a filter condition block in the following format:

attribute-nameΔoperatorΔoperand-1Δoperand-2Δ...

Δ indicates one or more consecutive spaces or tabs.

attribute-name

Specifies an attribute name of NNMi incidents.
operator

Specifies a condition for filtering the NNMi incidents.
operand

Specifies a value for filtering the NNMi incidents.

When the attribute value corresponding to the attribute name is compared with the value specified in the operand in a case sensitive manner, if the operator condition is satisfied, the filter condition is established.

For example, if you want to convert into JP1 events those NNMi incidents whose name (NAME) is SNMPLinkDown, specify the following filtering conditional statement:

NAME IN SNMPLinkDown

Details about the attribute names, operators, and operands are provided in the following subsections.

To Page Top

(2) Operators

The following table lists and describes the operators that can be specified in filtering conditional statements.

Table 4‒2: Operators permitted in filtering conditional statements
Operator	Permitted number of operands	Condition
`IN`	One or more	The attribute's value matches the character string, integer, or date specified in an operand.
`NOTIN`	One or more	The attribute's value does not match the character string, integer, or date specified in any operand.
`SUBSTR`	One or more	The attribute's value contains a character string specified in an operand.
`NOTSUBSTR`	One or more	The attribute's value does not contain any of the character strings specified in an operand.
`BEGIN`	One or more	The attribute's value begins with one of the character strings specified in an operand.
`REGEX` ^#	One or more	The attribute's value matches one of the regular expressions specified in an operand. For details about the supported regular expressions, see E. Regular Expressions.
`RANGE`	Two	The attribute's value satisfies the condition: `operand-1` ≤`attribute-value`≤`operand-2`.

#: A regex that compares keywords can be used in filter conditional statements. Such expressions find perfect matches. As a result, when comparing prefixes, use a regular expression that allows the prefixes to be compared by, for example, adding a period followed by an asterisk (.*) after the regular expression.

To Page Top

(3) Operands

Specify in the operands the values to be used to filter the NNMi incidents; an operand value can be a character string, integer, or date.

This subsection explains special formats.

(a) When specifying two-digit hexadecimal numbers

An operand cannot contain a space, tab, CR, LF, or percent sign. However, except when the operator is REGEX, you can represent each of these items with a two-digit hexadecimal number in the format %ASCII-code, as shown below:

Space: %20
Tab: %09
CR: %0d
LF: %0a
%: %25

Characters other than the above can also be expressed in the format %ASCII-code (2-digit hexadecimal number).

(b) When the data type of an attribute value is a date

If the data type of an attribute value is a date, specify the operand in the format shown in the table below.

Table 4‒3: Operand format (for date type)
Operator	Format	Description
`IN` `NOTIN`	`yyyyMMddHHmmssSSS`	Specify a value in the range from `20000101000000000` to `20991231235959999` according to the locale of the OS.
`RANGE`	`yyyyMMddHHmmssSSS` `yyyyMMddHHmmss` `yyyyMMddHHmm` `yyyyMMddHH` `yyyyMMdd`	Specify a value in the range from `20000101000000000` to `20991231235959999` according to the locale of the OS.

Legend:

yyyy: Year (specify a value from 2000 to 2099)

MM: Month (specify a value from 01 to 12)

dd: Date (specify a value from 01 to 31)

HH: Hour (specify a value from 00 to 23)

mm: Minute (specify a value from 00 to 59)

ss: Second (specify a value from 00 to 59)

SSS: Millisecond (specify a value from 000 to 999)

If the operator is RANGE, the values following yyyyMMdd (year-month-date) can be omitted. If they are omitted, the values shown in the following table are set:

Operand	Hour (HH)	Minute (mm)	Second (ss)	Millisecond (SSS)
Operand 1	`00`	`00`	`00`	`000`
Operand 2	`23`	`59`	`59`	`999`

To Page Top

(4) Attributes of NNMi incidents

The table below lists the attributes of NNMi incidents and the operators that can be used in conjunction with those attributes. For details about the attributes, see the documentation for each NNMi product.

Table 4‒4: Attributes of NNMi incidents and the operators that can be used
Attribute	Attribute name	Data type	Operator
Attribute	Attribute name	Data type	IN NOTIN	SUBSTR NOTSUBSTR BEGIN REGEX	RANGE
Source	`SRC_NAME`	Character string	Y	Y	N
Source Type	`SRC_TYPE`	Character string	Y	Y	N
Source Node	`SRC_NODE_NAME`^#1	Character string	Y	Y	N
Source Node (correlation conversion)	`SRC`^#1	Character string	Y	N	N
Name	`NAME`	Character string	Y	Y	N
Severity	`SEVERITY_UK`^#2	Character string	Y	N	Y^#3
Priority	`PRIORITY_UK`^#2	Character string	Y	N	Y^#3
Lifecycle State	`LIFECYCLE_STATE_UK`^#2	Character string	Y	Y	N
Assigned To	`ASSIGNED_TO`	Character string	Y	Y	N
Category	`CATEGORY_UK`^#2	Character string	Y	Y	N
Family	`FAMILY_UK`^#2	Character string	Y	Y	N
Origin	`ORIGIN_UK`^#2	Character string	Y	Y	N
Correlation Nature	`NATURE_UK`^#2	Character string	Y	Y	N
Duplicate Count	`DUPLICATE_COUNT`	Integer	Y	N	Y
Message	`FORMATTED_MESSAGE`	Character string	Y	Y	N
Notes	`NOTES`	Character string	Y	Y	N
RCA Active	`RCA_ACTIVE`	Character string	Y	N	N
Origin Occurrence Time	`ORIGIN_OCCUR_TIME`	Date	Y	N	Y
First Occurrence Time	`FIRST_OCCUR_TIME`	Date	Y	N	Y
Last Occurrence Time	`LAST_OCCUR_TIME`	Date	Y	N	Y
Created	`CREATED`	Date	Y	N	Y
Last Update Time	`MODIFIED`	Date	Y	N	Y
Number of Custom Attributes	`CIANUM`	Integer	Y	N	Y
Custom Attribute Name	`CIANAME_$n`^#4	Character string	Y	Y	N
Custom Attribute Type	`CIATYPE_$n`^#4	Character string	Y	Y	N
Custom Attribute Value	`CIAVALUE_$n`^#4	Character string	Y	Y	N

Legend:

Y: Can be used

N: Cannot be used

#1

When SRC is used in a conditional statement, correlation conversion is performed on the host name or IP address specified in the operand as required, and then the result is compared with the attribute value.

When SRC_NODE_NAME is used in a conditional statement, the host name or IP address specified in the operand is compared as is with the attribute value, without performing correlation conversion.

#2

The attribute value is predefined. For details about the attribute value, see (5) Attribute values of NNMi incidents.

#3

For the value range of Severity and Priority, see SEVERITY_UK and PRIORITY_UK in Table 4-5 Attribute names, attribute values, and labels of NNMi incidents in (5) Attribute values of NNMi incidents. The attribute values of SEVERITY_UK and PRIORITY_UK are listed in ascending order.

#4

$n indicates the index of a custom attribute. It will be replaced with a number in the range from 1 to the number of custom attributes (CIANUM).

Example: In the case of the fourth custom attribute value, define as CIAVALUE_4.

To Page Top

(5) Attribute values of NNMi incidents

Some of the attributes of NNMi incidents have predefined attribute values (Unique Key). The following table lists the attribute names, attribute values, and display names (labels) in the NNMi windows of the attributes whose attribute values are predefined.

Table 4‒5: Attribute names, attribute values, and labels of NNMi incidents
Attribute name	Attribute value (Unique Key)	Label
`SEVERITY_UK`	`NORMAL`	`Normal`
	`WARNING`	`Warning`
	`MINOR`	`Minor`
	`MAJOR`	`Major`
	`CRITICAL`	`Critical`
`PRIORITY_UK`	`com.hp.nms.incident.priority.None`	`None`
	`com.hp.nms.incident.priority.Low`	`Low`
	`com.hp.nms.incident.priority.Medium`	`Medium`
	`com.hp.nms.incident.priority.High`	`High`
	`com.hp.nms.incident.priority.Top`	`Top`
`LIFECYCLE_STATE_UK`	`com.hp.nms.incident.lifecycle.Registered`	`Registered`
	`com.hp.nms.incident.lifecycle.InProgress`	`InProgress`
	`com.hp.nms.incident.lifecycle.Completed`	`Completed`
	`com.hp.nms.incident.lifecycle.Closed`	`Closed`
`CATEGORY_UK`^#	`com.hp.nms.incident.category.Accounting`	`Accounting`
	`com.hp.nms.incident.category.Alert`	`Alert`
	`com.hp.nms.incident.category.Status`	`Status`
	`com.hp.nms.incident.category.Security`	`Security`
	`com.hp.nms.incident.category.Performance`	`Performance`
	`com.hp.nms.incident.category.Fault`	`Fault`
	`com.hp.nms.incident.category.Config`	`Config`
	`jp.co.Hitachi.soft.jp1.sso.incident.category.Resource`	`Resource`
	`jp.co.Hitachi.soft.jp1.sso.incident.category.Proccess`	`Proccess`
	`jp.co.Hitachi.soft.jp1.sso.incident.category.Service`	`Service`
	`jp.co.Hitachi.soft.jp1.sso.incident.category.Application`	`Application`
`FAMILY_UK`^#	`com.hp.nms.incident.family.BGP`	`BGP`
	`com.hp.nms.incident.family.HSRP`	`HSRP`
	`com.hp.nms.incident.family.OSPF`	`OSPF`
	`com.hp.nms.incident.family.RAMS`	`RAMS`
	`com.hp.nms.incident.family.RMON`	`RMON`
	`com.hp.nms.incident.family.RRP`	`RRP`
	`com.hp.nms.incident.family.STP`	`STP`
	`com.hp.nms.incident.family.Syslog`	`Syslog`
	`com.hp.nms.incident.family.VLAN`	`VLAN`
	`com.hp.nms.incident.family.VRRP`	`VRRP`
	`com.hp.nms.incident.family.Address`	`Address`
	`com.hp.nms.incident.family.Interface`	`Interface`
	`com.hp.nms.incident.family.ComponentHealth`	`Component Health`
	`com.hp.nms.incident.family.Chassis`	`Chassis`
	`com.hp.nms.incident.family.trap.Analysis`	`Trap Analysis`
	`com.hp.nms.incident.family.Node`	`Node`
	`com.hp.nms.incident.family.Board`	`Board`
	`com.hp.nms.incident.family.License`	`License`
	`com.hp.nms.incident.family.AggregatePort`	`Aggregate port`
	`com.hp.nms.incident.family.Connection`	`Connection`
	`com.hp.nms.incident.family.Correlation`	`Correlation`
	`jp.co.Hitachi.soft.jp1.sso.incident.family.SSO`	`SSO`
	`jp.co.Hitachi.soft.jp1.sso.incident.family.APM`	`APM`
`ORIGIN_UK`	`MANAGEMENTSOFTWARE`	`Management software`
	`MANUALLYCREATED`	`Manually created`
	`REMOTELYGENERATED`	`Remotely generated`
	`SNMPTRAP`	`SNMP trap`
	`SYSLOG`	`System log`
	`OTHER`	`Other`
`NATURE_UK`	`ROOTCAUSE`	`Root Cause`
	`SECONDARYROOTCAUSE`	`Secondary root cause`
	`SYMPTOM`	`Symptom`
	`STREAMCORRELATION`	`Stream Correlation`
	`NONE`	`None`

#: If Category and Family have not only the NNMi-provided attribute values but also user-defined attribute values, you must create a mapping definition file. For details, see 4.2 Creating a mapping definition file.

To Page Top

(6) Examples of filter condition blocks

This subsection presents examples of filter condition blocks.

This example selects those NNMi incidents whose source node is host1 (IP address is 10.0.0.1):

SRC_NODE_NAME IN host1 10.0.0.1

SRC IN host1

SRC IN 10.0.0.1

This example selects those NNMi incidents whose message begins with Hello, world, where %20 between , and w indicates a space:

FORMATTED_MESSAGE BEGIN Hello,%20world

This example selects those NNMi incidents whose source node is not host2 (IP address is 10.0.0.2) and whose name begins with SNMP:

SRC NOTIN host2

NAME BEGIN SNMP

This example selects those NNMi incidents that have TASK_NAME as the name of the second custom attribute and Inventory_Management as its value:

CIANAME_2 IN TASK_NAME

CIAVALUE_2 IN Inventory_Management

This example selects those NNMi incidents that occurred on or after January 1, 2010:

ORIGIN_OCCUR_TIME RANGE 20100101 20991231

This example selects the following NNMi incidents:

NNMi incidents whose severity falls in the range from MINOR to CRITICAL and whose Priority is Low
NNMi incidents whose priority is Low and whose NAME contains Interface

SEVERITY_UK RANGE MINOR CRITICAL

PRIORITY_UK NOTIN com.hp.nms.incident.priority.Low

OR

PRIORITY_UK IN com.hp.nms.incident.priority.Low

NAME SUBSTR Interface

This example selects those NNMi incidents whose category is Fault or Security or whose severity is CRITICAL, but excludes those NNMi incidents whose source node name is host3 (IP address is 10.0.0.3):

CATEGORY_UK IN com.hp.nms.incident.category.Fault com.hp.nms.incident.category.Security

OR

SEVERITY_UK IN CRITICAL

EXCLUDE

SRC IN host3

To Page Top