evmfilter.5 (2010 09)
e
EvmFilter(5) EvmFilter(5)
Operator Alternate Meaning
= eq Equal
> gt Greater Than
< lt Less Than
>= ge Greater Than or Equal
<= le Less Than or Equal
!= ne Not Equal
An age-specifier comprises an integer value followed immediately by one of the letters
w (weeks),
d (days), h (hours), m (minutes) or s
(seconds). An age-specifier produces an absolute time value rela-
tive to the present time, and is most likely to be useful in retrieving historical events through evmget or
the event viewer. It is not meaningful to use an age-specifier when setting a filter for use by the EVM
logger or evmwatch.
If a period of weeks is specified, the period is converted to days by multiplying it by 7. When calculating
an absolute time for an age specified in weeks or days, the first day is always regarded as the period from
the previous midnight until the present time, and earlier days are counted from midnight to midnight.
For example, if an age-specifier of
1d is given, events are selected relative to 12:00 a.m. on the same day.
A value of
2d would select events relative to 12:00 a.m. the previous day. A value of
0d is valid, and is
equivalent to
1d. See the following examples for more information.
If a period of hours, minutes or seconds is specified, an absolute time is calculated by subtracting the age
from the current time, without regard to day boundaries. For example, if an age-specifier of
24h is given
at
15:23:14, events are selected relative to 15:23:14 on the previous day.
A time-range-specifier consists of seven colon-separated fields in the following format:
year:month-of-year:day-of-month:day-of-week:hours:minutes:seconds
Any component in the time range may be replaced by an asterisk (*) character as a wildcard, meaning
that any value in this component will match the filter. You can specify multiple discrete values for a com-
ponent by separating them with a comma. You can specify a range by using a hyphen to separate the
starting and ending values for the range. An absolute-time-specifier is very similar to the time-range-
specifier . It has only six components, and does not allow the use of wild cards. It has the following for-
mat:
year:month-of-year:day-of-month:hours:minutes:seconds
In both forms of time specification, the range of values for each component is shown in the following table.
Specifier Range
year 1970 to 2030
month-of-year 1to12
day-of-month 1to31
day-of-week 0 (Sun) to 6
hours 0to23
minutes 0to59
seconds 0to59
Any expression may be inverted (logically negated) by the use of the NOT operator, the exclamation mark
(!) or the keyword NOT.
A complex filter is composed of two or more simple filters, combined using the AND (
& or keyword AND)
and OR (| or keyword OR) logical operators. Component filter expressions may be grouped in
parentheses (( and )) to set the precedence of test operations. The order of precedence of logical and
grouping operators (highest to lowest) is:
()!&|
Event filters can be direct or indirect. A direct filter is a text string appearing at the point of filter
specification. An indirect filter is contained in a file, and is referred to using the following syntax:
@filename:filtername
See evmfilterfile (4) for more information about using indirect filters.
If an event being evaluated does not contain the item being compared in a filter expression, the expres-
sion always yields no match. For example, if the timestamp item is missing from the event and you
include the before keyword in a filter string, that part of the filter will return no match.
2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010