Filter not working

Posted: Fri Mar 20, 2020 5:29 am
by connected
Hello!
I am trying to filter out some specific messages from a dashboard, but fail to succeed.
How can I see all messages with "Not permitted by policy" but exclude "@domain.com" ?

Message is (somewhat like):
<132>1 2020-03-20T11:20:56.000+01:00 node2 [meta sequenceId="38345"] 2020-03-20T11:20:56.895+01:00 node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="[email protected]" Protocol="UDP" Level="1" UTCTime="2020-03-20 10:20:56,895"

Query is:
"Not permitted by policy"

Filtering is (besides a time range):
field: mustNot
field: message
query: @domain.com

Re: Filter not working

Posted: Fri Mar 20, 2020 1:09 pm
by scottwilkerson
I think if you change the query in the filter from @domain.com to just domain.com it should work

The message field is "analyzed" and will break this apart, which is likely causing the problem.

Re: Filter not working

Posted: Sat Mar 21, 2020 2:53 am
by connected
Nope. This also doesn't work. Is there a better reference I should look at than the Nagios Log Server documentation?

Re: Filter not working

Posted: Sat Mar 21, 2020 11:17 am
by connected
Sorry, but without @ it also does not work.

Re: Filter not working

Posted: Mon Mar 23, 2020 8:09 am
by scottwilkerson
Is the actual message field in Nagios Log Server like the following or is it broken up into separate fields?

Code:

<132>1 2020-03-20T11:20:56.000+01:00 node2 [meta sequenceId="38345"] 2020-03-20T11:20:56.895+01:00 node2: Event="Registration Rejected" Reason="Not permitted by policy" Dst-alias="[email protected]" Protocol="UDP" Level="1" UTCTime="2020-03-20 10:20:56,895"

Re: Filter not working

Posted: Sun Mar 29, 2020 7:41 am
by connected
It indeed is one line.
The following query does work! :o

"Not permitted by policy" -domain.com*

This is just trial and error. Is there any documentation about how this query and filtering works?

Re: Filter not working

Posted: Mon Mar 30, 2020 3:09 pm
by scottwilkerson
I'm glad you found a solution.
connected wrote: Is there any documentation about how this query and filtering works?
It can get quite tricky if you are not breaking the messages apart with a grok filter to just look at the individual pieces, because the message field is always going to be analyzed, and searching is going to look at the determined individual pieces.

Here is some information on Lucene queries:
https://lucene.apache.org/core/2_9_4/qu ... yntax.html
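As an added illustration (not code from the thread or from Nagios Log Server), the Python below models why the query behaves this way: a simplified stand-in for the standard analyzer turns the line into tokens, the working query ("phrase" -prefix*) is evaluated over those tokens, and a grok-style key="value" split turns the exclusion into an exact per-field test. The tokenizer rules, the placeholder address and the field names are assumptions.

```python
import re

# Constructed sample line modelled on the thread's message; the address is a
# placeholder because the original page shows it redacted.
SAMPLE = ('<132>1 2020-03-20T11:20:56.000+01:00 node2 [meta sequenceId="38345"] '
          '2020-03-20T11:20:56.895+01:00 node2: Event="Registration Rejected" '
          'Reason="Not permitted by policy" Dst-alias="user@domain.com" '
          'Protocol="UDP" Level="1" UTCTime="2020-03-20 10:20:56,895"')

# Simplified stand-in for the standard analyzer (assumption): lowercase word
# tokens, dotted runs such as "domain.com" kept whole, "@", quotes and "=" dropped.
TOKEN_RE = re.compile(r"[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*")

def tokenize(text):
    """What an analyzed text field stores: the tokens, not the raw string."""
    return [t.lower() for t in TOKEN_RE.findall(text)]

def matches_lucene(message, phrase, excluded_prefix):
    """Evaluate the thread's working query  "<phrase>" -<excluded_prefix>*
    over the token stream: the phrase must occur as consecutive tokens and
    no token may start with the excluded prefix."""
    toks = tokenize(message)
    want = tokenize(phrase)
    n = len(want)
    phrase_hit = any(toks[i:i + n] == want for i in range(len(toks) - n + 1))
    prefix_hit = any(t.startswith(excluded_prefix.lower()) for t in toks)
    return phrase_hit and not prefix_hit

def exact_token_present(message, term):
    """A term filter compares against whole stored tokens; "@domain.com" is never one."""
    return term.lower() in tokenize(message)

# Grok-style extraction of key="value" pairs (pattern is an assumption).
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def grok_fields(message):
    """Break the line into fields so each piece can be matched exactly."""
    return dict(KV_RE.findall(message))

def rejected_outside_domain(message, domain="domain.com"):
    """Field-level version of the dashboard filter: policy rejections whose
    destination alias is not in the excluded domain."""
    f = grok_fields(message)
    return (f.get("Reason") == "Not permitted by policy"
            and not f.get("Dst-alias", "").endswith("@" + domain))
```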