Working with the Rule Editor

The Rule Editor is where you compose and test your notification rules. It has the following sections:

  • Rule Text. This is the editor where you create your rules. While the rule is valid, you see a green check at the top of the section. When the rule is not valid, you see a red X. As you are typing, the upper-right corner of the section gives feedback on how the rule is interpreted or where it thinks there may be errors.

    Press Ctrl + H to see the auto-complete help window. Depending on context, the auto-complete will show what options or operators are valid. The operators are described in the table in the next section.

    You can't save the rule unless it is evaluated as being a valid rule.

  • Sample data. Below the rule text is a series of fields where you can enter sample data. This helps you see the notification results, and helps you target your rule for specific conditions.

  • Rule Analysis. For valid rules, shows the order in which the logic is processed. This is especially helpful for complex notification rules, because you can confirm that the rule text is evaluated the way you expect.

  • Processing Result. Shows how the rule would process, based on the rule text and the sample data. If the rule and sample data combination would generate a notification, you see a green check. If the rule and sample data combination would not generate a notification, you see a red stop sign. This section then shows why it returned that result, helping you fine-tune your notification rule.

  • Event Browser. Shows all the defined system events. Click once on an event to see the sample data for that event. Double-click on an event to add that event's ID to the Rule Text.

    Use the Filter box to find specific events. The filter matches both the event category and the event name.

Notification rule editor operators

The notification rule language is human readable and writable. It supports bracketing, boolean operators, and short-circuit decisions, so complex decisions can be expressed.

The following table shows all the operators that are supported. To see which variables can use which operators, see the next section.

| Operator | Syntax¹ | Description |
|---|---|---|
| == (Equals) | a == b | Compares if a is equal to value b. Returns true if they are equal, otherwise returns false. |
| != (Not Equals) | a != b | Compares if a is not equal to value b. Returns true if they are not equal, otherwise returns false. |
| IN | a in [0010, 0020,0030] | Checks if value a is present in the specified [group]. Returns true if it is, otherwise returns false. The group is a comma separated list inside square brackets. |
| IS | a IS EMPTY | Argument must be one of: Empty (null or empty string); DN (value is DN); Number (value is a number); Letters (value is only letters); Whitespace (value is only whitespace). |
| MATCHES² | MATCHES "\\\\VED\\\\Policy\\\\.*" | Argument is a regular expression and variable must have a match to be TRUE. |
| LIKE | LIKE "rest" or LIKE "198.51.100.14/24" | For strings, acts as a "contains." For IP address: Argument is CIDR, and Source IP must be part of CIDR range. |
| < | a < b | Checks if value a is numerically less than value b. Returns true if it is, otherwise returns false. |
| > | a > b | Checks if value a is numerically greater than value b. Returns true if it is, otherwise returns false. |
| <= | a <= b | Checks if value a is numerically less than or equal to value b. Returns true if it is, otherwise returns false. |
| >= | a >= b | Checks if value a is numerically greater than or equal to value b. Returns true if it is, otherwise returns false. |
| && | a && b | Logical AND. Returns true if both a and b are true. Otherwise, returns false. |
| \|\| | a \|\| b | Logical OR. Returns true if either a or b is true. Otherwise, returns false. |
| ! | !a | Logical NOT. Inverts the value of a. Returns true if a is false, and false if a is true. |
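
The CIDR form of LIKE takes an argument such as "198.51.100.14/24", which names a host address together with a prefix length, so it helps to check which source addresses the rule would actually accept before relying on it. The following Python model is an added example, not code from the product or its documentation: the function names like and covered_range are hypothetical, and it assumes that the argument is read as the enclosing network and that the string form is case-sensitive.

```python
import ipaddress


def like(value: str, argument: str) -> bool:
    """Model of LIKE as the operator table describes it (not product code)."""
    if "/" in argument:
        try:
            # strict=False accepts host bits in the argument, so
            # "198.51.100.14/24" is read as the network 198.51.100.0/24.
            network = ipaddress.ip_network(argument, strict=False)
        except ValueError:
            network = None
        if network is not None:
            try:
                address = ipaddress.ip_address(value)
            except ValueError:
                return False  # value is not an IP address at all
            return address.version == network.version and address in network
    # String form: "contains". Case-sensitive matching is an assumption.
    return argument in value


def covered_range(argument: str) -> tuple[str, str]:
    """First and last address a CIDR argument covers under this model."""
    network = ipaddress.ip_network(argument, strict=False)
    return str(network[0]), str(network[-1])


# Constructed sample data, in the spirit of the editor's Sample data fields.
SAMPLES = ["198.51.100.14", "198.51.100.200", "198.51.101.14", "not-an-ip"]

if __name__ == "__main__":
    cidr = "198.51.100.14/24"
    print(cidr, "covers", covered_range(cidr))
    for source_ip in SAMPLES:
        print(f"{source_ip:>15} LIKE {cidr!r} -> {like(source_ip, cidr)}")
    print(like("connection restored", "rest"))  # string form: contains
```

Confirm the real behavior in the Processing Result section by entering the same addresses as sample data.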

Notification rule variables and supported operators

The following table shows the supported variables, and what operations are allowed for each variable.

 

Rules

Variable Example ==   != <   <=   >   >= LIKE MATCHES IS IN
Component \VED\Policy\Abc  
Data3 Some Text    
EventID 0x001f0003        
Grouping 154      
Severity Info      
SourceIP4 192.168.3.4/24      
Text1 Some Text  
Text2 Other text  
Value1 123      
Value2 456