We have a lot of automated tests from Nagios poking at our servers which trigger a lot of log messages that I really don't care to see. In this case, it would be really nice to be able to filter on log message that exclude a certain pattern, such as 'show me all log entries that don't contain my.nagios.host.name'.
I see that this is on the TODO list, but I figured I'd post the short hack that I made against 3.0beta10 to allow this type of negative search. This patch adds a "Exclude message text from results" checkbox on the main search page.
Apologies for posting the patch inline. The 'post' button on the forum doesn't seem to do anything if a file is attached.
--Wart
--- html/includes/portlets/portlet-sphinxquery.php.orig 2010-03-02 21:42:34.867099445 -0800
+++ html/includes/portlets/portlet-sphinxquery.php 2010-03-02 21:44:46.310978133 -0800
@@ -22,4 +22,6 @@
?>
<B>Message Text</B>
<input type="text" name="msg_mask" id="msg_mask" size=40>
-
+<BR>
+<input type="checkbox" name="msg_mask_negate" id="msg_mask_negate">
+<B>Exclude message text from results</B>
--- html/includes/portlets/portlet-table.php.orig 2010-03-02 21:40:45.053723931 -0800
+++ html/includes/portlets/portlet-table.php 2010-03-02 21:47:33.357205453 -0800
@@ -83,9 +83,15 @@
}
// portlet-sphinxquery
+$msg_mask_negate = get_input('msg_mask_negate');
$msg_mask = get_input('msg_mask');
if ($msg_mask) {
- $where.= " AND msg RLIKE '$msg_mask'";
+ if ($msg_mask_negate) {
+ $where.= " AND msg NOT RLIKE '$msg_mask'";
+ } else {
+ $where.= " AND msg RLIKE '$msg_mask'";
+ }
+ $qstring .= "&msg_mask_negate=$msg_mask_negate";
$qstring .= "&msg_mask=$msg_mask";
}
