KBI 220221 AND And OR Logic In Argent Rules

Version

XT 7.0A and later

Date

21 May 2004

Summary

Many Argent Rules use the OR keyword.

Technical Background

In all these cases, an OR button is provided in the top-right corner for entering the keyword OR.

The logic of the condition is:

  • AND logic is assumed between items not separated by the keyword OR.
  • If any group separated by the keyword OR is true, the condition is true.
  • If there are multiple condition lists, AND logic is assumed between the lists. In other words, the rule is true if and only if all the condition lists are true.
  • An empty condition list is assumed to be true.

Example One

Performance Rule ‘PRF_SERVER_REALLY_BUSY’ has the following lines in the list:

% Processor Time of Processor (0) GREATER THAN 80.00

Pages/sec of Memory GREATER THAN 100.00

The rule is true if and only if CPU usage is greater than 80% and Pages/sec is greater than 100.

Both conditions must be true for the rule to be broken.

Example Two

Performance rule ‘PRF_SERVER_SOMEWHAT_BUSY’ has the following lines in the list:

% Processor Time of Processor (0) GREATER THAN 80.00

OR

Pages/sec of Memory GREATER THAN 100.00

The rule is true if and only if CPU usage is greater than 80% OR Pages/sec is greater than 100.

The rule is broken if either of these conditions is true.

Example Three

Performance rule ‘PRF_SERVER_BAD_SHAPE’ has the following lines in the list:

% Processor Time of Processor (0) GREATER THAN 80.00

Pages/sec of Memory GREATER THAN 100.00

OR

% Free Space of LogicalDisk (Any Instance) LESS THAN 30.00

The rule is true if and only if CPU usage is greater than 80% and Pages/sec is greater than 100, or some disk has less than 30% free space. So, if any disk on the machine has less than 30% free space, the rule is broken. Or, if the machine has CPU usage greater than 80% and Pages/sec greater than 100, the rule is broken.

Example Four

Event Log Rule ‘EVT_EVENT_1000’ has the following conditions:

(Event ID Filter) Include Events With ID Equal 1000

(Event String Filter) Empty

(Event Time Filter) Empty

The rule is true if and only if the event id is 1000. The event string filter and time filter are empty, so they are assumed to be true.

Example Five

Event Log Rule ‘EVT_EVENT_1000_ROUTER’ has the following conditions:

(Event ID Filter) Include Events With ID Equal 1000

(Event String Filter) Include Events Contains String “Router” From Event Fields: Text

(Event Time Filter) Empty

The rule is true if and only if the event ID is 1000 and the event detail contains the string ‘router’. The event time filter is empty, so that is assumed to be true.

Example Six

Event Log Rule ‘EVT_EVENT_1000_ROUTER_10PM’ has the following conditions:

(Event ID Filter) Include Events With ID Equal 1000

(Event String Filter) Include Events Contains String “Router” From Event Fields: Text

(Event Time Filter) Include Events Occurring After 22:00 And Before 23:00

The rule is true if and only if the event ID is 1000, the event detail contains the string ‘router’, and the event happens between 10 p.m. and 11 p.m. on any day.
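The evaluation order described under Technical Background, written out as an added Python sketch (not Argent code) and applied to the condition list of Example Three. The function names, the sample readings, treating a missing counter as false, passing per-instance values as a list, and rejecting a leading or trailing OR are assumptions of this sketch, not documented Argent behaviour.

```python
import operator

# Comparison keywords as they appear in the rule lines quoted in this article.
OPS = {"GREATER THAN": operator.gt, "LESS THAN": operator.lt}
CPU = "% Processor Time of Processor (0)"
PAGES = "Pages/sec of Memory"
DISK = "% Free Space of LogicalDisk (Any Instance)"
# Condition list of PRF_SERVER_BAD_SHAPE (Example Three).
BAD_SHAPE = [f"{CPU} GREATER THAN 80.00", f"{PAGES} GREATER THAN 100.00",
             "OR", f"{DISK} LESS THAN 30.00"]


def parse_list(lines):
    """Split one condition list into OR-separated groups of (counter, op, value)."""
    groups, current = [], []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        if line == "OR":
            groups.append(current)
            current = []
            continue
        for name in OPS:
            counter, sep, threshold = line.rpartition(f" {name} ")
            if sep:
                current.append((counter, name, float(threshold)))
                break
        else:
            raise ValueError(f"unrecognised condition: {line!r}")
    groups.append(current)
    if len(groups) > 1 and not all(groups):
        # Assumption: a dangling OR is an authoring error, not an always-true group.
        raise ValueError("OR must separate two non-empty groups")
    return groups


def holds(cond, sample):
    counter, name, threshold = cond
    values = sample.get(counter, [])  # assumption: missing counter means false
    if not isinstance(values, list):
        values = [values]             # a list carries one reading per instance
    return any(OPS[name](v, threshold) for v in values)


def list_is_true(lines, sample):
    # AND inside each group, OR between groups; an empty list is one empty
    # group, and all() of nothing is True, matching "empty is assumed true".
    return any(all(holds(c, sample) for c in g) for g in parse_list(lines))


def rule_is_broken(condition_lists, sample):
    # AND across the rule's condition lists.
    return all(list_is_true(lines, sample) for lines in condition_lists)
```

Calling rule_is_broken([BAD_SHAPE, []], {CPU: 10, PAGES: 10, DISK: [60, 12]}) returns True: the second disk instance satisfies the group after OR, and the empty second list counts as true.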

Resolution

N/A.