Using Expressions and Wildcards to create groups, author rules and monitors, create console views and notification subscriptions, and in the Command Shell

We posted a great document on OpsManJam a couple years ago entitled “Regular Expression Support in SCOM 2007”.  I believe this document was originally authored by our very own Dan Rogers.  I have referenced this document more times than I can recall over the past couple years, because I’m terrible at remembering finer details like regular expression syntax.

Regular expression is not standardized, and SCOM uses slightly different implementations for different modules.  So it can get a little frustrating without knowing what is legal.

I thought the information in this document needed a refreshed exposure, and I wanted to present it in HTML format for easy access.  I only changed up the format to something a little more practical in terms of where and when to use which syntax.

 

Expression Filter – MP Authoring and Groups

Construct

Syntax

Any Character

.

Character in Range

[ ]

Character not in range

[^ ]

Beginning of Line

^

End of Line

$

Or

|

Group

( )

0 or 1 matches

?

0 or more matches

*

1 or more matches

+

Exactly N matches

{n}

At least N matches

{n, }

At most N matches

{ , n}

N to M Matches

{n, m}

New line character

\n

Tab character

\t

Note: Wildcards (below) can also be used in group calculation to match patterns.
Note: Be aware that if you are creating groups by using ‘matches regular expression’, this operator matches string with case sensitivity by default.  In these cases, you can turn off the case sensitivity matching by using syntax as follows.

Case insensitive syntax:   (?i:pattern)

 

Criteria Expression – Command Shell

Operator

Description

= , ==

Evaluates to true if the left and right operand are equal.

!= , <>

Evaluates to true if the left and right operand are unequal.

>

Evaluates to true if the left operand is greater than the right operand.

<

Evaluates to true if the left operand is less than the right operand.

>=

Evaluates to true if the left operand is greater than or equal to the right operand.

<=

Evaluates to true if the left operand is less than or equal to the right operand.

LIKE

Evaluates to true if the left operand matches the pattern that is defined by the right operand. Use the characters in the wildcard table later in this topic to define the pattern.

MATCHES

Evaluates to true if the left operand matches the regular expression defined by the right operand.

IS NULL

Evaluates to true if the value of the left operand is null.

IS NOT NULL

Evaluates to true if the value of the left operand is not null.

IN

Evaluates to true if the value of the left operand is in the list of values defined by the right operand.

Note: The IN operator is valid for use only with properties of type Guid.

AND

Evaluates to true if the left and right operands are both true.

OR

Evaluates to true if either the left or right operand is true.

NOT

Evaluates to true if the right operand is not true.

Note: Be aware that criteria expression ‘matches’ operator is case sensitive.
Note: Wildcards (below) can also be used in criteria expression to match patterns.

 

Wildcards – Views, Subscriptions, Command Shell, Groups

Note: The resultant view query sent to the operational database is in the form of a literal pattern match.

Wildcard

Description

%

A wildcard that matches any number of characters.

_

A wildcard that matches a single character.

[]

A wildcard that matches any one character that is enclosed in the character set. Note: Brackets are only use to match a MonitoringObject Name property. See below image for explanation.

[^]

A wildcard that matches any one character that is not enclosed in the character set. Note: Brackets are only use to match a MonitoringObject Name property. See below image for explanation.

Brackets in views will match a MonitoringObject Name property only.  For example, take a look at the Discovered Inventory view in the Operations Console.  Scope to something like Windows Server 2008 Logical Disk.

Brackets match MonitoringObject Name
image

So if I wanted to create an alert view showing all alerts that were generated by any drives except for A, B, C, D, E, F or G drives, I would form the expression as follows.

Example of alerts raised by logical drive instances
image

The resultant view of the criteria above 
image

If I took the carot symbol (^) out, then I would see alerts related only to A, B, C, D, E, F or G drives.

Comments

  • Anonymous
    January 01, 2003
    Eric - I haven't had any problems doing this just now.  I did several variations and all returned true data.  Could possibly be a console cache refresh problem in your case.  Try launching the console with /ClearCache switch.

  • Anonymous
    January 01, 2003
    Can you try to make a filter that is:

  • Without a ward in the Name of the alert
  • Anonymous
    January 01, 2003
    Can you try to do a filter with not containing a word (not a letter).I am trying and do not find a solution..

  • Anonymous
    March 18, 2011
    I am using the regex .{3}sql on netbios computer name to pull in servers that have a leading site code, then a function code of SQL into a group.  It finds the right servers but its also finding a server that has 4 leading characters as hfbzsql01 into the group.  What is going wrong?  What would a better regex be to say exactly 3?

  • Anonymous
    April 21, 2011
    ^.{3}(?i:SQL) did the trick.  Need that ^