Solved: Re: Declarative process grouping - what is the format of the detection rule definition condition?

fstekelenburg · ‎03 Mar 2022

The documentation on the conditions in the Detection rule definition of a Declarative process group is not very elaborate. it is somewhat clear that you do not need to use quotes for the value (e.g. svc in $contains(svc)), but what in situations the arguments contains quotes and spaces?

Especially when it comes to command line arguments, that can be used as property.
For example this situation, a process is started like:

myprocess.exe -instance"MYUI interface" -domain"c1234"

Questions:

the command line arguments can contain also (double) quotes. How to deal with quotes?
$contains(c1234) works. But $contains(-domain"c1234") or $contains(-domain\"c1234\") do not.
and when there are spaces?
It looks like $contains(MYUI interface) works. It doesn't with quotes.
does the $eq and $contains look at the whole range of command line arguments, or individual ones?
Like, should I be able to use for command line arguments: $eq(-d -p -id=10)
Or need these all be separate detection rules?

And, do I get a match when I use $eq(-d -p -id=10) or when I use $eq(-d)

$contains(svc) – Matches if svc appears anywhere in the process property value.
$eq(svc.exe) – Matches if svc.exe matches the process property value exactly.
$prefix(svc) – Matches if app matches the prefix of the process property value.
$suffix(svc.py) – Matches if svc.py matches the suffix of the process property value.

Documentation: Declarative process grouping | Dynatrace Docs

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner

fstekelenburg · ‎25 Mar 2022

Oke, here is the answer, after a session with One Support, who had to inquire with the responsible team internally as well:

Quotes - it is possible to use quotes when defining the rules, but the caveat is this:
If the command line arguments looks like: ./sleep --test=\"aaa\"
The rule should be $eq(--test="aaa")
But if the command line arguments look like ./sleep --test="aaa"
Then the rule should be $eq(--test=aaa)
Note: this is a bit tricky and appears reversed. You can see in the definitions through the API that Dynatrace adds the \ to the quotes.
Spaces - spaces can be used without problem. Taking in account the possible use of quotes above.
Arguments - every argument needs to go to a different rule

So, to capture the example from the original question above, myprocess.exe -instance"MYUI interface" -domain"c1234", you need to create two rules:

1st rule: $eq(-instance MYUI interface)

2nd rule: $eq(-domain c1234)

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner

AK · ‎21 Jul 2025

@fstekelenburg need help on similar challenge. My issue explained in more details here

Below is the command line argument:

python service.py -m PROCESS1 -i 0123

Do we need to add three rules like below? also is restart of processes needed after creating a rule?

$eq(python service.py)
$eq(-m process1)
$eq(-i 0123)

Regards,
AK

AK · ‎25 Jul 2025

Creating rule for each parameter like below worked. Support helped to depart this challenge.

$eq(python)
$eq(service.py)
$eq(-m)
$eq(PROCESS1)
$eq(-i)
$eq(0123)

Note: Order of rules doesn't matter

Regards,
AK