LM API: !: and !~ filter operators silently broken on AuditLogList and AlertList

[rdmarsh]

Summary

The !: (not-equals) and !~ (not-contains) filter operators are silently broken on at least two endpoints: AuditLogList and AlertList. The API returns results that should be excluded — no error, just wrong data.

Reproduction

# Returns records WHERE username IS the specified value — filter is ignored
elm AuditLogList -F 'username!:acmeuser' -s 3

# Expected: records where username is NOT acmeuser
# Actual: records where username IS acmeuser (or all records, filter silently dropped)

elm sends the correct URL-encoded filter:

filter=username!:%22acmeuser%22

Evidence that elm is correct

Positive operators work as expected on the same fields:

# Works correctly — returns only records for that username
elm AuditLogList -F 'username:acmeuser' -s 3

# Works correctly — excludes by ip
elm AuditLogList -F 'ip!:1.2.3.4' -s 3

!: also works correctly on DeviceList:

# Works correctly
elm DeviceList -F 'hostStatus!:dead' -s 3

The bug is field- and endpoint-specific on the LM API side.

Affected endpoints / fields

Endpoint	Field	Operator	Status
AuditLogList	username	!:	Broken — filter ignored
AuditLogList	ip	!:	Works
AlertList	cleared	!:	Broken — filter ignored
DeviceList	hostStatus	!:	Works
DeviceList	displayName	!:	Works

Workaround

Use a positive operator and filter client-side with jq:

elm AuditLogList -s 100 --format json | jq '.[] | select(.username != "acmeuser")'

Impact

Cannot exclude specific users, alert types, or cleared alerts server-side. Forces client-side post-filtering on large result sets, which is slower and requires -s tuning.

Environment

• elm version: 1.7.9
• LM REST API v2
• Filter encoding confirmed correct via --format api output