Given the following in the log line: 2020-02-12T05:01:47.606728-08:00 5n-2-esx-mgmt 32231: 032195: Feb 12 05:01:46.600 pst: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/18 (64), with 5n-1-esx.corp.alleninstitute.org GigabitEthernet2/0/42 (60).
And the following sec.conf stanza: type=SingleWithSuppress ptype=regexp pattern=T(\d\d:\d\d:\d\d).*? (.*?) .*%CDP-4-NATIVE_VLAN_MISMATCH: (.*) desc=Native VLAN mismatch reported on $1 action=write /home/tocops/.tocpipe ops $1 $2 $3 window=3600 I would have predicted that the 'action' would be performed once/hour (given a steady stream of these messages, which is what I am seeing) In fact, the action does not get performed In contrast, the following snippet does result in the action being execute (although the suppression window isn't honored) type=singleWithSuppress ptype=regexp pattern=T(\d\d:\d\d:\d\d).*? (.*?) .*%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\) desc=Native VLAN mistmatch reported between $1 interface $2 (native VLAN $3) and host $4 interface $5 (native VLAN $6) action=write /home/tocops/.tocpipe ops $1 $2 Native VLAN Mismatch on interface $3 (native VLAN $4) and $5 interface $6 (native VLAN $7) window=3600 Is there some aspect of pattern matching on ".*" that I am not understanding? --sk
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
