Scott,
I see a couple of things.
First of all, I'd replace the '==' with a comma. ','
Next, it looks like there's a missing quotation mark in each line
following your filter statement (just after the closing curly bracket).
Next, do you want each of the matched strings to use the same new event
code of 0xfffff009? If so, then that part seems OK; you'll then need
another statement in your EventDisp file that tells Spectrum how to
handle the 0xfffff009 event.
Also, if those are the only five pattern matches that you want, you'll
need another entry that tells Spectrum what to do with the events that
DON'T meet any of the patterns in the list; another event (say,
fffff008?) that may or may not log the event, generate a different
alarm, etc.
I'm going to assume that the last line in your example is the one
containing the match for SNI_BD. If that's the final line, here's how
it should look (note the yellow-highlighted closing quotation mark
missing, too):
"{ v 5 } , { S \"SNI-BD\" }", "0xfffff009 -:-", "default",
"0xfffff008 -:-"
Also, there should be no backwards slash following the last line in the
event rule.
The above line tells Spectrum to send all traps that do not contain any
pattern matches to create another event 0xfffff008. For this event, you
may only want to log the events, so you'd add the next line to your
EventDisp file:
0xfffff008 E 50
Andrea's solution may also work (i.e., stringing the patterns together,
separated with the pipe symbol |); I've never tried it that way before.
Let us know how it works out for you!
Cheers,
Cliff
From: Casebere, Scott [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2008 4:50 PM
To: spectrum
Subject: [spectrum] Events being filtered by matching Varbinds?
Does anyone have an EventDisp file that I can reference for the correct
syntax to filter events by matching a varbind string? We have one system
sending thousands of traps and I would like to only show about 10 of the
possible alarms by matching the card type in varbind 5. I figured if I
could match the alarm type (maj,min,info) with the matching string (card
type) listed in v5 I would be good but I can not get the alarm to filter
correctly. I can't find an example of this being done anywhere. My last
failed attempt looked like this:
0xfffff001 R Aprisma.EventCondition, \
"{ v 5 } == { S \"FIBER-LK\" }, "0xfffff009 -:-", \
"{ v 5 } == { S \"EXP-INTF\" }, "0xfffff009 -:-", \
"{ v 5 } == { S \"IPMEDPRO\" }, "0xfffff009 -:-", \
"{ v 5 } == { S \"SYS-LINK\" }, "0xfffff009 -:-", \
"{ v 5 } == { S \"SNI-BD\" }, "0xfffff009 -:-", \
Thanks for any help.
Thanks,
Scott
* --To unsubscribe from spectrum, send email to [EMAIL PROTECTED]
with the body: unsubscribe spectrum [EMAIL PROTECTED]
---------------------------------------------------------------------------------------------------------
This e-mail message may contain privileged and/or confidential information, and
is intended to be received only by persons entitled to receive such
information. If you have received this e-mail in error, please notify the
sender immediately. Please delete it and all attachments from any servers, hard
drives or any other media. Other use of this e-mail by you is strictly
prohibited.
All e-mails and attachments sent and received are subject to monitoring,
reading and archival by Monsanto, including its subsidiaries. The recipient of
this e-mail is solely responsible for checking for the presence of "Viruses" or
other "Malware". Monsanto, along with its subsidiaries, accepts no liability
for any damage caused by any such code transmitted by or accompanying this
e-mail or any attachment.
---------------------------------------------------------------------------------------------------------
---
To unsubscribe from spectrum, send email to [EMAIL PROTECTED] with the body:
unsubscribe spectrum [EMAIL PROTECTED]
