2014-02-06 andrewarnier <[email protected]>:

> Hi restro,
>
> The rule input from my test log, command as follows,
>
> perl /usr/local/sbin/sec.pl -conf=device_sec.cfg --input /home/andrew/snmptttest.log
>
> type=SingleWithThreshold
> ptype=regexp
> pattern=(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at (.+)/(.+) on VLAN (\d+)
> desc=A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds
> action = pipe ' $1 A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds at %t' /bin/mail -s "A Spanning Tree Topology Change flapping flapping event" [email protected]
> thresh=2
> window=5
>
have a closer look at your example events and your regular expression:

> but when insert two record as follows to my log
>
> Wed Feb 5 14:0240 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco-7609P - A Spanning Tree Topology Change at Gi2/17 on VLAN 2782

in the case of this event, your variables are set as follows:

$4 = cisco-7609P
$6 = Gi2
$7 = 17
$8 = 2782

> Wed Feb 5 14:02:41 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco -7609P - A Spanning Tree Topology Change at Gi2/17 on VLAN 2782

however, in the case of this event, your variables are set as follows:

$4 = -7609P
$6 = Gi2
$7 = 17
$8 = 2782

> I have include them in the 'desc' field. But I still receive two A Spanning Tree Topology Change flapping flapping event mail,
> Can you give me some advice on what to do please?

In the case your events were artificial test events, you need to check them for typos. However, if in your environment device names can indeed contain whitespace, you would need to match them by looking at the surrounding characters.

regards,
risto

>
> Andrew
>

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
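
An added illustration of the reply above, not code from the thread or from SEC: it runs the rule's pattern over the two quoted events to show which fields end up in `desc`, next to a pattern that anchors the device name on its surrounding characters. Python's `re` gives the same captures as Perl for these patterns; the `ANCHORED` pattern and all helper names are assumptions made for this example.

```python
import re

# The rule's original pattern, copied from the message above.
ORIGINAL = re.compile(
    r'(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at '
    r'(.+)/(.+) on VLAN (\d+)')

# Hypothetical replacement (an assumption, not from the thread): anchor the
# device name between the quoted category and the " - A Spanning" separator,
# so a name containing whitespace is captured whole.
ANCHORED = re.compile(
    r'"[^"]*" (?P<device>.+?) - A Spanning Tree Topology Change at '
    r'(?P<mod>[^/\s]+)/(?P<port>\S+) on VLAN (?P<vlan>\d+)')

# The two test events quoted in the message above.
EVENTS = [
    'Wed Feb 5 14:0240 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco-7609P - '
    'A Spanning Tree Topology Change at Gi2/17 on VLAN 2782',
    'Wed Feb 5 14:02:41 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco -7609P - '
    'A Spanning Tree Topology Change at Gi2/17 on VLAN 2782',
]

def original_key(line):
    """Return the ($4, $6, $7, $8) tuple that the rule's desc is built from."""
    m = ORIGINAL.search(line)
    return m.group(4, 6, 7, 8) if m else None

def anchored_key(line):
    """Return the same fields as captured by the anchored pattern."""
    m = ANCHORED.search(line)
    return m.group('device', 'mod', 'port', 'vlan') if m else None

def count_by_key(lines, keyfunc):
    """Count events per key; thresh= is counted separately per distinct desc."""
    counts = {}
    for line in lines:
        key = keyfunc(line)
        if key is not None:
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == '__main__':
    for name, fn in (('original', original_key), ('anchored', anchored_key)):
        print(name, count_by_key(EVENTS, fn))
```

With either pattern the two events produce different keys, so they are counted separately; the anchored pattern only ensures that a device name containing whitespace is captured in full rather than as its last fragment.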
