Alert trigger action message displayed - shorten syslog message with SWQL

Hi all, I have defined an alert to trigger when Cisco interfaces change status to err-disable.

The problem is the alert message is quite lengthy:

CISCO-SYSLOG-MIB:clogMessageGenerated : sysUpTime = 316 days 16 hours 50 minutes 27.35 seconds, clogHistFacility.31909 = PM, clogHistSeverity.31909 = 5, clogHistMsgName.31909 = ERR_DISABLE, clogHistMsgText.31909 = psecure-violation error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state, clogHistTimestamp.31909 = 2736302734

I have tried a variety of combinations with SQL & SWQL, but can't work out how to only filter the above to only display the message:

psecure-violation error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state

Any help is appreciated.

Find more posts tagged with

Alert

sql

sqwl

sql query

Accepted answers

t_amc

For anyone interested, this was resolved within the Alert > Trigger Action > Message displayed when this alert is triggered:

${N=SWQL;M=SELECT SUBSTRING ('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}',
CHARINDEX ('clogHistMsgText', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')+24,
CHARINDEX (', clogHistTimestamp', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')
- CHARINDEX ('clogHistMsgText', '${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')-24)
AS Message
FROM Orion.Nodes n}

Alert triggered message:

psecure-violation error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state

All comments

t_amc

For anyone interested, this was resolved within the Alert > Trigger Action > Message displayed when this alert is triggered:

Alert triggered message:

psecure-violation error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state