Regex for traps in Log Analyzer

I'm trying to match on the following pattern in traps in Log Analyzer. Can't get anything to work with regex. The LA rule config refers me to "C# Regular Expression reference" which is not found on the support site. This works on regex101.com: cerent454AlarmState\..{1,8}\.5880 = 40 when I copy the pattern directly out of Log Viewer, but it does not work in the rule config.

The pattern appears as this in Log Viewer:

cerent454AlarmState.67129367.5880 (1.3.6.1.4.1.3607.6.10.20.30.20.1.80.67129367.5880)
40
The section represented with the number 67129367 can be 4 to 8 digits long.
I also need to match the 40 (which means clear) in one rule and everything except 40 in another rule.
So that cerent454AlarmState.67129367.5880 = 40 assigns a "clear" tag.
Anything other than 40 assigns a different tag.
I can match the pattern explicitly with this rule:
Varbind element with Name: cerent454AlarmState.67129367.5880
Is equal to: 40
(or is not equal to: 40)
Any help is appreciated.
Thanks.
  • I could get it working by setting two "Message" conditions:

    I just changed {1,8} to {4,8} since you write that it can be 4 to 8 digits long.
    Also note that there is a space between "=" and "40".

    Using Message Contains would trigger this rule when the value would be 401, and surprisingly it also happens when Message Matches Regex ".*= 40".

    Non-clear rule uses Message Doesn't End With = 40.

    However, this has limitations depending on what your traps look like. If they use more varbinds and your OID one is not the last one, then this might not work - with more varbinds, both clear and non-clear rules could be triggered.

    There could be one more possibility:

    Clear condition - put both conditions into one regex as you suggested ".*cerent454AlarmState\..{4,8}\.5880 = 40", but it would trigger also for = 40xxx.
    Non-clear condition would be:

    This seems to work reliably even when there are more varbinds, but I don't know why it didn't work for you.
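
The two failure modes discussed above (a value of 401 satisfying the "= 40" rule, and both rules firing when the trap carries more varbinds) can be checked offline before pasting a pattern into the rule config. This is an added example, not part of the original posts and not Log Analyzer's own code; it uses Python only as a test bench, and the constructs used (`\d`, `{4,8}`, negative lookahead) are also supported by .NET regular expressions. Assumptions: each varbind is rendered as `name = value` as in the posts, varbinds are separated by `, `, and the `exampleVarbind` names and all sample messages are constructed.

```python
import re

# Varbind name from the post: the middle section is 4 to 8 digits long.
OID = r"cerent454AlarmState\.\d{4,8}\.5880"

# Clear rule: value is exactly 40. (?!\d) rejects 401, 4000, and so on.
CLEAR = re.compile(OID + r" = 40(?!\d)")

# Non-clear rule: the same varbind with any numeric value except exactly 40.
# The lookahead is tied to this varbind, so other varbinds cannot trigger it.
NON_CLEAR = re.compile(OID + r" = (?!40(?!\d))\d+")

RULES = {"clear": CLEAR, "non-clear": NON_CLEAR}


def fired(message):
    """Return the set of rule names whose pattern is found in the message."""
    return {name for name, rx in RULES.items() if rx.search(message)}


# Constructed sample messages (the "name = value, name = value" layout is assumed).
SAMPLES = [
    "cerent454AlarmState.67129367.5880 = 40",
    "cerent454AlarmState.67129367.5880 = 401",
    "cerent454AlarmState.1234.5880 = 20",
    # Target varbind is not the last one, so an "ends with" test would miss it.
    "cerent454AlarmState.67129367.5880 = 40, exampleVarbindB = 17",
    # Another varbind carries 40 while the alarm state itself is not clear.
    "exampleVarbindA = 40, cerent454AlarmState.67129367.5880 = 20",
    # Middle section too short (3 digits): neither rule applies.
    "cerent454AlarmState.123.5880 = 40",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(sorted(fired(msg)), "<-", msg)
```

For every sample at most one rule fires, which is the property to confirm against real trap messages copied from Log Viewer.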