This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Specific string from a trap in alert message

Hello, hope you can help. I am receiving the below trap

JUNIPER-IDP-MIB:jnxIdpSessionCountNotify : sysUpTime = 110 days 18 hours 35 minutes 56.86 seconds, jnxSyslogEventName.2535 = ESWD_MAC_LIMIT_DROP, jnxSyslogTimestamp.2535 = 17/02/2023 08:59:44, jnxSyslogSeverity.2535 = 2, jnxSyslogFacility.2535 = 4, jnxSyslogProcessId.2535 = 1364, jnxSyslogProcessName.2535 = eswd, jnxSyslogHostName.2535 = SWITCHNAME, jnxSyslogMessage.2535 = ESWD_MAC_LIMIT_DROP: MAC limit (1) exceeded at ge-2/0/18.0: dropping the packet from src a0:4c:fd:e7:d1:fc, snmpTrapEnterprise = JUNIPER-CHASSIS-DEFINES-MIB:jnxProductNameEX3300

How to put "MAC limit (1) exceeded at ge-2/0/18.0: dropping the packet from src a0:4c:fd:e7:d1:fc" in the alert body only?

Tried these two options but none is working as expected:

${N=SWQL;M=SELECT SUBSTRING('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}',
CHARINDEX('jnxSyslogMessage.2535 = ',)}
${SQL: SELECT SUBSTRING(${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage},CHARINDEX('jnxSyslogMessage.2535 = ', 45)}

E-mail alert returns this:

${N=SWQL;M=SELECT SUBSTRING('JUNIPER-IDP-MIB:jnxIdpSessionCountNotify : sysUpTime = 173 days 22 hours 35 minutes 49.45 seconds, jnxSyslogEventName.5795 = ESWD_MAC_LIMIT_DROP, jnxSyslogTimestamp.5795 = 17/02/2023 13:46:11, jnxSyslogSeverity.5795 = 2, jnxSyslogFacility.5795 = 4, jnxSyslogProcessId.5795 = 1355, jnxSyslogProcessName.5795 = eswd, jnxSyslogHostName.5795 = SQITCHNAME, jnxSyslogMessage.5795 = ESWD_MAC_LIMIT_DROP: MAC limit (2) exceeded at ge-4/0/44.0: dropping the packet from src 7c:57:58:66:b9:ad, snmpTrapEnterprise = JUNIPER-CHASSIS-DEFINES-MIB:jnxProductNameEX3300',
CHARINDEX('jnxSyslogMessage.2535 = ',)}
MACRO SQL ERROR - Incorrect syntax near 'MIB:'.
The label 'MIB' has already been declared. Label names must be unique within a query batch or stored procedure.

Parents Reply Children
No Data