Hi
I have created the rule below in order to capture the event message when an AP disassociates and generate an alert based on the trap message below.
Trap Message in EventLog
AIRESPACE-WIRELESS-MIB::bsnAPDisassociated {"DISMAN-EVENT-MIB::sysUpTimeInstance":"....","AIRESPACE-WIRELESS-MIB::bsnAPMacAddrTrapVariable.0":"*****:0","AIRESPACE-WIRELESS-MIB::bsnAPName.'…'.":"ap_name"}
Alert Rule:
eventlog.type = "trap" AND eventlog.message REGEXP ".*AIRESPACE-WIRELESS-MIB::bsnAPDisassociated.*" AND eventlog.datetime >= macros.past_5m
I want the alert to match the above message and display the ap_name and the timestamp of this event.
But the alert that is getting created has event_id in the details. What is required is the ap_name and the timestamp. Is there a way to achieve the same?
Regards
Vatansha
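As an added example (not part of the original post), the following Python pulls the AP name out of the trap text quoted above and pairs it with the eventlog timestamp, which is what an alert template or transport would have to do to show those two values instead of the event_id. The sample message, its uptime, MAC and instance index values, and the datetime string are constructed placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample of the bsnAPDisassociated trap as stored in the eventlog
# message column; uptime, MAC and the bsnAPName index are placeholder values.
SAMPLE_MESSAGE = (
    "AIRESPACE-WIRELESS-MIB::bsnAPDisassociated "
    '{"DISMAN-EVENT-MIB::sysUpTimeInstance":"123456",'
    '"AIRESPACE-WIRELESS-MIB::bsnAPMacAddrTrapVariable.0":"0:11:22:33:44:55:0",'
    '"AIRESPACE-WIRELESS-MIB::bsnAPName.\'1.2.3\'.":"ap_name"}'
)

# Same intent as the alert rule's REGEXP clause: unanchored match on the trap name.
TRAP_PATTERN = re.compile(r".*AIRESPACE-WIRELESS-MIB::bsnAPDisassociated.*")
# One varbind of the form "<OID name>":"<value>" (values contain no escaped quotes).
VARBIND_PATTERN = re.compile(r'"([^"]+)":"([^"]*)"')
AP_NAME_PREFIX = "AIRESPACE-WIRELESS-MIB::bsnAPName"


def parse_trap(message: str) -> Dict[str, str]:
    """Split the trap text into its name and a flat {oid_name: value} map."""
    trap_name, _, varbinds = message.partition(" ")
    fields = {"trap": trap_name}
    for oid, value in VARBIND_PATTERN.findall(varbinds):
        # bsnAPName carries the AP's instance index after the OID name, so match
        # on the prefix and store the value under a stable key.
        if oid.startswith(AP_NAME_PREFIX):
            fields["ap_name"] = value
        else:
            fields[oid] = value
    return fields


def summarize(message: str, datetime_str: str) -> Optional[str]:
    """Return the line the alert should show (AP name plus event time), or None
    when the message is not a bsnAPDisassociated trap."""
    if not TRAP_PATTERN.search(message):
        return None
    ap_name = parse_trap(message).get("ap_name", "<unknown AP>")
    return f"AP {ap_name} disassociated at {datetime_str}"


if __name__ == "__main__":
    # Constructed timestamp standing in for eventlog.datetime.
    print(summarize(SAMPLE_MESSAGE, "2024-01-01 12:00:00"))
```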