Hello,
I have an SNMPv3 Trap set up on my host with triggers for higher severity traps. The problem is, my host is a Broadworks PBX switch with >4000 subscribers and it sends a very large number of SNMP traps, so when my trigger expression is met, the operational data on the problem gets quickly overwritten by new traps that arrive. The problem name doesn't get overwritten, but the operational data does.
The trap text is fairly custom and usually quite verbose (additionally, it does SNMP on port 8001 rather than the standard 161/162), so I have some dependent items to be able to do value mapping for some of the fields and for easier trigger configuration:
We'll focus on the trap.alarmName, snmptrap.fallback, and trap.severity. Here's the fallback setup:

trap.alarmName setup:
and the trap.severity setup

And then here's the trigger expression:
And here's an example. The alarm type bwSipServiceUnavailableReceived came through at 12:42pm local time and has a severity of 3, but it's being overwritten by a trap sent at 1:23pm local time with the alarm name bwSipMaxRetriesExceeded and severity of 1 (which doesn't trigger an alert).
Is it possible to make it so that operational data doesn't get overwritten?
And since I'm on the subject, partially, is there any way to throw away certain trap data based on regex before it gets past the "fallback" step? That might solve my problem, since we get ~2000 traps every hour, most of them low or informational severity. I would still like the operational data to not be overwritten, if possible.