Did that - doesn't work. LOOKUP-hostdb = hostdb_lookup srcIP OUTPUTNEW deviceName ... View more

Ditto. Searches should be multi-threaded... ... View more

One last question? I'm looking at the doc, but it doesn't specify if the lookup should exist on the forwarder, or the indexer - any idea? I'm assuming indexer... ... View more

Thanks! I appreciate it. ... View more

Thanks. In theory, that would work. I guess my next question is how would I "call" that static lookup? ... View more

Awesome. Thanks. Just took the second reporting class and things are slowly clicking... ... View more

lost me on that - what is it doing? My search is: source="/var/opt/trapx/log/traps-all.log" | fields eventtype, host |chart count by eventtype, host |addcoltotals | addtotals fieldname=Totals Which works fine, but ignores "non-eventtypes". I want to include totals for these in my chart. ... View more

Thanks. Looks like the first one worked - second did not. ... View more

OK. Did that, and it returns other eventtypes as well, which I didn't create (possibly system eventtypes?). It also returns "nix-all-logs" eventtypes. ... View more

Not sure what a pastebin is, but I did a copy/paste of some of the log data. Trap: 24910058 Thu Feb 9 02:01:11 2012 Src IP: 12.3.4.5 Agent IP: 1.2.3.4 Trap Type: Vendor Specific Specific Type: 1 Enterprise: 1.3.6.1.4.1.9.9.43.2 Object:1.3.6.1.4.1.9.9.43.1.1.6.1.3.3997 Value:1 Object:1.3.6.1.4.1.9.9.43.1.1.6.1.4.3997 Value:4 Object:1.3.6.1.4.1.9.9.43.1.1.6.1.5.3997 Value:6 Trap: 24910059 Thu Feb 9 02:01:11 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Vendor Specific Specific Type: 1 Enterprise: 1.3.6.1.4.1.9.9.41.2 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.2.0 Value:PAGP Object:1.3.6.1.4.1.9.9.41.1.2.3.1.3.0 Value:6 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.4.0 Value:PAGP Object:1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 Value:2012 Feb 09 02:01:11 eastern -05:00 %PAGP-5-PORTTOSTP:Port 2/17 joined bridge port 2/17 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.6.0 Value:279122402 Trap: 24910060 Thu Feb 9 02:01:12 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Vendor Specific Specific Type: 1 Enterprise: 1.3.6.1.4.1.9.9.41.2 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.2.61328708 Value:PIM Object:1.3.6.1.4.1.9.9.41.1.2.3.1.3.61328708 Value:5 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.4.61328708 Value:INVALID_SRC_REG Object:1.3.6.1.4.1.9.9.41.1.2.3.1.5.61328708 Value:Received Register from 1.2.3.4 for (1.2.3.4, 2.3.4.5), not willing to be RP Object:1.3.6.1.4.1.9.9.41.1.2.3.1.6.61328708 Value:468d 06:45:54 ... View more

I tried the latest change and I'm still getting the same thing (bounced the app). I keep trying to upload the image, but it doesn't get added. Here's the text from the "pull-out" window for the trapType field. It's taking the information after the Trap Type: value, but it should stop at the end of that line, and it's not. Authenticatio....6.1.4.1.3224 4,629 9.719% Authenticatio....4.1.2021.251 1,440 3.023% Authenticatio...e:10.47.89.25 1,060 2.226% Authentication...e:10.93.65.11 788 1.654% Authentication...4.1.564.101.1 500 1.05% Authentication...10.165.27.145 480 1.008% Authentication...e:10.47.89.25 444 0.932% Authenticatio...1.8072.3.2.255 392 0.823% Vendor Specif...1.4.1.3375.2.4 382 0.802% Vendor Specif...1.4.1.3375.2.4 ... View more

Yes, it's a multiline event. I've attached a screenshot of what happens. ... View more

That did it! Thanks! ... View more

OK. I'll try that. Thanks! ... View more

I'm using the universal forwarder. So, the props.conf needs to go on the index server? ... View more

Yeah, restarted the forwarder, and the results are below. Wed Feb 8 23:10:18 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Authentication Failure Specific Type: 0 Enterprise: 1.3.6.1.6.3.1.1.5 Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4 Trap: 24780942 ... View more

Thanks. That almost works. It's putting the "Trap:" from the next event at the bottom of the previous event. The "Trap:" is the start of the event, and I want to include it. Any way to do that? ... View more