Smarts Notif adapter: How do you parse a trap using Smarts API: $extract :
search cancel

Smarts Notif adapter: How do you parse a trap using Smarts API: $extract :

book

Article ID: 331755

calendar_today

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


This article shows us how you could use the $extract  function in the Smarts SAM Notif adapter.

We need to be able to parse e-mail text for specific content:

How do you extra this text from a SMTP email? This would be the text extracted between these two words. " mexxx.com.mail> " And " uplink." on the following SMTP trap/text.

NOTE:( the below has been edited for privacy)

extra==__mimepart__56448f009eceb__5e2a453b3f4275219d5_20Date_:_20Thu,_2012_ 20Nov_202015_2005_:07_:12_20-0800_20Content-Type_:_20text/plain;_20charsetUTF-8_20_20Content-Transfer-Encoding_:_207bit_20Content-Disposition_:_20inline_20Content-ID_:_20<56448f00a10bb__5e2a453b3f4275220ee@sdg169 EmailSubject:Alert for HFD-MX60W-01 - Uplink status changed -- Email Body:----==_mimepart_56448f009eceb_5e2a453b3f4275219d5 Date: Thu, 12 Nov 2015 05:07:12 -0800 Content-Type: text/plain; charsetUTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline Content-ID: <[email protected]> The security appliance in the HFD-xxx-01 network switched to using its primary uplink, configured to be uplink Internet 1, after a period in which the link was unavailable. There has been a total of 1 failover event detected: At 08:06 AM EST on Nov 12, the security appliance switched to using Internet 1 as its uplink. See the alerting security appliance at https://n74.mexxx.com/HFD-MX60W-01/...age/nodes/show- Cisco Meraki This email was automatically generated; please do not reply. You can change your alert delivery settings athttps://n74.meraki.com/HFD-MX60W-01/...nfigure/alerts ----==_mimepart_56448f009eceb_5e2a453b3f4275219d5 Date: Thu, 12 Nov 2015 05:07:12 -0800 Content-Type: text/html; charsetUTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline Content-ID: <[email protected]> <meta http-equivContent-Type contenttext/html; charset=utf-8 ><img srchttps://dashboard.mexxx.com/images/cisco-meraki.png border0 stylewidth:175px altCisco Systems, Inc. ><!-- </img> --><br><br> <p> The security appliance in the <a stylecolor: #1d770b; hrefhttps://n74.mexxx.com/HFD-MX60W-01/n/Tiu40ckb/manage/nodes/list >HFD-MX60W-01</a> network switched to using its primary uplink, configured to be uplink Internet 1, after a period in which the link was unavailable. </p> There has been 1 failover event detected:<br><br> At 08:06 AM EST on Nov 12, the security appliance switched to using Internet 1 as its uplink. <br> <br> <p> - Cisco Mexxx </p> <br> <br> <br> <p> This email was automatically generated; please do not reply.<br> You can change the <a stylecolor: #1d770b; hrefhttps://n74.mexxx.com/HFD-MX60W-01/n/Tiu40ckb/manage/configure/alerts >alert delivery settings</a> for this network. </p> ----==_mimepart_56448f009eceb_5e2a453b3f4275219d5-

Environment

VMware Smart Assurance - SMARTS

Cause

How do you use a nested variable to parse a SMTP trap.

The nested Variable we used was, and we used the Variables "message" and  not the variable "V1":
$substr(text, pos, length)$

NOTE: for more complete instructions see the bottom of page 99 of the below guide:
https://support.emc.com/docu9371_Ion...language=en_US

Resolution


In the Smarts user interface, set the EventText  as below:
EventText = $extract(extract(message,"meraki.com.mail> ", 2),"its uplink." ,1)$

Note: To test this, you can send this command:
Then using sm_snmp command I sent the below trap with varbind V1 having the string that cutsomer wants to extract.

./sm_snmp --dest=localhost --port=8130 trap 192.168.1.4 .1.3.6.1.4.1.555 6 888 1450338233 .1.3.6.1.4.1.555.2.2.2 s "<[email protected]> The security appliance in the HFD-MX60W-01 network switched to using its primary uplink, configured to be uplink Internet 1, after a period in which the link was unavailable. There has been a total of 1 failover event detected: At 08:06 AM EST on Nov 12, the security appliance switched to using Internet 1 as its uplink."