OK, so I was trying to do too many things at one time yesterday... Everything below works just fine.
When I set up the rule to try and test this for Greg, I used the same rule I am currently using for a script for Eilz, and it was unchecked because I always test my scripts in an unchecked rule so they don't impact my actual logs.
Apologies to Brandon and Jiri for crying wolf, the version number thing is real though...
Greg, if you'll send me the information for the rule you are having problems with, I will try to help you.
I've been doing some testing today on 9.3.4 (which shows that I am still running 9.3.2 but says there are no further updates) and I have realized that the reason my SNMP Traps are showing up in my display is because it's the last display and it's unfiltered. Everything else has been put somewhere else by the time it gets to that point.
So... I created a rule at the top to do some testing and here is what I came up with:
- I am unable to filter my SNMP traps by IP address range.
- I am unable to filter by hostname either.
- I am unable to filter anything by input source, even checking every input source results in no traffic passing to the display.
- Filtering by message text is not working either. I tried message text filter of "community=public" and that did not work.
After trying all of that, I went back to my default unfiltered catch-all at the bottom to see if I could script something. Just an e-mail sending me VarCleanMessageText to see if it would work. I also set up the e-mail action to e-mail me as well to see if I got either e-mail. The result was that I received both, so while you can't filter by the message, it is actually stored in both VarCleanMessageText and %MsgText.
I'm going to see if I can bring this to bshopp's attention...
Message was edited by: Acy Forsythe