Raw events are passed to NOTIF through adapters after being normalized into a common structure. This structure provides the required basic event information and additional data used for further processing. The format of the data stream is a pipe-separated ("|") string as shown below:

         <
         eventTimeStamp
         >|<
         eventAgent
         >|<
         eventBaseID
         >|<
         eventSub1ID
         >|<
         eventSub2ID
         
         >|<
         Keyword1
         |
         Value1
         >|
         
         <
         Keyword2
         |
         Value2
         >.....
      

The pipe-separated data stream includes the following information:

  • eventTimeStamp — Event occurrence time in UNIX time format; seconds since the Epoch

  • eventAgent — Agent name or IP address

  • eventBaseID — dot-separated hierarchical identifier string (abc.123.XYZ….)

  • (for example, enterprise for SNMP)

  • eventSub1ID — General identifier (generic trap number for SNMP)

  • eventSub2ID — Specific identifier (specific trap number for SNMP)

  • Keyword1|Value1 — Keyword|value pair (OID1|value for SNMP)

  • Keyword2|Value2 — Keyword|value pair (OID2|value for SNMP)

    The eventBaseID, eventSub1ID, and eventSub2ID parameters are used as the unique event identifiers to match with ECI objects. The number of Keyword|Value pairs is variable. Event IDs may use all three fields, the first two, or only the eventBaseID; it depends on the raw events being processed.

    For specific adapters, the adapter documentation provides details to obtain information on the composition of the ID strings and the Keyword|Value pair mapping.

    Note:

    NOTIF replaces pipe character ("|") in field.(varbind) by double dashes ("--") to process the raw event.