I receive some port up and down events from my switches.
I have parsed the switch port from the event to the custom type "device_port".
I have built a correlation which shall trigger if these events occur a few times.
Is it possible that the device_port is displayed in the correlation event?
So that I am able to build a mail alarm which triggers on the Signature ID from the correlation event and displays the device port in the mail?
You mean at the correlated event "HA- Switch Port blocked or offline or online"? Aggregation fields Source IP & Device Port?
Would be nice if it would work, but how shall it aggregate for the Device Port if it does not know the device port? As you see in the picture, the field is empty :/
Nevertheless it is not possible to aggregate for the device port.
Old post, but here's an idea anyway: Leave the correlation rule alone, then create your alarm to fire based on that rule. In the alarm template create a [REPEAT] section if necessary, but most importantly create a [SOURCE_EVENT] section. Make sure Device_Port is between the START and END of the Source Event section.
Using your screenshot above as an example: as a result you'll have 4 source event entries in your alarm; one of them will be blank (that'll be the one without a port) and the other three will show the port. You'll have duplicate information, but at least you'll have the information.
Unfortunately it seems correlation rules take the most recent event and use it as the placeholder. Without the Source Event section in your alarm the only information you'll ever see is what the correlation rule shows in the GUI.