Are there limits when querying against the Message (msg) field?

Setup -
Sentinel 7.0.1 soft appliance
SNMP source generating SNMPv2 traps -> SNMP Connector in SNMPv2 mode ->
Generic Data Collector (application is not instrumented yet.....)

Sentinel is receiving data fine I can see it come in live in Control
Center and also see it in generic queries.
Search query against "(evt:SNMP)" finds the events.
Search query against "(msg:"Community: public")" finds the events.
Search query against "(msg:"Object ID: .1.3.6.1.4.1.13169")" finds
nothing but the EventSearch events for that query. The value string was
cut and pasted from the actual message field displayed in the SNMP
query above.
Search query against "(msg:13169)" finds nothing but the EventSearch
events for that query as well.

Here's an example message field as displayed when I search for
"evt:SNMP" as above and then show All:
SNMP V2 Trap PDU SNMP Version: Version 2C Remote Host: 172.27.1.156
Remote Port: 57756 Community: public Request ID: 1404862376 Timeout: 0
Retries: 0 Error Status: no error SNMP PDU Variable Bindings: Object ID:
.1.3.6.1.2.1.1.3.0 TIMETICKS: 0 hours, 0 minutes, 0 seconds. Object ID:
.1.3.6.1.6.3.1.1.4.1.0 OBJID: .1.3.6.1.6.3.1.1.5.1 Object ID:
.1.3.6.1.4.1.13169.1.2.2.16.0 INTEGER: 0 Object ID:
.1.3.6.1.4.1.13169.1.2.2.17.1.3 STRING: Object ID:
.1.3.6.1.4.1.13169.1.2.2.17.1.3 STRING: Object ID:
.1.3.6.1.4.1.13169.1.2.2.17.1.3 STRING: Object ID:
.1.3.6.1.4.1.13169.1.2.2.17.1.3 STRING:

Why can't I find the data querying against "later" data in the message
field?

Thanks,
Jim


--
dagerk