It's not exact but I did a similar exercise recently for a Citrix Netscaler trap where the event is 0x5b80007 and the interesting varbind is 1 instead of 2. Anyway, I copy that event off to new ones (0xfff00001, 0xfff00002, and 0xfff00003) that I want to trigger based on varbind contents, then modify the original event to not generate an alarm right away but rather do some event processing:
The first two events are my "unique" ones that match a certain regular expression and the last one is a default which is just the original event/alarm. Here's the rule for the first one:
Or if you just wanted to see the EventDisp:
0x5b80007 E 20 R { 1 } CA.EventCondition, "(regexp({v 1}, {S \"_lbvs\"}))" , "0xfff00001 1:1,2:2,1:76620","(regexp({v 1}, {S \"_gss\"}))" , "0xfff00002 1:1,2:2,1:76620","(default)" , "0xfff00003 1:1,2:2,1:76620"
0xfff00003 E 20 A 1,0x5b80007,1
0xfff00002 E 20 A 3,0xfff00002,1
0xfff00001 E 20 A 3,0xfff00001,1
I did something extra where I copied the value of my "interesting" varbind 1 to event variable 76620 because we wanted to see that as the alarm title and not the default "ENTITY DOWN":
I don't know what is in those varbinds from BIGIP to know if that would be helpful to you. Also, if we didn't want different probable cause text for the 01 and 02 events, they all could have used the original 0x5b80007 PCause that the default 03 event uses.
Hope this helps.
-Rob
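
Added example, not part of Rob's post and not CA Spectrum code: a small offline dry-run that parses the CA.EventCondition line quoted above and shows which event a given trap would be routed to. It assumes conditions are tried in the order written with the first match winning, that regexp() is an unanchored search, and that each `src:dst` pair copies a varbind to an event variable (as the post describes for 1:76620); the sample varbind values are constructed.

```python
import re

# The CA.EventCondition rule from the post, copied verbatim (one EventDisp line).
RULE = r'''0x5b80007 E 20 R { 1 } CA.EventCondition, "(regexp({v 1}, {S \"_lbvs\"}))" , "0xfff00001 1:1,2:2,1:76620","(regexp({v 1}, {S \"_gss\"}))" , "0xfff00002 1:1,2:2,1:76620","(default)" , "0xfff00003 1:1,2:2,1:76620"'''

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                   # double-quoted field, \" allowed inside
COND = re.compile(r'regexp\(\{v (\d+)\}, \{S \\"(.*?)\\"\}\)')  # regexp({v N}, {S \"pattern\"})

def parse_rule(line):
    """Return [(varbind_id, pattern, event, [(src, dst), ...])] in rule order.
    The "(default)" branch is returned with varbind_id and pattern set to None."""
    fields = QUOTED.findall(line)
    branches = []
    for cond, action in zip(fields[0::2], fields[1::2]):
        event, mapping = action.split()
        copies = [tuple(int(n) for n in pair.split(":")) for pair in mapping.split(",")]
        m = COND.search(cond)
        if m:
            branches.append((int(m.group(1)), m.group(2), event, copies))
        else:
            branches.append((None, None, event, copies))
    return branches

def route(varbinds, branches):
    """Assumed semantics: first matching branch wins; a None pattern always matches."""
    for var_id, pattern, event, copies in branches:
        if pattern is None or re.search(pattern, str(varbinds.get(var_id, ""))):
            # Copy source varbinds into the new event's variables (1 -> 76620 included).
            return event, {dst: varbinds[src] for src, dst in copies if src in varbinds}
    return None, {}

if __name__ == "__main__":
    branches = parse_rule(RULE)
    samples = [                      # constructed varbind sets, not real trap data
        {1: "web_lbvs_443", 2: "DOWN"},
        {1: "dc1_gss_site", 2: "DOWN"},
        {1: "plain_service", 2: "DOWN"},
        {1: "a_gss_b_lbvs", 2: "DOWN"},   # matches both patterns: first branch wins
    ]
    for vb in samples:
        event, new_vars = route(vb, branches)
        print(f"{vb[1]!r:18} -> {event}  title var 76620 = {new_vars.get(76620)!r}")
```

The last sample is the case to check before deploying a rule like this: a value that satisfies more than one pattern lands on whichever branch is listed first, so branch order decides which alarm fires.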