Thanks Joseph.

Joe, I'm revisiting this - still having difficulty with this. I found the exact OID, but it's not triggering. I've tried a dozen variations on this config to no avail. Here is the config I currently have deployed. The counter associated with this OID is definitely incrementing, but the syslog action is not triggering. Thoughts?

event manager applet monitor-copp-drops1

event snmp oid 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 get-type exact entry-op ge entry-val "0" entry-type increment poll-interval 10

action 1.0 syslog msg "CoPP drops has exceeded threshold for SNMP Class1"

If you do a manual snmpget on 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 from an external host, what do you get?  If this is successful, do you see the value incrementing each time you poll it?

Yes to both:

SnmpGet.exe xxx -o:.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641

SnmpGet v1.01 - Copyright (C) 2009 SnmpSoft Company

[ More useful network tools on http://www.snmpsoft.com ]

OID=.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641

Type=Counter32

Value=2896005

SnmpGet.exe xxx -o:.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641

SnmpGet v1.01 - Copyright (C) 2009 SnmpSoft Company

[ More useful network tools on http://www.snmpsoft.com ]

OID=.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641

Type=Counter32

Value=2896475

If you do "show event manager history event" do you see the policy executing?

It does:

#show event manager history events

Load for five secs: 13%/3%; one minute: 8%; five minutes: 8%

Time source is NTP, 14:34:11.726 CDT Fri Jun 28 2013

No.  Job Id      Status   Time of Event             Event Type          Name

1    563982      success  Fri Jun28  14:32:34 2013  snmp                applet: monitor-copp-drops1

2    563983      success  Fri Jun28  14:32:44 2013  snmp                applet: monitor-copp-drops1

3    563984      success  Fri Jun28  14:32:54 2013  snmp                applet: monitor-copp-drops1

4    563985      success  Fri Jun28  14:33:04 2013  snmp                applet: monitor-copp-drops1

5    563986      success  Fri Jun28  14:33:14 2013  snmp                applet: monitor-copp-drops1

6    563987      success  Fri Jun28  14:33:24 2013  snmp                applet: monitor-copp-drops1

7    563988      success  Fri Jun28  14:33:34 2013  snmp                applet: monitor-copp-drops1

8    563989      success  Fri Jun28  14:33:44 2013  snmp                applet: monitor-copp-drops1

9    563990      success  Fri Jun28  14:33:54 2013  snmp                applet: monitor-copp-drops1

10   563991      success  Fri Jun28  14:34:04 2013  snmp                applet: monitor-copp-drops1

That was it. Thanks Joe!

Can you verify my logic please?

This applet monitors the specific given OID. When the class-map drops an average of 1000 bytes per minute over a 1 minute period, a message will be sent to syslog. Is this correct, and is this the most effective way to accomplish something like this?

event snmp oid 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 get-type exact entry-op gt entry-val "1000" entry-type rate average-factor 1 poll-interval 60

That's correct.  Your applet will do what you say.  This is a rather efficient way to do this.  The other option would be to use a timer event and parse the output of the show policy-map command.  This would require more logic on your side, though.

Thanks Joe. Your expertise is always appreciated. Have a great Fourth!