I realize this is an older thread, but in case anyone is interested, here's how we've been able to extract the host as a trap varbind:
If you set up an alert on a saved search, a results file containing the raw event data is passed as an argument along with the alert. The file format is gzipped CSV and contains the host, source and raw event text.
We created a Perl script that runs after the saved search finds a match, unzips the file and then places host, source and raw into an array. When we send the trap we use the OS sendtrap command and designate one of the trap varbinds as the extracted hostname.
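The flow described in the post above, as an added example (not the poster's script, and in Python rather than their Perl): it reads the gzipped CSV results file and builds the trap command as an argument list, so event text is never parsed by a shell. Assumptions: the column names `host`, `source` and `_raw`, Net-SNMP's `snmptrap` standing in for the poster's sendtrap command, and placeholder OIDs, manager address and community string.

```python
import csv
import gzip
import subprocess
import tempfile

# Constructed placeholder OIDs under a made-up enterprise number; use your own MIB.
TRAP_OID = "1.3.6.1.4.1.99999.1"
VARBIND_OIDS = {"host": "1.3.6.1.4.1.99999.2.1",
                "source": "1.3.6.1.4.1.99999.2.2",
                "_raw": "1.3.6.1.4.1.99999.2.3"}
MAX_LEN = 255  # bound varbind size; raw events can be arbitrarily long

def clean(value):
    """Event text is untrusted: drop control chars, neutralize a leading '-', truncate."""
    text = "".join(ch if ch.isprintable() else " " for ch in (value or ""))
    if text.startswith("-"):
        text = " " + text  # precaution so the sender cannot read the value as an option
    return text[:MAX_LEN]

def read_events(results_path):
    """Yield host, source and _raw for each row of the gzipped CSV results file."""
    with gzip.open(results_path, "rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):
            yield {name: clean(row.get(name)) for name in VARBIND_OIDS}

def build_trap_argv(event, manager, community):
    """Argument list for Net-SNMP snmptrap (assumed sender); each value is one element."""
    argv = ["snmptrap", "-v", "2c", "-c", community, manager, "", TRAP_OID]
    for name, oid in VARBIND_OIDS.items():
        argv += [oid, "s", event[name]]
    return argv

def send_traps(results_path, manager, community, run=subprocess.run):
    """Send one trap per result row. A list argv means no shell parses event text."""
    sent = 0
    for event in read_events(results_path):
        run(build_trap_argv(event, manager, community), check=True, timeout=10)
        sent += 1
    return sent

def demo_argv():
    """Constructed sample: results file with hostile event text, returns the argv built."""
    path = tempfile.mkdtemp() + "/results.csv.gz"
    rows = [["host", "source", "_raw"],
            ["web01", "/var/log/auth.log", "fail; $(id)\n`uname`"]]
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        csv.writer(fh).writerows(rows)
    return [build_trap_argv(e, "192.0.2.10", "public") for e in read_events(path)]
```
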