Search to display a table of only Active alerts in...

evan_roggenkamp · ‎04-14-2016

I am trying to build a table that will show the active alerts for SNMP trap data ingested via a text file.

I can build a table pretty well extracting fields with rex and displaying them using table

index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled")  | table cyan_node, trap_state, _time

This along with other rex statements on the other OID's in the trap message build a nice human-readable table of the Node Name, Alarm State, and Time.

However, what I want to do is to only show the events that eval cyan.6.1.1.10.0:= 1 to "Active" and have no preceding cyan.6.1.1.10.0:= 0 or "Clear"

In other words, just show me Active alarms that have never had a Clear status. I do not have any idea on how to go about this.

somesoni2 · ‎04-14-2016

Give this a try

 index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled")  | stats latest(_time) as _time values(trap_state) as trap_state by cyan_node | where mvcount(trap_state)=1 AND trap_state="Active" | table cyan_node, trap_state, _time

evan_roggenkamp · ‎04-18-2016

I do not get any results when I run that search. I am still trying to sort out exactly what you are doing there as I am still very new to Splunk and not too familiar with a lot of the commands.

somesoni2 · ‎04-18-2016

Before stats is the search same as your's in the question. Using stats, I'm taking the time of the latest event and all the available values of trap_state for a cyan_node. Then based on available values of trap_state, I'm removing events where trap_state has both Active and Cleared/Disabled state (showing only the active alarms) and keeping only with alarm state with Active.

vasanthmss · ‎04-14-2016

Try this,

index="orion" sourcetype=traps "cyan.6.1.1.10.0:= 1" | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled")  | table cyan_node, trap_state, _time

OR

 index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled") |search trap_state="Active" | table cyan_node, trap_state, _time

After your extraction you can use search or where.. like

|search trap_state="Active"

OR

|where trap_state="Active"

you can move your rex in props.conf (extract, calculated fields). then you can directly search the required field. In other hand If you can share some sample data I can help you the easy way.

Thanks,
V

V

evan_roggenkamp · ‎04-14-2016

While this will work to get a table of all the snmp traps that have come in as "active", what I am trying to do is to display all the traps that have come in as an alarm indicator that have NOT had a snmp trap come in with a clear indicator to negate them.

See this image for further reference. Since there was a Clear for the Active, there should be no need to display either event:

http://i.imgur.com/habLLYN.png

Search to display a table of only Active alerts in time frame

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...