Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alerting depending on data match from a lookup of a file content

fgilain
Engager
‎01-07-2014 06:55 AM

Hi all,

I want to monitor critical Cisco ports status.
My goal would be to setup a list of critical ports using a csv file for example and to be alerted by splunk when a specific eventtype (port up or down) happens on a port matching my csv file...

Here is what i did for the moment :

1) created a lookup file (csv format) :
/splunk/splunk/etc/apps/search/lookups/cisco_lookup_interfaces.csv

with the following content :
hostname,interface,description
sw-XX-c3750-01,TenGigabitEthernet3/0/1,INTERCO 1
sw-ZZ-c3650-02,TenGigabitEthernet4/0/1,INTERCO 2
sw-YY-c6450-01,GigabitEthernet3/0/52,INTERCO 3

2) I created 2 eventtype (for port up and port down)

3) I then tryed to call it and create a search, but without success...

Any help would be very cool...

Nb : goal would be search and be alerted when an eventtype "PORT_UP" or "PORT_DOWN" is corresponding to a hostanme+interface contained in the csv file. output should display hostname + interface + description (fro mcsv file) and status : UP or DOWN

Thanks a lot for your help, i really don't understand lookup docs...

Florent

Tags (1)
0 Karma
Reply

fgilain
Engager
‎01-07-2014 01:28 PM

Here are some log extract :

Dec 10 15:43:10 host=sw-s4-c3750-01 program=117487 PID= facility=local7 level=notice : 169210: Dec 10 15:43:09.654: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to down

Oct 31 11:39:53 host=sw-s4-c3750-01 program=114136 PID= facility=local7 level=notice : 165942: Oct 31 11:39:53.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to up

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-07-2014 07:42 AM 
your_search eventtype=PORT_DOWN OR eventtype=PORT_UP| lookup cisco_lookup_interfaces.csv host AS hostname | eval status = case(eventtype=="PORT_DOWN","DOWN",eventtype=="PORT_UP","UP",1=1,"UNK") | table hostname interface description status

This might get you close, without testing you may need to adjust the case statement to work.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-07-2014 02:13 PM

...|lookup cisco_lookup host AS hostname interface |...

0 Karma
Reply

fgilain
Engager
‎01-07-2014 02:08 PM

i get a result with (but not what is exactly wanted) :
index="index_de_syslog_net" eventtype="CISCO - INT *"| rex field=_raw "Interface\s(?\S+), changed state *" | lookup cisco_lookup_interfaces.csv hostname AS hostname | eval status = case(eventtype=="CISCO - INT DOWN","DOWN",eventtype=="CISCO - INT UP","UP",1=1,"UNK") | table host interface status description

The ouptput is the table with :
hostname, interface, status, but nothing in description field .

  • what i really need to match is 2 fields : hostname+interface of my csv, not only the hostname.
0 Karma
Reply

fgilain
Engager
‎01-07-2014 01:41 PM

Here is the error i get :

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table

0 Karma
Reply

somesoni2
Revered Legend
‎01-07-2014 07:23 AM

Would you be able to provide some sample events for event type PORT_UP and PORT_DOWN? What all fields are already available when you search 'eventtype="PORT_UP"' OR 'eventtype="PORT_DOWN"'?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...