Hi marees123,
how about something like this:
*swt* "changed state to" */*/* | rex "(?i) Interface (?P<AnInterface>[^,]+)" | rex "(?i)changed state to (?P<UpDown>.+)" | table host, AnInterface, UpDown, _time | sort +_time
or
*swt* "changed state to" */*/* | rex "(?i) Interface (?P<AnInterface>[^,]+)" | rex "(?i)changed state to (?P<UpDown>.+)" | table host, AnInterface, UpDown, _time | reverse
or
*swt* "changed state to" */*/* | rex "(?i) Interface (?P<AnInterface>[^,]+)" | rex "(?i)changed state to (?P<UpDown>.+)" | chart values(AnInterface) AS AnInterface values(UpDown) AS UpDown over _time by host
hope this helps ...
cheers, MuS
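To show what the two rex extractions and the sort/chart steps in the answer above actually produce, here is an added Python example (not code from the thread) that applies the same regexes to a few constructed Cisco-style syslog events; the host names, timestamps and message format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (host, timestamp, raw message) in Cisco IOS syslog style.
# They are made up for this example, not taken from the thread.
SAMPLE_EVENTS = [
    ("data1swt0001", "2015-01-24 23:48:38",
     "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down"),
    ("data1swt0001", "2015-01-24 23:52:08",
     "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up"),
    ("data1swt0002", "2015-01-24 23:50:00",
     "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down"),
    ("data1swt0002", "2015-01-24 23:49:00",
     "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),  # no match, dropped
]

# The same two patterns as the rex commands: interface name up to the first comma,
# and the state word(s) after "changed state to". (?i) makes them case-insensitive.
INTERFACE_RE = re.compile(r"(?i) Interface (?P<AnInterface>[^,]+)")
UPDOWN_RE = re.compile(r"(?i)changed state to (?P<UpDown>.+)")


def extract(events):
    """Apply both regexes. Events matching neither are skipped, which mirrors the
    base search's literal "changed state to" filter already excluding them."""
    rows = []
    for host, ts, raw in events:
        m_if, m_state = INTERFACE_RE.search(raw), UPDOWN_RE.search(raw)
        if not (m_if and m_state):
            continue
        rows.append({"host": host,
                     "AnInterface": m_if["AnInterface"],
                     "UpDown": m_state["UpDown"].strip(),
                     "_time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")})
    return rows


def table_oldest_first(events):
    """Equivalent of `table host, AnInterface, UpDown, _time | sort +_time`."""
    return sorted(extract(events), key=lambda r: r["_time"])


def chart_by_host(events):
    """Rough equivalent of `chart values(...) over _time by host`:
    per host, the time-ordered list of (time, interface, state)."""
    chart = {}
    for r in table_oldest_first(events):
        chart.setdefault(r["host"], []).append(
            (r["_time"].strftime("%Y-%m-%d %H:%M:%S"), r["AnInterface"], r["UpDown"]))
    return chart
```

Note that `[^,]+` for the interface name relies on the comma that Cisco places after it; on a platform that omits the comma the capture would run to the end of the line.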
Hi Mus,
I'm using the below query as you suggested,
*swt* "changed state to" */*/* | rex "(?i) Interface (?P<AnInterface>[^,]+)" | rex "(?i)changed state to (?P<UpDown>.+)" | table host, AnInterface, UpDown, _time | sort -_time | reverse
Could anyone please provide the script, so that Splunk will send the below logs to Netcool?
data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38
data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38
data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08
data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08
Thanks....
It's working perfectly... thanks a ton.
you're welcome 😉