Why is stats count on multi-line events giving me...

ryantzj · ‎05-04-2015

I have been trying to get splunk work with the switch log to show availability of ports divided by its device name, interface and hardware types with the query below

sourcetype=nexus_switch | rex field=_raw max_match=1000000 "(?m)(?P<Begin>(Ethernet\d\S+).*  
\s.*  
\s.*  
)" | rex field=Begin "(?PEthernet\d\S+)\sis\s(?P.*)  
\s.*  
\s+Hardware(\sis|:)\s(?P.*)," |  stats count by DeviceName, interface, hardware_type, status

But it shows an incorrect count of 10,000+ total interface where i have only 800. Below is a snippet of my log, line break by the long underscore line, every event contain about 20+ interface.

    ___________________________________________________________________________  

akcfj-sfe-gere (22.23.1.13):  



--------------  

term len 0  

--------------  



--------------  

show interface  

--------------  


Ethernet1/1 is up  

     Dedicated Interface   

      Hardware: 1000/10000 Ethernet, address: 0032.7321.b738 (bia 0032.7321.b738)  

      Description: NP2:*** akcfj-sfe-gere Ten3/1 ***  

      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec  

      reliability 255/255, txload 1/255, rxload 1/255  

      Encapsulation ARPA  

      Port mode is trunk  

      full-duplex, 10 Gb/s, media type is 10G  

      Beacon is turned off  

      Input flow-control is off, output flow-control is off  

      Rate mode is dedicated  

      Switchport monitor is off   

      EtherType is 0x8100   

      Last link flapped 23week(s) 3day(s)  

      Last clearing of "show interface" counters never  

      30 seconds input rate 75332208 bits/sec, 8743 packets/sec  

      30 seconds output rate 11084936 bits/sec, 3769 packets/sec  

      Load-Interval #2: 5 minute (300 seconds)  

        input rate 68.78 Mbps, 8.81 Kpps; output rate 11.02 Mbps, 4.28 Kpps  

      RX  

        307056506315 unicast packets  331016646 multicast packets  81428671 broadcast packets  

        307468951632 input packets  325254018013003 bytes  

        200664768545 jumbo packets  0 storm suppression packets  

        0 runts  0 giants  0 CRC  0 no buffer  

        0 input error  0 short frame  0 overrun   0 underrun  0 ignored  

        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop  

        0 input with dribble  0 input discard  

        0 Rx pause  

      TX  

        253672222513 unicast packets  30735817 multicast packets  20055695 broadcast packets  

        253723014025 output packets  203569881588917 bytes  

        119425086337 jumbo packets  

        0 output errors  0 collision  0 deferred  0 late collision  

        0 lost carrier  0 no carrier  0 babble 0 output discard  

        0 Tx pause  

      1 interface resets

woodcock · ‎05-12-2015

I think what you are trying to do is count things within each event, but what you are doing is counting things across events. To count things within events, you need to something like this ... | eval numInterfaces=mvcount(interface). If you will be VERY clear about EXACTLY what you are trying to do, I can help you more but I think this is the crux of your problems.

woodcock · ‎11-04-2015

Did this work?

MuS · ‎05-04-2015

Hi ryantzj,

have you tested any of the apps provided https://splunkbase.splunk.com/apps/#/page/1/search/nexus/order/relevance they will do all the field extractions from nexus logs for you....

cheers, MuS

ryantzj · ‎05-04-2015

Hi MuS,

Thanks for the suggestion, but apparently the log format are not supported by the cisco nexus add on... any workaround for this ?

Why is stats count on multi-line events giving me a wrong answer ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!