Splunk Search

LAN port Flapping

MasterOogway
Communicator

I have a LAN port flapping and causing all kinds of noise that I am trying to notify on.

The syslog looks like this: %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel6:

What I thought to be a good REX: \s%\w+_\w+-\d+-\w+_\w+:\s\w+-\w+\d+: doesn't provide any "hits" despite matching in both my REGEX helpers. I have even tried to use this REGEX within the Extract Fields tool without success.

What I am trying to accomplish is to build a REGEX to find this entire string up to the last number. The last port number needs to be counted and sorted by this number, and if the port number hits >=100 in 1 minute, alert me. Here is what I need to search for:

 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel<somenumber>:

Has anyone been able to, or have advice on how to, count the port number and alert "where count >=100"?

pstein

1 Solution

Lowell
Super Champion

You don't have any capture groups in your regular expression, therefore it may match, but it will not return any fields. You need to use the regex capture group like: (?<field_name>regex)

A search like this should work:

sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):"

To alert based on a repeated occurrence of port, you could do something like this:

sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | stats count by port | where count>=100


WenderPutters
Engager

host="10.145.254.*" UPDOWN | rex "(?i) Interface (?P<port>[^,]+)" | stats count by port,host
Above was the fix.



WenderPutters
Engager

I changed the alert to:
sourcetype=syslog UPDOWN | rex "(?i) Interface (?P<port>[^,]+)" | stats count by port | sort - count | where count>=8
so it would catch on my interface report looking like:

Dec 19 14:10:16.897: %LINK-3-UPDOWN: Interface FastEthernet0/41, changed state to down

However, now if I have multiple switches on which the same interface is bouncing, they would all be caught under 1 hit.
Would it be possible to include the IP/hostname somehow in the output?

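The extraction and threshold logic from the accepted answer, carried through to the per-host grouping asked for in the reply above, as an added Python example (not from the thread, and not Splunk code): the named group plays the role of the rex field, a Counter stands in for stats count by port, and a sliding one-minute window implements the "in 1 minute" requirement from the question. The hosts, timestamps and message text are constructed sample data; the two regexes are the ones posted in the thread, with the capture group named port.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Named capture groups, the point of the accepted answer: the regex matches
# either way, but only the (?P<port>...) group produces a 'port' field to count.
PORT_CHANNEL_RE = re.compile(r"port-channel(?P<port>\d+):")
INTERFACE_RE = re.compile(r"(?i) Interface (?P<port>[^,]+)")


def extract_port(message):
    """Return the 'port' capture from either event format, or None on no match."""
    for pattern in (PORT_CHANNEL_RE, INTERFACE_RE):
        match = pattern.search(message)
        if match:
            return match.group("port")
    return None


def count_by_port(events):
    """'| stats count by port': counts pooled across every host."""
    counts = Counter()
    for _ts, _host, message in events:
        port = extract_port(message)
        if port is not None:
            counts[port] += 1
    return counts


def flapping(events, threshold=100, window=timedelta(minutes=1)):
    """'| stats count by host, port | where count>=threshold', but evaluated over
    every sliding window of the given length, so a burst that straddles a clock
    minute is still caught. Returns {(host, port): peak_count} for offenders."""
    stamps_by_key = defaultdict(list)
    for ts, host, message in events:
        port = extract_port(message)
        if port is not None:
            stamps_by_key[(host, port)].append(ts)

    offenders = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[key] = peak
    return offenders


def build_sample_events():
    """Constructed events, not from the thread: (timestamp, host, message).
    Switch .1 flaps port-channel6 120 times in one minute; switch .2 logs the
    same port-channel 5 times and one FastEthernet interface twice. The text
    after 'port-channel6:' is made up for the example."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    flap = "%ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel6: first operational port changed"
    updown = "%LINK-3-UPDOWN: Interface FastEthernet0/41, changed state to down"
    events = [(t0 + timedelta(milliseconds=500 * i), "10.145.254.1", flap) for i in range(120)]
    events += [(t0 + timedelta(seconds=10 * i), "10.145.254.2", flap) for i in range(5)]
    events += [(t0 + timedelta(seconds=30 * i), "10.145.254.2", updown) for i in range(2)]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("count by port (hosts pooled):", dict(count_by_port(sample)))
    print("flapping >=100/min by host,port:", flapping(sample))
```

Running it shows the problem the reply above raises: count_by_port reports 125 for port 6 because both switches are pooled, while flapping, keyed on (host, port) the way the posted "stats count by port,host" search is, attributes the 120-event burst to 10.145.254.1 alone and leaves the five events from 10.145.254.2 below threshold. In Splunk the equivalent alert is scheduled over a one-minute span; the sliding window here is only needed because the script has no scheduler.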

MasterOogway
Communicator

I also modified the search (added sort - count) at the end to display the results:
sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | stats count by port | sort - count | where count>=100


Lowell
Super Champion

Great, sounds like this is working well for you! If this answers your question, please indicate so by checking the check mark on the left-hand side. (This will mark the question as answered, and give both of us some reputation points.)


MasterOogway
Communicator

The second line for alerting was SPOT ON. Now I understand how to assign fields via a REX on the fly, in this case assigning 'port' to what comes after port-channel. Thanks.
