Alerting

Need help in comparing some events and providing the desired values set for each keyword.

jerinvarghese
Communicator

Below are some of the SNMP-based alerts I got. While comparing those parameters I am not getting the expected output; I am seeing output with OTHER in Status.

Below are the key messages I will get with the device names.

uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff

Status >
jnxFruOnline : Online
jnxFruOffline : Offline
jnxFruRemoval : Removed
jnxFruInsertion : Inserted
jnxFruPowerOn : Powered On
jnxFruPowerOff : Powered Off

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
|  rex "jnxFruName=(?<FRU>.*)"
| eval Status=case(FRU=="jnxFruOnline", "UP", FRU=="jnxFruOffline", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

Output >

nodelabel   Status  FRU Time_CST
USDALIGW-LANOBA010  Other   Power Supply: Power Supply 1 @ 5/1/*    01/23/20 07:22:14
USHCO01-LANDCO001   Other   Routing Engine 1    01/23/20 06:00:35
CASYH-WANRTC001 Other   MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*    01/21/20 12:00:30
AUMEL-LANDC3001 Other   Power Supply 0 @ 4/0/*  01/19/20 15:45:01

I want that Status to be shown in the output (whichever status is the latest should be displayed).

Please help me with this.

1 Solution

to4kawa
Ultra Champion

UPDATE:

| makeresults 
| eval _raw="2020-01-25 21:59:45.716, eventid=\"445467848\", eventuei=\"uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn\", nodeid=\"676\", eventtime=\"2020-01-25 21:59:45.716+00\", ipaddr=\"172.23.222.196\", eventlogmsg=\"<p>
             jnxFruPowerOn trap received 
             jnxFruContentsIndex=20 
             jnxFruL1Index=2 
             jnxFruL2Index=1 
             jnxFruL3Index=0 
             jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
             jnxFruType=11 
             jnxFruSlot=1 
             jnxFruOfflineReason=2 
             jnxFruLastPowerOff=0 
             jnxFruLastPowerOn=0</p>\", eventseverity=\"3\", alarmid=\"24629858\", nodelabel=\"BRCTB-WANRTC001\""
`comment("this is your sample log, from here, the logic")`
| eval _raw=replace(_raw,"(?m)=(.+)","=\"\1\"")
| kv
| eval _time=strptime(eventtime,"%F %T.%3Q+%::z")
| eval Time_CST=_time
| fieldformat Time_CST=strftime(Time_CST,"%m/%d/%y %T")
| eval FRU=substr(mvindex(split(eventuei,"/"),-1),7)
| table nodelabel FRU jnxFruName Time_CST

How about this? Your timezone is CST, but the log's timezone is UTC.
I considered that.


Your sample check:

| makeresults 
| eval _raw="uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff" 
| makemv delim="
" _raw
| stats count by _raw
| rex "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"

Recommended:

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*" 
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"    
| rename _time as Time_CST 
| fieldformat Time_CST=strftime(Time_CST,"%x %X") 
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

What's this "Power Supply: Power Supply 1 @ 5/1/*"?
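The same logic the recommended search and the update apply in SPL (status word from the trap name at the end of the UEI, FRU name from the jnxFruName line inside eventlogmsg, UTC eventtime shifted to CST, and the "latest event per node" dedup) can be checked outside Splunk. Below is an added example in Python; it is not to4kawa's or the poster's code. It assumes the raw event layout quoted in the thread, assumes CST means UTC-6 with no daylight-saving handling, and builds its own constructed sample events (node names reused from the thread, other values made up).

```python
import re
from datetime import datetime, timedelta, timezone

# Status wording the question asks for, keyed by the trap name at the end of the UEI.
STATUS_WORDS = {
    "jnxFruOnline": "Online",
    "jnxFruOffline": "Offline",
    "jnxFruRemoval": "Removed",
    "jnxFruInsertion": "Inserted",
    "jnxFruPowerOn": "Powered On",
    "jnxFruPowerOff": "Powered Off",
}

# Assumption: the poster's "CST" is UTC-6 and the data is from January, so no DST shift.
CST = timezone(timedelta(hours=-6), name="CST")

UEI_RE = re.compile(r'eventuei="uei\.opennms\.org/vendor/Juniper/traps/(jnxFru[A-Za-z]+)"')
NAME_RE = re.compile(r'jnxFruName=(.*?)\s*(?:\n|</p>)')  # value runs to end of line or </p>
TIME_RE = re.compile(r'eventtime="([^"]+)"')
NODE_RE = re.compile(r'nodelabel="([^"]+)"')
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})([+-])(\d{2}):?(\d{2})?$')


def parse_eventtime(ts):
    """Parse an OpenNMS eventtime such as '2020-01-25 21:59:45.716+00' into an aware datetime.
    The offset may be +hh, +hhmm or +hh:mm; the bare '+00' form is what the thread shows.
    Returns None when the string does not match, instead of guessing a zone."""
    m = TS_RE.match(ts.strip())
    if not m:
        return None
    base, sign, hh, mm = m.groups()
    minutes = int(hh) * 60 + int(mm or 0)
    if sign == "-":
        minutes = -minutes
    naive = datetime.strptime(base, "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def parse_event(raw):
    """Extract nodelabel, trap name, status word, FRU name and event time from one raw event.
    Returns None when a required field is missing so a malformed line cannot produce a
    misleading row; an unmapped trap name yields Status 'Other', like the case() fallback."""
    uei = UEI_RE.search(raw)
    node = NODE_RE.search(raw)
    ts = TIME_RE.search(raw)
    if not (uei and node and ts):
        return None
    when = parse_eventtime(ts.group(1))
    if when is None:
        return None
    trap = uei.group(1)
    name = NAME_RE.search(raw)
    return {
        "nodelabel": node.group(1),
        "trap": trap,
        "Status": STATUS_WORDS.get(trap, "Other"),
        # Fall back to the trap name when jnxFruName is absent, as the recommended search does.
        "FRU": name.group(1).strip() if name else trap,
        "time_utc": when.astimezone(timezone.utc),
    }


def latest_status_per_node(raw_events):
    """Equivalent of '| dedup nodelabel sortby - _time | table ...': keep the newest event per
    node and present the time in CST in the %m/%d/%y %T layout used in the thread."""
    latest = {}
    for raw in raw_events:
        ev = parse_event(raw)
        if ev is None:
            continue
        prev = latest.get(ev["nodelabel"])
        if prev is None or ev["time_utc"] > prev["time_utc"]:
            latest[ev["nodelabel"]] = ev
    rows = []
    for ev in sorted(latest.values(), key=lambda e: e["time_utc"], reverse=True):
        rows.append({
            "nodelabel": ev["nodelabel"],
            "Status": ev["Status"],
            "FRU": ev["FRU"],
            "Time_CST": ev["time_utc"].astimezone(CST).strftime("%m/%d/%y %H:%M:%S"),
        })
    return rows


def _event(ts, trap, node, fru_name, eventid="1"):
    """Build a raw line in the layout quoted in the thread (constructed sample data)."""
    return (
        f'{ts[:23]}, eventid="{eventid}", eventuei="uei.opennms.org/vendor/Juniper/traps/{trap}", '
        f'nodeid="676", eventtime="{ts}", ipaddr="192.0.2.10", eventlogmsg="<p>\n'
        f'             {trap} trap received \n'
        f'             jnxFruContentsIndex=20 \n'
        f'             jnxFruName={fru_name} \n'
        f'             jnxFruType=11 \n'
        f'             jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="1", nodelabel="{node}"'
    )


# Constructed sample events: two for the same node (only the newer one must survive dedup).
SAMPLE_EVENTS = [
    _event("2020-01-25 21:59:45.716+00", "jnxFruPowerOn", "BRCTB-WANRTC001", "MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*"),
    _event("2020-01-25 20:00:00.000+00", "jnxFruOffline", "BRCTB-WANRTC001", "MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*"),
    _event("2020-01-26 02:11:21.000+00", "jnxFruPowerOn", "USEMCLB-LANCD3001", "FPC: MPC @ 1/*/*"),
    _event("2020-01-26 02:11:11.000+00", "jnxFruPowerOn", "USEMCLB-LANCD3002", "FPC: EX4500-40F @ 5/*/*"),
]

if __name__ == "__main__":
    for row in latest_status_per_node(SAMPLE_EVENTS):
        print(row["nodelabel"], row["Status"], row["FRU"], row["Time_CST"], sep="\t")
```

Running it prints one row per node with the status word, the jnxFruName value and the CST timestamp; a 21:59:45 UTC event comes out as 15:59:45 CST, which is the shift visible between the raw input and the output table further down the thread. The point of the separate `parse_eventtime` is the `+00` offset: a format that does not match the offset silently yields no `_time`, and a dedup on a missing time keeps an arbitrary row rather than the latest one.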

jerinvarghese
Communicator

Thanks for the code; below is the output.

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn jnxFruPowerOn   01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn jnxFruPowerOn   01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn jnxFruPowerOn   01/25/20 15:59:45

But I want the FRU to be replaced with the rex output.

rex "jnxFruName=(?<FRU>.*)"

Expected output

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn FPC: MPC @ 1/*/*    01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn FPC: EX4500-40F @ 5/*/* 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn CB 1    01/25/20 15:59:45

RAW input:

2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>
            jnxFruPowerOn trap received 
            jnxFruContentsIndex=20 
            jnxFruL1Index=2 
            jnxFruL2Index=1 
            jnxFruL3Index=0 
            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
            jnxFruType=11 
            jnxFruSlot=1 
            jnxFruOfflineReason=2 
            jnxFruLastPowerOff=0 
            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"

to4kawa
Ultra Champion

Hi @jerinvarghese,
My answer is updated. Please confirm.
