Below are some of the SNMP-based alerts I got. While comparing those parameters I am not getting the expected output; I'm seeing output with OTHER in Status.
Below are the key messages I get, with the device names.
uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff
Status >
jnxFruOnline : Online
jnxFruOffline : Offline
jnxFruRemoval : Removed
jnxFruInsertion : Inserted
jnxFruPowerOn : Powered On
jnxFruPowerOff : Powered Off
index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
| rex "jnxFruName=(?<FRU>.*)"
| eval Status=case(FRU=="jnxFruOnline", "UP", FRU=="jnxFruOffline", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST
| table nodelabel Status FRU Time_CST
Output >
nodelabel Status FRU Time_CST
USDALIGW-LANOBA010 Other Power Supply: Power Supply 1 @ 5/1/* 01/23/20 07:22:14
USHCO01-LANDCO001 Other Routing Engine 1 01/23/20 06:00:35
CASYH-WANRTC001 Other MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 01/21/20 12:00:30
AUMEL-LANDC3001 Other Power Supply 0 @ 4/0/* 01/19/20 15:45:01
I want that Status to be shown in the output (whichever is the latest status should be displayed).
Please help me with this.
UPDATE:
| makeresults
| eval _raw="2020-01-25 21:59:45.716, eventid=\"445467848\", eventuei=\"uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn\", nodeid=\"676\", eventtime=\"2020-01-25 21:59:45.716+00\", ipaddr=\"172.23.222.196\", eventlogmsg=\"<p>
jnxFruPowerOn trap received
jnxFruContentsIndex=20
jnxFruL1Index=2
jnxFruL2Index=1
jnxFruL3Index=0
jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*
jnxFruType=11
jnxFruSlot=1
jnxFruOfflineReason=2
jnxFruLastPowerOff=0
jnxFruLastPowerOn=0</p>\", eventseverity=\"3\", alarmid=\"24629858\", nodelabel=\"BRCTB-WANRTC001\""
`comment("this is your sample log, from here, the logic")`
| eval _raw=replace(_raw,"(?m)=(.+)","=\"\1\"")
| kv
| eval _time=strptime(eventtime,"%F %T.%3Q+%::z")
| eval Time_CST=_time
| fieldformat Time_CST=strftime(Time_CST,"%m/%d/%y %T")
| eval FRU=substr(mvindex(split(eventuei,"/"),-1),7)
| table nodelabel FRU jnxFruName Time_CST
How about this? Your timezone is CST, but the log's timezone is UTC.
I considered it.
Your sample check:
| makeresults
| eval _raw="uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff"
| makemv delim="
" _raw
| stats count by _raw
| rex "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
| rex field=FRU "jnxFru(?<Status>.+)"
Recommended:
index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
| rex field=FRU "jnxFru(?<Status>.+)"
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST
| table nodelabel Status FRU Time_CST
What's this "Power Supply: Power Supply 1 @ 5/1/*"?
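As an added, stand-alone check of the recommended logic (my own Python, not part of this thread and not Splunk code): it parses the raw OpenNMS event layout quoted in the thread, takes Status from the UEI suffix and FRU from jnxFruName, converts the "+00" eventtime to CST (assumed to be UTC-6 for these January dates) and keeps only the newest event per nodelabel, which is what the dedup/sortby pipeline does. The first sample record is the thread's own; the other two are constructed with placeholder ids.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records in the OpenNMS export layout quoted in the thread; the
# first is the thread's own sample, the other two are made up to exercise the
# "latest event per node" rule (placeholder eventid values).
RAW_EVENTS = [
    '2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", '
    'nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>\n'
    'jnxFruPowerOn trap received\njnxFruContentsIndex=20\njnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*\n'
    'jnxFruType=11</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"',
    '2020-01-25 20:10:00.000, eventid="EID-PLACEHOLDER", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruOffline", '
    'nodeid="676", eventtime="2020-01-25 20:10:00.000+00", eventlogmsg="<p>\njnxFruOffline trap received\n'
    'jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*\n</p>", eventseverity="3", nodelabel="BRCTB-WANRTC001"',
    '2020-01-26 02:11:21.000, eventid="EID-PLACEHOLDER", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", '
    'nodeid="1", eventtime="2020-01-26 02:11:21.000+00", eventlogmsg="<p>\njnxFruPowerOn trap received\n'
    'jnxFruName=FPC: MPC @ 1/*/*\n</p>", eventseverity="3", nodelabel="USEMCLB-LANCD3001"',
]

UEI_RE = re.compile(r'eventuei="uei\.opennms\.org/vendor/Juniper/traps/jnxFru(?P<status>[^"]+)"')
NAME_RE = re.compile(r'^jnxFruName=(?P<name>.*)$', re.M)  # multiline body inside eventlogmsg
TIME_RE = re.compile(r'eventtime="(?P<ts>[^"]+)"')
NODE_RE = re.compile(r'nodelabel="(?P<node>[^"]+)"')
CST = timezone(timedelta(hours=-6))  # assumption: CST = UTC-6 (standard time, January dates)

def parse_eventtime(ts: str) -> datetime:
    """OpenNMS writes a bare '+00' offset; pad it to '+0000' so %z accepts it."""
    base, hh, mm = re.fullmatch(r'(.*?)([+-]\d\d)(:?\d\d)?', ts).groups()
    return datetime.strptime(base + hh + (mm or "00").replace(":", ""), "%Y-%m-%d %H:%M:%S.%f%z")

def parse_event(raw: str) -> dict:
    """One row per event: Status from the UEI suffix, FRU from jnxFruName, time kept in UTC."""
    status, name, ts, node = (r.search(raw) for r in (UEI_RE, NAME_RE, TIME_RE, NODE_RE))
    if not (status and name and ts and node):
        raise ValueError("not a complete jnxFru trap event")
    return {"nodelabel": node["node"], "Status": status["status"],
            "FRU": name["name"].rstrip(), "_time": parse_eventtime(ts["ts"])}

def latest_fru_status(raw_events) -> list:
    """Equivalent of 'dedup nodelabel sortby - _time': newest event per node, newest first."""
    latest = {}
    for row in map(parse_event, raw_events):
        if row["nodelabel"] not in latest or row["_time"] > latest[row["nodelabel"]]["_time"]:
            latest[row["nodelabel"]] = row
    rows = sorted(latest.values(), key=lambda r: r["_time"], reverse=True)
    for r in rows:  # render the UTC timestamp in the CST display format used in the thread
        r["Time_CST"] = r.pop("_time").astimezone(CST).strftime("%m/%d/%y %H:%M:%S")
    return rows

if __name__ == "__main__":
    for r in latest_fru_status(RAW_EVENTS):
        print(r["nodelabel"], r["Status"], r["FRU"], r["Time_CST"])
```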
Thanks for the code; below is the output.
nodelabel Status FRU Time_CST
USEMCLB-LANCD3001 PowerOn jnxFruPowerOn 01/25/20 20:11:21
USEMCLB-LANCD3002 PowerOn jnxFruPowerOn 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn jnxFruPowerOn 01/25/20 15:59:45
But I want the FRU to be replaced with the rex output.
rex "jnxFruName=(?<FRU>.*)"
Expected output
nodelabel Status FRU Time_CST
USEMCLB-LANCD3001 PowerOn FPC: MPC @ 1/*/* 01/25/20 20:11:21
USEMCLB-LANCD3002 PowerOn FPC: EX4500-40F @ 5/*/* 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn CB 1 01/25/20 15:59:45
Raw input:
2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>
jnxFruPowerOn trap received
jnxFruContentsIndex=20
jnxFruL1Index=2
jnxFruL2Index=1
jnxFruL3Index=0
jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*
jnxFruType=11
jnxFruSlot=1
jnxFruOfflineReason=2
jnxFruLastPowerOff=0
jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"
Hi @jerinvarghese, my answer is updated. Please confirm.