Alerting

Need help in comparing some events and providing the desired values set for each keyword.

jerinvarghese
Communicator

Below are some of the SNMP-based alerts I got. While comparing those parameters I am not getting the expected output; I am seeing output with OTHER in Status.

Below are the key messages I will get with the device names.

uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff

Status >
jnxFruOnline : Online
jnxFruOffline : Offline
jnxFruRemoval : Removed
jnxFruInsertion : Inserted
jnxFruPowerOn : Powered On
jnxFruPowerOff : Powered Off

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
|  rex "jnxFruName=(?<FRU>.*)"
| eval Status=case(FRU=="jnxFruOnline", "UP", FRU=="jnxFruOffline", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

Output >

nodelabel   Status  FRU Time_CST
USDALIGW-LANOBA010  Other   Power Supply: Power Supply 1 @ 5/1/*    01/23/20 07:22:14
USHCO01-LANDCO001   Other   Routing Engine 1    01/23/20 06:00:35
CASYH-WANRTC001 Other   MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*    01/21/20 12:00:30
AUMEL-LANDC3001 Other   Power Supply 0 @ 4/0/*  01/19/20 15:45:01

I want that Status to be mentioned in the output (whichever is the latest status should be displayed).

Please help me with this.

0 Karma
1 Solution

to4kawa
Ultra Champion

UPDATE:

| makeresults 
| eval _raw="2020-01-25 21:59:45.716, eventid=\"445467848\", eventuei=\"uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn\", nodeid=\"676\", eventtime=\"2020-01-25 21:59:45.716+00\", ipaddr=\"172.23.222.196\", eventlogmsg=\"<p>
             jnxFruPowerOn trap received 
             jnxFruContentsIndex=20 
             jnxFruL1Index=2 
             jnxFruL2Index=1 
             jnxFruL3Index=0 
             jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
             jnxFruType=11 
             jnxFruSlot=1 
             jnxFruOfflineReason=2 
             jnxFruLastPowerOff=0 
             jnxFruLastPowerOn=0</p>\", eventseverity=\"3\", alarmid=\"24629858\", nodelabel=\"BRCTB-WANRTC001\""
`comment("this is your sample log, from here, the logic")`
| eval _raw=replace(_raw,"(?m)=(.+)","=\"\1\"")
| kv
| eval _time=strptime(eventtime,"%F %T.%3Q+%::z")
| eval Time_CST=_time
| fieldformat Time_CST=strftime(Time_CST,"%m/%d/%y %T")
| eval FRU=substr(mvindex(split(eventuei,"/"),-1),7)
| table nodelabel FRU jnxFruName Time_CST

How about this? Your timezone is CST, but the log's timezone is UTC.
I considered it.


Your sample check:

| makeresults 
| eval _raw="uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff" 
| makemv delim="
" _raw
| stats count by _raw
| rex "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"

Recommended:

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*" 
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"    
| rename _time as Time_CST 
| fieldformat Time_CST=strftime(Time_CST,"%x %X") 
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

What's this "Power Supply: Power Supply 1 @ 5/1/*"?


0 Karma

jerinvarghese
Communicator

Thanks for the code; below is the output.

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn jnxFruPowerOn   01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn jnxFruPowerOn   01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn jnxFruPowerOn   01/25/20 15:59:45

But I want the FRU to be replaced with the rex output.

rex "jnxFruName=(?<FRU>.*)"

Expected output

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn FPC: MPC @ 1/*/*    01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn FPC: EX4500-40F @ 5/*/* 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn CB 1    01/25/20 15:59:45

RAW input:

2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>
            jnxFruPowerOn trap received 
            jnxFruContentsIndex=20 
            jnxFruL1Index=2 
            jnxFruL2Index=1 
            jnxFruL3Index=0 
            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
            jnxFruType=11 
            jnxFruSlot=1 
            jnxFruOfflineReason=2 
            jnxFruLastPowerOff=0 
            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"
0 Karma

to4kawa
Ultra Champion

Hi, @jerinvarghese
My answer is updated. Please confirm.

0 Karma
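A combined search, added here as an example and not posted by either participant, that joins the accepted answer's UEI-suffix extraction with the status labels listed in the question and pulls FRU from the jnxFruName line of the trap body instead of the UEI. It assumes events look like the RAW input above (eventuei auto-extracted, the multi-line eventlogmsg searchable in _raw) and that _time was set from the event timestamp at index time, so strftime renders it in the searching user's timezone (CST here, as the answer notes the logs themselves are UTC).

```spl
index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "traps/jnxFru(?<Event>[A-Za-z]+)$"
| eval Status=case(Event=="Online",    "Online",
                   Event=="Offline",   "Offline",
                   Event=="Removal",   "Removed",
                   Event=="Insertion", "Inserted",
                   Event=="PowerOn",   "Powered On",
                   Event=="PowerOff",  "Powered Off",
                   true(),             "Other")
| rex "jnxFruName=(?<FRU>[^\r\n<]+)"
| eval FRU=trim(FRU)
| dedup nodelabel sortby -_time
| eval Time_CST=strftime(_time,"%x %X")
| table nodelabel Status FRU Time_CST
```

The two rex commands write different fields (Event and FRU), which avoids the overwrite in the original search where the second rex replaced FRU before case() compared it; use `dedup nodelabel FRU` instead of `dedup nodelabel` to keep the latest state of every component rather than one row per node.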