Hi all,
I want to monitor critical Cisco ports status.
My goal would be to set up a list of critical ports using a CSV file, for example, and to be alerted by Splunk when a specific eventtype (port up or down) happens on a port matching my CSV file...
Here is what I did for the moment:
1) Created a lookup file (CSV format):
/splunk/splunk/etc/apps/search/lookups/cisco_lookup_interfaces.csv
with the following content:
hostname,interface,description
sw-XX-c3750-01,TenGigabitEthernet3/0/1,INTERCO 1
sw-ZZ-c3650-02,TenGigabitEthernet4/0/1,INTERCO 2
sw-YY-c6450-01,GigabitEthernet3/0/52,INTERCO 3
2) I created 2 eventtypes (for port up and port down)
3) I then tried to call it and create a search, but without success...
Any help would be very cool...
NB: the goal would be to search and be alerted when an eventtype "PORT_UP" or "PORT_DOWN" corresponds to a hostname+interface contained in the CSV file. Output should display hostname + interface + description (from the CSV file) and status: UP or DOWN.
Thanks a lot for your help, I really don't understand the lookup docs...
Florent
Here are some log extracts:
Dec 10 15:43:10 host=sw-s4-c3750-01 program=117487 PID= facility=local7 level=notice : 169210: Dec 10 15:43:09.654: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to down
Oct 31 11:39:53 host=sw-s4-c3750-01 program=114136 PID= facility=local7 level=notice : 165942: Oct 31 11:39:53.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to up
your_search eventtype=PORT_DOWN OR eventtype=PORT_UP | lookup cisco_lookup_interfaces.csv host AS hostname | eval status = case(eventtype=="PORT_DOWN","DOWN", eventtype=="PORT_UP","UP", 1=1,"UNK") | table hostname interface description status
This might get you close; without testing, you may need to adjust the case statement to work.
...|lookup cisco_lookup host AS hostname interface |...
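To show what the lookup above has to do (match on both host and interface, then pull in the description), here is an added Python stand-in that is not part of this thread: it runs the same extraction a `rex` would, joins against the CSV content from the question, and keeps only events on listed ports. The events are constructed in the syslog format shown in the question; the hostnames are chosen to match the lookup.

```python
import csv
import io
import re

# Constructed lookup content, same columns as cisco_lookup_interfaces.csv in the question.
LOOKUP_CSV = """hostname,interface,description
sw-XX-c3750-01,TenGigabitEthernet3/0/1,INTERCO 1
sw-ZZ-c3650-02,TenGigabitEthernet4/0/1,INTERCO 2
sw-YY-c6450-01,GigabitEthernet3/0/52,INTERCO 3
"""

# Constructed events in the format of the log extracts (host= prefix, %LINEPROTO-5-UPDOWN).
# The third event is on a port that is NOT in the critical list.
EVENTS = [
    "Dec 10 15:43:10 host=sw-XX-c3750-01 program=117487 PID= facility=local7 level=notice : 169210: Dec 10 15:43:09.654: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet3/0/1, changed state to down",
    "Oct 31 11:39:53 host=sw-YY-c6450-01 program=114136 PID= facility=local7 level=notice : 165942: Oct 31 11:39:53.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/52, changed state to up",
    "Oct 31 11:40:00 host=sw-XX-c3750-01 program=114136 PID= facility=local7 level=notice : 165943: Oct 31 11:40:00.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up",
]

# Same fields a rex would extract: host, interface and the up/down state.
# Without the interface field the lookup cannot match a row, which is the
# "Could not find all of the specified lookup fields" situation.
EVENT_RE = re.compile(
    r"host=(?P<host>\S+).*?%LINEPROTO-5-UPDOWN: Line protocol on Interface "
    r"(?P<interface>[^,\s]+), changed state to (?P<state>up|down)"
)


def load_lookup(text):
    """Index the lookup by (hostname, interface): both fields must match."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["hostname"], r["interface"]): r["description"] for r in rows}


def critical_port_events(events, lookup_text):
    """Equivalent of `| lookup ... host AS hostname interface | table ...`."""
    lookup = load_lookup(lookup_text)
    out = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        key = (m["host"], m["interface"])
        if key not in lookup:  # not a critical port: no description, drop it
            continue
        out.append({"hostname": key[0], "interface": key[1],
                    "description": lookup[key], "status": m["state"].upper()})
    return out
```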
I get a result with (but not exactly what is wanted):
index="index_de_syslog_net" eventtype="CISCO - INT *"| rex field=_raw "Interface\s(?
The output is the table with:
hostname, interface, status, but nothing in the description field.
Here is the error I get:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table
Would you be able to provide some sample events for event types PORT_UP and PORT_DOWN? What fields are already available when you search 'eventtype="PORT_UP"' OR 'eventtype="PORT_DOWN"'?