topic Re: Need help in comparing some events and providing the desired values set for each keyword. in Alerting

Need help in comparing some events and providing the desired values set for each keyword.

jerinvarghese — Thu, 23 Jan 2020 14:37:38 GMT

Below are some of my SNMP based alerting I got. While comparing those parameter am not getting the expected output. seeing output with OTHER in status.

Below are the key messages i will get with the device names.

uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff

Status >
jnxFruOnline : Online
jnxFruOffline : Offline
jnxFruRemoval : Removed
jnxFruInsertion : Inserted
jnxFruPowerOn : Powered On
jnxFruPowerOff : Powered Off

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
|  rex "jnxFruName=(?<FRU>.*)"
| eval Status=case(FRU=="jnxFruOnline", "UP", FRU=="jnxFruOffline", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

Output >

nodelabel   Status  FRU Time_CST
USDALIGW-LANOBA010  Other   Power Supply: Power Supply 1 @ 5/1/*    01/23/20 07:22:14
USHCO01-LANDCO001   Other   Routing Engine 1    01/23/20 06:00:35
CASYH-WANRTC001 Other   MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*    01/21/20 12:00:30
AUMEL-LANDC3001 Other   Power Supply 0 @ 4/0/*  01/19/20 15:45:01

I want that Status to be mentioned in the output (whichever the latest status should be displayed.)

please help me in this.

Re: Need help in comparing some events and providing the desired values set for each keyword.

to4kawa — Thu, 23 Jan 2020 18:23:12 GMT

UPDATE:

| makeresults 
| eval _raw="2020-01-25 21:59:45.716, eventid=\"445467848\", eventuei=\"uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn\", nodeid=\"676\", eventtime=\"2020-01-25 21:59:45.716+00\", ipaddr=\"172.23.222.196\", eventlogmsg=\"<p>
             jnxFruPowerOn trap received 
             jnxFruContentsIndex=20 
             jnxFruL1Index=2 
             jnxFruL2Index=1 
             jnxFruL3Index=0 
             jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
             jnxFruType=11 
             jnxFruSlot=1 
             jnxFruOfflineReason=2 
             jnxFruLastPowerOff=0 
             jnxFruLastPowerOn=0</p>\", eventseverity=\"3\", alarmid=\"24629858\", nodelabel=\"BRCTB-WANRTC001\""
`comment("this is your sample log, from here, the logic")`
| eval _raw=replace(_raw,"(?m)=(.+)","=\"\1\"")
| kv
| eval _time=strptime(eventtime,"%F %T.%3Q+%::z")
| eval Time_CST=_time
| fieldformat Time_CST=strftime(Time_CST,"%m/%d/%y %T")
| eval FRU=substr(mvindex(split(eventuei,"/"),-1),7)
| table nodelabel FRU jnxFruName Time_CST

How about this? your timezone is CST, but log's timezone is UTC.
I considered it.

your sample check:

| makeresults 
| eval _raw="uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff" 
| makemv delim="
" _raw
| stats count by _raw
| rex "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"

recommend:

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*" 
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"    
| rename _time as Time_CST 
| fieldformat Time_CST=strftime(Time_CST,"%x %X") 
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

What' s this Power Supply: Power Supply 1 @ 5/1/* ?

Re: Need help in comparing some events and providing the desired values set for each keyword.

jerinvarghese — Tue, 28 Jan 2020 09:38:15 GMT

Thanks for the code, below is the output.

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn jnxFruPowerOn   01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn jnxFruPowerOn   01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn jnxFruPowerOn   01/25/20 15:59:45

But I want the FRU to be replaced with the rex output.

rex "jnxFruName=(?<FRU>.*)"

Expected output

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn FPC: MPC @ 1/*/*    01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn FPC: EX4500-40F @ 5/*/* 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn CB 1    01/25/20 15:59:45

RAW input:

2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>
            jnxFruPowerOn trap received 
            jnxFruContentsIndex=20 
            jnxFruL1Index=2 
            jnxFruL2Index=1 
            jnxFruL3Index=0 
            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
            jnxFruType=11 
            jnxFruSlot=1 
            jnxFruOfflineReason=2 
            jnxFruLastPowerOff=0 
            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"

Re: Need help in comparing some events and providing the desired values set for each keyword.

to4kawa — Tue, 28 Jan 2020 13:29:55 GMT

hi, @jerinvarghese
my answer is updated. please confirm.