https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381535#M24954 <P>i think its working , thanks a heap for this , i will test it for next 24hours to verify</P> Sun, 11 Nov 2018 09:50:43 GMT saadi381 2018-11-11T09:50:43Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381531#M24950 <P>Hi</P> <P>Apologies if this has been asked before.</P> <P>So here is what i am trying to achieve </P> <OL> <LI>Catch the log and create an event like when bgp goes down (easy can search and filter them out)</LI> <LI>Catch the log and create if above event is clear , will get a log message with status Up </LI> <LI>Correlate both events</LI> <LI>Display in a dashboard when event happened and keep it there unless the clear event is not received </LI> </OL> <P>So basically a dashboard where i can see when bgp goes down and if it is down , if restored the event to disappear from dashboard. </P> <P>Not sure if possible in Splunk and how to do it</P> <P>Here are sample logs which i need to correlate</P> <PRE><CODE>Nov 11 15:39:05 hostanme1 - RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.168.200.146 (External AS 12345) changed state from Established to Idle (event HoldTime) (instance vrf-1234) </CODE></PRE> <P>After above log i need to display an event in dashboard</P> <PRE><CODE>Nov 11 15:43:00 hostanme1 - RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.168.200.146 (External AS 12345) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance vrf-1234) </CODE></PRE> <P>After above log i want to clear the event </P> Sat, 10 Nov 2018 22:21:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381531#M24950 saadi381 2018-11-10T22:21:29Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381532#M24951 <P>@saadi381,</P> <P>Its possible. Do you have a unique field in both events to correlate them (router id or something)? Would be helpful if you could provide some sample events (mask any confidential data). Also how do you want to represent in the dashboard? Just as events or some status indicator?</P> Sun, 11 Nov 2018 06:27:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381532#M24951 renjith_nair 2018-11-11T06:27:12Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381533#M24952 <P>added sample logs</P> Sun, 11 Nov 2018 06:43:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381533#M24952 saadi381 2018-11-11T06:43:32Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381534#M24953 <P>@saadi381,</P> <P>Assuming IP can be used to correlate the events, give this a try</P> <PRE><CODE>"your base search" |rex field=_raw "BGP peer (?&lt;IP&gt;\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" |rex field=_raw "from \w+\sto\s(?&lt;status&gt;\w+)" |stats count,latest(_raw) as _raw,latest(status) as Status by IP |where count&lt;2 AND Status!="Established" </CODE></PRE> <P>This should leave with only idle IPs. Test it by removing the last <CODE>where</CODE> clause.</P> Sun, 11 Nov 2018 07:47:44 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381534#M24953 renjith_nair 2018-11-11T07:47:44Z https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381535#M24954 <P>i think its working , thanks a heap for this , i will test it for next 24hours to verify</P> Sun, 11 Nov 2018 09:50:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-create-a-dashboard-by-event-correlation/m-p/381535#M24954 saadi381 2018-11-11T09:50:43Z