Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Create an alert (Splunk query) for different nodes where if the status of the node goes down and doesn't come up within 1 hour then an alert should trigger.

Inayath_khan
Path Finder
‎02-12-2020 12:14 AM

Hi Guys,

I am Just creating a rule for a switch for multiple nodes where if the status of the switch goes down and doesn't comes up within an hour then it has to be triggered. But also if you see logs the status is getting up within a fraction of sec so i just want to put a threshold of 1 hour. Kindly help me on forming the Splunk query.

2019-12-02T17:25:38.448Z x.x.x.x <45>12376292: 12377249: *Dec 2 18:14:15.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

2019-12-02T17:25:38.448Z x.x.x.x <45>12376291: 12377248: *Dec 2 18:14:15.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

Thanks in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-21-2020 02:39 AM 
index=* Interface changed state to down 
|rex ".*Interface\s(?<interface>[\S]+),"
|rex ".*state\s+to\s+(?<vendor_action[\S]+)" 
| table _time,src_interface,vendor_action
| reverse
| streamstats count(eval(status="down")) as session by interface
| streamstats count(eval(status="start")) as start by session interface
| where start < 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-21-2020 02:39 AM 
index=* Interface changed state to down 
|rex ".*Interface\s(?<interface>[\S]+),"
|rex ".*state\s+to\s+(?<vendor_action[\S]+)" 
| table _time,src_interface,vendor_action
| reverse
| streamstats count(eval(status="down")) as session by interface
| streamstats count(eval(status="start")) as start by session interface
| where start < 1
0 Karma
Reply
Solved! Jump to solution

Inayath_khan
Path Finder
‎02-26-2020 08:07 AM

Thanks @to4kawa it dint work. The status of an interface is getting up within 30 sec. I want a query that will trigger if status of the port is down for an interface for more than an hour and it's not up. Can we do some kind time comparision??

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-26-2020 11:47 AM

within 1 hour then an alert should trigger. is your question.
if status of the port is down for an interface for more than an hour and it's not up. is your comment and the reason not to accept
I create for your question. not to your problem. sorry.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-12-2020 01:46 AM

what's your field extractions?

0 Karma
Reply
Solved! Jump to solution

Inayath_khan
Path Finder
‎02-21-2020 02:15 AM

Hi @to4kawa this is my extraction,

index=* Interface changed state to down |rex ".*Interface\s(?[\S]+),"|rex ".*state\s+to\s+(?[\S]+)" | table _time,src_interface,vendor_action

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...