How to create a search to find if a switch interface is down, then trigger an alert only if the interface is not running

Mohanveera1
Explorer

Hi Splunk Experts,

I tried to create the search but couldn't get it to work. I need a search that throws an alert if an interface of a Cisco switch goes down and doesn't come back to the up state within 5 minutes. The logs are as in the screenshot below. I managed to write the query for only one scenario, i.e. if the switch status changed state to down I can get the alert, but I can't merge both message fields back to back.

Required Alert scenario:

When the first log containing the message field "changed state to down" appears and within 5 minutes the next log containing the message field "changed state to up" doesn't appear, then I must get an alert.

[Screenshot of the switch log events: Mohanveera1_0-1667470543576.png]

Thanks in advance.

richgalloway
SplunkTrust

Alerts can't wait to see what will happen in the next few minutes.  They only look at what happened in the past.  This problem typically is solved by looking for the most recent event from each device.  If it's a "down" event and it's been at least 5 minutes then trigger an alert.

index=cisco_switch sourcetype=syslog:cswitch (message="changed state to down" OR message="changed state to up")
```Get the most recent event for each device```
| dedup device_IP
```Keep only down devices at least 5 minutes old```
| where (message="changed state to down" AND _time<=relative_time(now(), "-5m"))
| table _time device_IP

Set the alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!
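The "newest event per device, then check its age" logic from the reply above, as an added example in plain Python rather than SPL (not code from the reply or from Splunk). The device IPs, timestamps and message texts are constructed, the clock is fixed so the run is reproducible, and the substring match on the message text is an assumption (the SPL in the reply matches the field value exactly).

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, device_IP, message); not from the original post.
SAMPLE_EVENTS = [
    ("2022-11-03 10:00:00", "10.0.0.1", "Interface Gi0/1, changed state to down"),
    ("2022-11-03 10:02:00", "10.0.0.1", "Interface Gi0/1, changed state to up"),    # recovered: no alert
    ("2022-11-03 10:04:00", "10.0.0.2", "Interface Gi0/3, changed state to down"),  # down 16 min: alert
    ("2022-11-03 10:18:00", "10.0.0.3", "Interface Gi0/2, changed state to down"),  # down 2 min: not yet
]
NOW = datetime(2022, 11, 3, 10, 20, 0)  # fixed "now" so the result is deterministic


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, msg) for ts, ip, msg in events]


def latest_per_device(events):
    """Equivalent of `| dedup device_IP` on time-sorted results: keep only the newest event per device."""
    latest = {}
    for t, ip, msg in events:
        if ip not in latest or t > latest[ip][0]:
            latest[ip] = (t, msg)
    return latest


def down_devices(events, now=NOW, grace=timedelta(minutes=5)):
    """Devices whose most recent state change is 'down' and is at least `grace` old.

    A device that went down and came back up within the grace period never shows up here,
    because its newest event is the 'up' one; a device that went down recently is skipped
    until the 5 minutes have passed. This mirrors the `where` clause in the SPL reply.
    """
    cutoff = now - grace  # relative_time(now(), "-5m")
    alerts = []
    for ip, (t, msg) in sorted(latest_per_device(parse(events)).items()):
        if "changed state to down" in msg and t <= cutoff:
            alerts.append((ip, t))
    return alerts


if __name__ == "__main__":
    for ip, t in down_devices(SAMPLE_EVENTS):
        print(f"ALERT: {ip} down since {t:%H:%M}")
```

Scheduling the search every few minutes and alerting on a non-empty result is what makes this a "down for at least 5 minutes" check rather than a one-off.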
