Alerting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an alert with multiple conditions for EIGRP Adjacency Changes?

mjshoaf
New Member
‎09-16-2015 02:17 PM

I'm configuring an alert for changes in EIGRP neighbor adjacency. I've configured a field extraction that defines the fields:
eigrp_interface
eigrp_neighbor
eigrp_state

I'm using the transaction command to correlate the "down" and "up" messages for a given host, interface, and neighbor.

The alert has multiple conditions. Here's the logic:

IF the transaction isn't closed (i.e., no "up" message received) and the state is "down" --> Alert
IF the transaction is closed and the duration (i.e, the downtime) was greater than 30 seconds --> Alert

Here's the search string:

index=network NBRCHANGE  | transaction host eigrp_interface eigrp_neighbor startswith=eigrp_state="down" endswith=eigrp_state="up" keepevicted=true  | eval eigrp_alert=if((closed_txn=0 AND eigrp_state="down") OR (closed_txn=1 AND duration>30),1,0)  | search eigrp_alert=1

This works. I want to add one more condition to the alert if an interface is "flapping". In other words, if more than x "down" messages are seen for the same neighbor within a period of time, alert. I can't figure out how to add this logic.

0 Karma
Reply

keshavgupta
Engager
‎04-23-2021 12:48 AM

Yes, even am facing same issue, if same messages are repeating the above shared by the mjshoaf that query will not work.
 

Have you fixed that issue. Please help.

0 Karma
Reply

amiracle
Splunk Employee
Splunk Employee
‎10-01-2015 12:32 PM

You might want to try and do an eval for your state:

index=network NBRCHANGE |stats count(eval(eigrp_state=="down")) AS DOWN, count(eval(eigrp_state=="up")) AS UP by eigrp_interface | where down > 5

I hope that helps and gets you closer to your answer.

0 Karma
Reply

emotz
Splunk Employee
Splunk Employee
‎10-01-2015 12:29 PM

First, how often do you run the alerting search? Over what time range? You might want to add maxspan=2m to your transaction to limit the amount of time taken for the search. How many devices are you searching across? What is the total time range for the transaction search?

Second, you might just want another search to look for flapping that does a sourcetype=router down | stats count by host and alert when count > 20 over a 2 min window or something like that. You could even break it down by port as well and then map mac address to IP and know which link is having problems.

0 Karma
Reply

mjshoaf
New Member
‎10-02-2015 11:56 AM

The search will run every 5 minutes. There are probably around 2,000 devices in the "network" index. What do you mean by the total time range for the transaction search?

I think the suggestion for a second search is probably the best way on this.

0 Karma
Reply

emotz
Splunk Employee
Splunk Employee
‎10-06-2015 09:36 AM

every 5 min is what i was looking for. Has the second search worked out? Hope it is all working for you now.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top