Re: How to set up an alert to display the results ...

kzhang201 · ‎07-26-2016

I have set up a Cisco BGP syslog alert from Splunk. The BGP down event triggers correctly with all indexed data. See screenshot below:

But the Up message shows up with now indexed data in fast-mode:

If you view the message on the "up message", all data was indexed correctly in verbose mode, but not in fast-mode. How can I set up and alert in display the alert with verbose mode data?

somesoni2 · ‎07-26-2016

Give this query a try (in verbose mode)

tag=ROUTING facility=BGP Neighbor_IP=* Interface=* Descript=* State=* | table _time host facility Neighbor_IP Interface Descript State

kzhang201 · ‎07-27-2016

Try that, still only received "down" event. the BGP up event never trigger

ECovell · ‎07-26-2016

Not sound contrite, but did you click on the down arrow next to the fast mode to see if verbose was an option?

Ernie.

kzhang201 · ‎07-26-2016

yes, I did select it as verbose mode when create the search, but the output came back from alert is in Fast-mode.

ECovell · ‎07-26-2016

Did you happen to save the search after setting verbose?

kzhang201 · ‎07-26-2016

I set it to verbose mode before I save the search.

How to set up an alert to display the results with verbose mode data, not fast mode?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to set up an alert to display the results with verbose mode data, not fast mode?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!