I have set up a Cisco BGP syslog alert from Splunk. The BGP down event triggers correctly with all indexed data. See screenshot below:
But the Up message shows up with no indexed data in fast mode:
If you view the message on the "up message", all data was indexed correctly in verbose mode, but not in fast mode. How can I set up an alert to display the alert with verbose-mode data?
Give this query a try (in verbose mode):
tag=ROUTING facility=BGP Neighbor_IP=* Interface=* Descript=* State=* | table _time host facility Neighbor_IP Interface Descript State
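The search above depends on the fields Neighbor_IP, State and Descript being extracted from the Cisco BGP adjacency-change message, and the thread shows what happens when extraction silently fails for one message type: the alert only ever fires on "Down". The following Python script is an added example, not code from any poster on this thread or from Splunk; it parses the %BGP-5-ADJCHANGE message into the same fields the search uses and reports any adjacency-change line it could not parse, so a gap in extraction shows up instead of going unnoticed. The sample syslog lines and the host names in them are constructed for the example, and the handling of the "vpn vrf <name>" variant and of the syslog header layout are assumptions about the message format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog header as a collector usually records it: "Mon DD HH:MM:SS <host> ...".
# Assumed layout; adjust if your relay prepends a different header.
HEADER_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")

# Body of the Cisco IOS %BGP-5-ADJCHANGE message. Group names mirror the fields
# used in the Splunk search (Neighbor_IP, State, Descript); the optional
# "vpn vrf <name>" group is an assumption covering the VRF-aware variant.
ADJCHANGE_RE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<Neighbor_IP>[0-9A-Fa-f.:]+)"
    r"(?: vpn vrf (?P<vrf>\S+))?"
    r" (?P<State>Up|Down)"
    r"(?: (?P<Descript>.*))?$"
)


@dataclass
class BgpEvent:
    host: str
    neighbor_ip: str
    state: str
    descript: str          # empty for plain "Up" messages, which carry no reason
    vrf: Optional[str]     # None for the global routing table


def parse_adjchange(line: str) -> Optional[BgpEvent]:
    """Return a BgpEvent for an adjacency-change line, or None if it does not parse."""
    body = ADJCHANGE_RE.search(line)
    if body is None:
        return None
    header = HEADER_RE.match(line)
    host = header.group("host") if header else "unknown"
    return BgpEvent(
        host=host,
        neighbor_ip=body.group("Neighbor_IP"),
        state=body.group("State"),
        descript=body.group("Descript") or "",
        vrf=body.group("vrf"),
    )


def audit(lines: List[str]) -> Dict[str, object]:
    """Parse every line; count events by state and keep BGP lines that failed to parse.

    Any line that mentions ADJCHANGE but yields no event is the failure mode
    the thread describes: an alert keyed on State would never see it.
    """
    events: List[BgpEvent] = []
    unparsed: List[str] = []
    by_state: Dict[str, int] = {}
    for line in lines:
        event = parse_adjchange(line)
        if event is not None:
            events.append(event)
            by_state[event.state] = by_state.get(event.state, 0) + 1
        elif "BGP-5-ADJCHANGE" in line:
            unparsed.append(line)
    return {"events": events, "by_state": by_state, "unparsed": unparsed}


# Constructed sample lines (hosts, addresses and timestamps are made up).
SAMPLE_LINES = [
    "Jan 12 10:15:02 edge-rtr1 2001: Jan 12 10:15:01.998: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Peer closed the session",
    "Jan 12 10:16:40 edge-rtr1 2002: Jan 12 10:16:40.113: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up",
    "Jan 12 10:17:05 edge-rtr2 311: Jan 12 10:17:05.004: %BGP-5-ADJCHANGE: neighbor 192.0.2.9 vpn vrf CUST-A Down Interface flap",
    "Jan 12 10:17:06 edge-rtr2 312: Jan 12 10:17:06.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Jan 12 10:18:00 edge-rtr3 5: %BGP-5-ADJCHANGE: neighbor fe80::1 Establ",  # truncated/unexpected body
]

if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    for ev in result["events"]:
        print(f"{ev.host} neighbor={ev.neighbor_ip} vrf={ev.vrf} state={ev.state} descript={ev.descript!r}")
    print("by_state:", result["by_state"])
    for line in result["unparsed"]:
        print("UNPARSED ADJCHANGE LINE:", line)
```

Running the script prints one line per parsed neighbor event, the count per state, and the adjacency-change line whose body did not match. The same check applies to the Splunk side: before trusting a saved alert, confirm that both the Up and the Down form of the message produce populated State and Neighbor_IP fields in the mode the alert actually runs in, because a message type that extracts nothing is indistinguishable from one that never arrived.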
Tried that, still only received the "down" event. The BGP up event never triggers.
Not to sound contrite, but did you click on the down arrow next to the fast mode to see if verbose was an option?
Ernie.
Yes, I did select verbose mode when creating the search, but the output that came back from the alert is in fast mode.
Did you happen to save the search after setting verbose?
I set it to verbose mode before I save the search.