I need to set up an alert to email us when a Cisco switch loses a power supply.
Please help!
Try this search.
index=foo sourcetype=bar "Power Supply * powered off"
When it completes, click "Save As" and choose Alert. Give the alert a name then select "Send email" from the Trigger Actions dropdown. Enter the recipients of the email in the To box and adjust the Subject and Message fields as desired. I recommend unselecting the "Link to..." boxes and selecting "Inline". Click Save and you're done.
Thanks to all for your help.
Hello there,
Considering the data above and the requirement to alert when power is off, you can capture the string "powered off" in the search, and when you save it as an alert, the condition will be "number of results is greater than 0".
Run a search like this:
index = <YOURINDEX> sourcetype = <YOURSOURCETYPE> "powered off"
Save it as an alert: click "Save As" (top right corner) -> "Alert" -> fill in the form -> set the schedule.
Hope it helps.
Thanks! I ran the search and it returned no results in "all time" as the condition.
If you had a powered off event on 18 Feb then a search over All Time should not return no results. What was your search?
Unfortunately the fault is on the Cisco side. I need to modify the logging level, which I will do tomorrow. Turns out level 6 and 7 events are not being forwarded to Splunk.
So far this is what I could find from the Cisco logs:
Feb 18 15:37:08.861: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 inserted but powered off
Feb 18 15:39:39.071: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 powered on
Feb 18 15:41:38.929: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/8, operational port trust state is now untrusted.
Feb 18 15:42:28.307: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/8, port's configured trust state is now operational.
Feb 18 15:49:11.888: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered off
Feb 18 15:49:13.241: %PLATFORM_ENV-1-FAN_NOT_PRESENT: Fan is not present
Feb 18 15:49:30.078: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered on
This shows events where the power supply was removed and replaced due to maintenance. This switch feeds data to Splunk. How do I pipe a search that will allow me to generate an alert, please?
I think both answers below get what you need. I would most likely do some regex for the Powered off and on and then where off send an alert.
As mentioned below, once you get your search results as needed, then you can do a Save As Alert and put it in real time so you get the alert when it occurs.
I hope this helps. Let us know if you need more info.
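The off/on matching suggested above, as an added example that is not part of the original thread: Python that extracts the power-supply events from the posted log lines, pairs each "powered off" with the next "powered on" for the same supply, and reports only the outages worth an alert. The year, the last sample line and the `grace_seconds` threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# The first six lines are copied from the thread; the last line is constructed
# to show a supply that never comes back.
SAMPLE = """\
Feb 18 15:37:08.861: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 inserted but powered off
Feb 18 15:39:39.071: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 powered on
Feb 18 15:41:38.929: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/8, operational port trust state is now untrusted.
Feb 18 15:49:11.888: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered off
Feb 18 15:49:13.241: %PLATFORM_ENV-1-FAN_NOT_PRESENT: Fan is not present
Feb 18 15:49:30.078: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered on
Feb 18 16:02:10.500: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 powered off
"""

PS_EVENT = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{1,6}): %PLATFORM_ENV-\d-FRU_PS_OIR: "
    r"FRU Power Supply (?P<ps>\d+) (?:inserted but )?powered (?P<state>on|off)"
)

def parse_events(text, year=2024):
    """Yield (time, supply_id, state); the log has no year, so one is assumed."""
    for line in text.splitlines():
        m = PS_EVENT.search(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield when, int(m["ps"]), m["state"]

def find_outages(text, year=2024):
    """Pair each 'powered off' with the next 'powered on' of the same supply."""
    open_since, outages = {}, []
    for when, ps, state in parse_events(text, year):
        if state == "off":
            open_since.setdefault(ps, when)  # keep the first 'off' of a run
        elif ps in open_since:
            start = open_since.pop(ps)
            outages.append({"ps": ps, "off": start, "on": when,
                            "seconds": (when - start).total_seconds()})
    for ps, start in open_since.items():  # still off at the end of the log
        outages.append({"ps": ps, "off": start, "on": None, "seconds": None})
    return outages

def should_alert(outages, grace_seconds=300):
    """Keep outages still open or longer than the (hypothetical) grace period."""
    return [o for o in outages if o["on"] is None or o["seconds"] > grace_seconds]

if __name__ == "__main__":
    for o in should_alert(find_outages(SAMPLE)):
        print(f"Power Supply {o['ps']} off since {o['off']:%b %d %H:%M:%S}")
```

With the default grace period, the two maintenance swaps from 18 Feb are ignored and only the supply that stays off is reported.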
I will look into it
I am a bit of a noob and would appreciate more details
Hi gregdoma, my guess is in the logs you may have an event that states a stop or a start of service, assuming the log is written to and provided in a power loss event. In doing some Google searches on Cisco power loss I do see some events on start up but not sure about a loss.
@jodyfsu makes a good point. If your device (you didn't say what it is) has a single power supply then losing it most likely will not result in a Splunk event since the device will have lost its ability to communicate (or function entirely). A device with multiple power supplies should report the loss of one of them.
My answer was about as detailed as the question. 😉 Since I can't see your data it's hard to be more specific. Talk to a local expert about how Cisco lets you know about a power supply loss. Once you have that information you'll have an idea of what to search for.
How does the loss of a Cisco power supply show up in Splunk? Create a search for the event, then select "Alert" from the "Save As" dropdown.