Alerting

How to set up an alert to monitor power supplies on cisco switches?

New Member

I need to set up an alert to email us when a Cisco switch looses a power supply.

Please help!

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this search.

index=foo sourcetype=bar "Power Supply * powered off"

When it completes, click "Save As" and choose Alert. Give the alert a name then select "Send email" from the Trigger Actions dropdown. Enter the recipients of the email in the To box and adjust the Subject and Message fields as desired. I recommend unselecting the "Link to..." boxes and selecting "Inline". Click Save and you're done.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

New Member

Thanks to all for your help.

0 Karma

SplunkTrust
SplunkTrust

hello there,

considering the data above and the requirement to alert when power is off, you can capture the string "powered off" in search and when you save as alert, the condition will be if "number of results is greater than 0"
run a search like this:

index = <YOURINDEX> sourcetype  = <YOURSOURCETYPE> "powered off"

save as an alerts - > click in "save as" (top right corner) -> "alert" -> fill the forms -> set the schedule

hope it helps

0 Karma

SplunkTrust
SplunkTrust

Try this search.

index=foo sourcetype=bar "Power Supply * powered off"

When it completes, click "Save As" and choose Alert. Give the alert a name then select "Send email" from the Trigger Actions dropdown. Enter the recipients of the email in the To box and adjust the Subject and Message fields as desired. I recommend unselecting the "Link to..." boxes and selecting "Inline". Click Save and you're done.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

New Member

Thanks! I ran the search and it returned no results in "all time" as the condition.

0 Karma

SplunkTrust
SplunkTrust

If you had a powered off event on 18 Feb then a search over All Time should not return no results. What was your search?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Unfortunately the fault is on the Cisco side. I need to modify the logging level which I will tomorrow. Turns oul level 6 and 7 events are not being forwarded to splunk

0 Karma

New Member

So far This is what I could find from the cisco logs;

Feb 18 15:37:08.861: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 inserted but powered off
Feb 18 15:39:39.071: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 powered on
Feb 18 15:41:38.929: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/8, operational port trust state is now untrusted.
Feb 18 15:42:28.307: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/8, port's configured trust state is now operational.
Feb 18 15:49:11.888: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered off
Feb 18 15:49:13.241: %PLATFORM_ENV-1-FAN_NOT_PRESENT: Fan is not present
Feb 18 15:49:30.078: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 1 powered on

This shows events where the power supply was removed and replaced due to maintenance. This switch feeds data to splunk. How do I pipe a search that will allow me to generate an alert please!

0 Karma

Path Finder

I think both answers below get what you need. I would most likely do some regex for the Powered off and on and then where off send an alert.

As mentioned below, once you get your search results as needed, then you can do a Save As Alert and put it in real time so you get the alert when it occurs.

I hope this helps. Let us know if you need more info.

0 Karma

New Member

I will look into it
I am a bit of a noob and would appreciate more details

0 Karma

Path Finder

Hi gregdoma, my guess is in the logs you may have an event that states a stop or a start of service, assuming the log is written to and provided in a power loss event. In doing some google searches on Cisco power loss I do see some events on start up but not sure about a loss.

0 Karma

SplunkTrust
SplunkTrust

@jodyfsu makes a good point. If your device (you didn't say what it is) has a single power supply then losing it most likely will not result in a Splunk event since the device will have lost its ability to communicate (or function entirely). A device with multiple power supplies should report the loss of one of them.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

My answer was about as detailed as the question. 😉 Since I can't see your data it's hard to be more specific. Talk to a local expert about how Cisco lets you know about a power supply loss. Once you have that information you'll have an idea of what to search for.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

How does the loss of a Cisco power supply show up in Splunk? Create a search for the event, then select "Alert" from the "Save As" dropdown.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!