Alerting

Need help in comparing some events and providing the desired values set for each keyword.

jerinvarghese
Communicator

Below is some of my SNMP-based alerting. While comparing those parameters I am not getting the expected output; I am seeing output with OTHER in Status.

Below are the key messages I will get with the device names.

uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff

Status >
jnxFruOnline : Online
jnxFruOffline : Offline
jnxFruRemoval : Removed
jnxFruInsertion : Inserted
jnxFruPowerOn : Powered On
jnxFruPowerOff : Powered Off

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*"
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)"
|  rex "jnxFruName=(?<FRU>.*)"
| eval Status=case(FRU=="jnxFruOnline", "UP", FRU=="jnxFruOffline", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

Output >

nodelabel   Status  FRU Time_CST
USDALIGW-LANOBA010  Other   Power Supply: Power Supply 1 @ 5/1/*    01/23/20 07:22:14
USHCO01-LANDCO001   Other   Routing Engine 1    01/23/20 06:00:35
CASYH-WANRTC001 Other   MIC: 3D 20x 1GE(LAN) SFP @ 1/0/*    01/21/20 12:00:30
AUMEL-LANDC3001 Other   Power Supply 0 @ 4/0/*  01/19/20 15:45:01

I want that Status to be mentioned in the output (whichever the latest status should be displayed.)

Please help me with this.

0 Karma
1 Solution

to4kawa
Ultra Champion

UPDATE:

| makeresults 
| eval _raw="2020-01-25 21:59:45.716, eventid=\"445467848\", eventuei=\"uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn\", nodeid=\"676\", eventtime=\"2020-01-25 21:59:45.716+00\", ipaddr=\"172.23.222.196\", eventlogmsg=\"<p>
             jnxFruPowerOn trap received 
             jnxFruContentsIndex=20 
             jnxFruL1Index=2 
             jnxFruL2Index=1 
             jnxFruL3Index=0 
             jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
             jnxFruType=11 
             jnxFruSlot=1 
             jnxFruOfflineReason=2 
             jnxFruLastPowerOff=0 
             jnxFruLastPowerOn=0</p>\", eventseverity=\"3\", alarmid=\"24629858\", nodelabel=\"BRCTB-WANRTC001\""
`comment("this is your sample log, from here, the logic")`
| eval _raw=replace(_raw,"(?m)=(.+)","=\"\1\"")
| kv
| eval _time=strptime(eventtime,"%F %T.%3Q+%::z")
| eval Time_CST=_time
| fieldformat Time_CST=strftime(Time_CST,"%m/%d/%y %T")
| eval FRU=substr(mvindex(split(eventuei,"/"),-1),7)
| table nodelabel FRU jnxFruName Time_CST

How about this? Your timezone is CST, but the log's timezone is UTC.
I considered it.


your sample check:

| makeresults 
| eval _raw="uei.opennms.org/vendor/Juniper/traps/jnxFruOnline
uei.opennms.org/vendor/Juniper/traps/jnxFruOffline
uei.opennms.org/vendor/Juniper/traps/jnxFruRemoval
uei.opennms.org/vendor/Juniper/traps/jnxFruInsertion
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn
uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOff" 
| makemv delim="
" _raw
| stats count by _raw
| rex "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"

recommend:

index=opennms eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFru*" 
| rex field=eventuei "uei.opennms.org/vendor/Juniper/traps/(?<FRU>.+)" 
| rex field=FRU "jnxFru(?<Status>.+)"    
| rename _time as Time_CST 
| fieldformat Time_CST=strftime(Time_CST,"%x %X") 
| dedup nodelabel sortby - Time_CST 
| table nodelabel Status FRU Time_CST

What's this Power Supply: Power Supply 1 @ 5/1/*?


0 Karma

jerinvarghese
Communicator

Thanks for the code, below is the output.

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn jnxFruPowerOn   01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn jnxFruPowerOn   01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn jnxFruPowerOn   01/25/20 15:59:45

But I want the FRU to be replaced with the rex output.

rex "jnxFruName=(?<FRU>.*)"

Expected output

nodelabel   Status  FRU Time_CST
USEMCLB-LANCD3001   PowerOn FPC: MPC @ 1/*/*    01/25/20 20:11:21
USEMCLB-LANCD3002   PowerOn FPC: EX4500-40F @ 5/*/* 01/25/20 20:11:11
BRCTB-WANRTC001 PowerOn CB 1    01/25/20 15:59:45

RAW input:

2020-01-25 21:59:45.716, eventid="445467848", eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>
            jnxFruPowerOn trap received 
            jnxFruContentsIndex=20 
            jnxFruL1Index=2 
            jnxFruL2Index=1 
            jnxFruL3Index=0 
            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* 
            jnxFruType=11 
            jnxFruSlot=1 
            jnxFruOfflineReason=2 
            jnxFruLastPowerOff=0 
            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", nodelabel="BRCTB-WANRTC001"
0 Karma
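The accepted answer above and the expected output in this follow-up can be checked offline with a small reference parser before the SPL goes into an alert. The following Python is an added example, not code from the thread, from OpenNMS or from Splunk: it applies the same logic as the recommended search (status from the UEI suffix, FRU name from the jnxFruName line inside eventlogmsg, the UTC eventtime rendered in CST, and only the latest event per nodelabel kept, as dedup nodelabel sortby - Time_CST does) to a few raw events. The first event is the raw sample from the thread; the other two events, the 192.0.2.10 address and the fixed UTC-6 offset used for CST are assumptions made for this example. Unlike the original query, it keeps the status and the FRU name in separate fields; writing both rex extractions into FRU is what left every row's Status as Other. It also adds the display labels from the original post's Status list (Online, Powered On, and so on) as a separate column.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input. The first event is the raw event quoted in the thread;
# the second and third are made up (an earlier Offline trap for the same node, and
# a second node) to exercise the "latest status per node" logic.
RAW_EVENTS = [
    '2020-01-25 21:59:45.716, eventid="445467848", '
    'eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="676", '
    'eventtime="2020-01-25 21:59:45.716+00", ipaddr="172.23.222.196", eventlogmsg="<p>\n'
    '            jnxFruPowerOn trap received \n'
    '            jnxFruContentsIndex=20 \n'
    '            jnxFruL1Index=2 \n'
    '            jnxFruL2Index=1 \n'
    '            jnxFruL3Index=0 \n'
    '            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* \n'
    '            jnxFruType=11 \n'
    '            jnxFruSlot=1 \n'
    '            jnxFruOfflineReason=2 \n'
    '            jnxFruLastPowerOff=0 \n'
    '            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="24629858", '
    'nodelabel="BRCTB-WANRTC001"',
    # Constructed: same node, earlier Offline trap; it must not win the dedup.
    '2020-01-25 18:00:00.000, eventid="1", '
    'eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruOffline", nodeid="676", '
    'eventtime="2020-01-25 18:00:00.000+00", ipaddr="172.23.222.196", eventlogmsg="<p>\n'
    '            jnxFruOffline trap received \n'
    '            jnxFruName=MIC: 3D 20x 1GE(LAN) SFP @ 1/0/* \n'
    '            jnxFruLastPowerOn=0</p>", eventseverity="4", alarmid="2", '
    'nodelabel="BRCTB-WANRTC001"',
    # Constructed: a second node matching the first row of the expected output above.
    '2020-01-26 02:11:21.000, eventid="2", '
    'eventuei="uei.opennms.org/vendor/Juniper/traps/jnxFruPowerOn", nodeid="12", '
    'eventtime="2020-01-26 02:11:21.000+00", ipaddr="192.0.2.10", eventlogmsg="<p>\n'
    '            jnxFruPowerOn trap received \n'
    '            jnxFruName=FPC: MPC @ 1/*/* \n'
    '            jnxFruLastPowerOn=0</p>", eventseverity="3", alarmid="3", '
    'nodelabel="USEMCLB-LANCD3001"',
]

# Assumption: CST as a fixed UTC-6 offset (matches the thread's 21:59 UTC -> 15:59 CST).
CST = timezone(timedelta(hours=-6), "CST")

# Display labels from the original post's "Status >" list; anything else is "Other".
STATUS_LABELS = {
    "Online": "Online", "Offline": "Offline", "Removal": "Removed",
    "Insertion": "Inserted", "PowerOn": "Powered On", "PowerOff": "Powered Off",
}

# Top-level key="value" pairs; re.S lets the eventlogmsg value span several lines.
KV_RE = re.compile(r'(\w+)="(.*?)"', re.S)


def parse_eventtime(value):
    """Parse an OpenNMS eventtime such as '2020-01-25 21:59:45.716+00' into an aware datetime.
    The offset may be '+HH' or '+HH:MM'; Python's %z needs minutes, so it is handled here."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.(\d+))?([+-])(\d\d)(?::?(\d\d))?", value)
    if not m:
        raise ValueError(f"unrecognised eventtime: {value!r}")
    base, frac, sign, hh, mm = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    micro = int((frac or "0").ljust(6, "0")[:6])
    offset = timedelta(hours=int(hh), minutes=int(mm or 0))
    return dt.replace(microsecond=micro, tzinfo=timezone(-offset if sign == "-" else offset))


def status_from_uei(uei):
    """'.../traps/jnxFruPowerOn' -> 'PowerOn', the same value rex field=FRU "jnxFru(?<Status>.+)" yields."""
    name = uei.rsplit("/", 1)[-1]
    return name[len("jnxFru"):] if name.startswith("jnxFru") and len(name) > 6 else "Other"


def parse_event(raw):
    """Turn one raw event into the columns of the wanted table."""
    fields = dict(KV_RE.findall(raw))
    status = status_from_uei(fields["eventuei"])
    # FRU name comes from the jnxFruName line of eventlogmsg; strip() drops the trailing
    # blank the rex "jnxFruName=(?<FRU>.*)" in the thread would otherwise keep.
    m = re.search(r"jnxFruName=(.*)", fields.get("eventlogmsg", ""))
    when = parse_eventtime(fields["eventtime"])
    return {
        "nodelabel": fields["nodelabel"],
        "Status": status,
        "Label": STATUS_LABELS.get(status, "Other"),
        "FRU": m.group(1).strip() if m else None,
        "time": when,
        "Time_CST": when.astimezone(CST).strftime("%m/%d/%y %H:%M:%S"),
    }


def latest_status_per_node(raws):
    """Equivalent of `dedup nodelabel sortby - Time_CST`: newest event wins per node."""
    rows, seen = [], set()
    for ev in sorted((parse_event(r) for r in raws), key=lambda e: e["time"], reverse=True):
        if ev["nodelabel"] not in seen:
            seen.add(ev["nodelabel"])
            rows.append(ev)
    return rows


if __name__ == "__main__":
    for r in latest_status_per_node(RAW_EVENTS):
        print(f'{r["nodelabel"]:20} {r["Status"]:9} {r["Label"]:12} {r["FRU"]:32} {r["Time_CST"]}')
```

Running it prints the two surviving rows (USEMCLB-LANCD3001 then BRCTB-WANRTC001) with the same CST timestamps as the expected output in the post; the earlier Offline trap for BRCTB-WANRTC001 is dropped by the dedup step. The fixed UTC-6 offset ignores daylight-saving time, which is correct for the January dates here; for year-round use, replace CST with zoneinfo.ZoneInfo("America/Chicago").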

to4kawa
Ultra Champion

Hi, @jerinvarghese,
my answer is updated. Please confirm.

0 Karma