How to create an alert if a switch is disabled for more than 10 min?

Hi all,

I am currently working on creating an alert to notify if the status of a switch is disabled for more than 10 min. A common scenario is that switches disconnect for a minute and are back to running; we would only like to target the ones whose status remains disconnected for more than 10 min.

Below is the sample log:

Apr 18 07:46:25 hostname tag=abc CEF:0Agent status changed|Status of agent "name" at IP "ip address" (id=10,0) changed from running to disabled
Apr 11 07:50:10 hostname tag=abc CEF:0Agent status changed|Status of agent "name" at IP "ip address" (id=10,0) changed from disabled to Running

Re: How to create an alert if a switch is disabled for more than 10 min?

Like this:

...
| rex "changed from (?<transition>.*)"
| streamstats count(eval(transition="disabled to Running")) AS sessionID BY host
| stats first(_time) AS _time count dc(transition) AS transitionCount values(transition) AS transition BY sessionID host
| where transitionCount==1 AND transition="running to disabled" AND _time <= relative_time(now(), "-10m")
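The same "sustained outage versus brief flap" logic, written as an added Python example rather than SPL (this is not code from the thread). It parses constructed lines in the shape of the sample log; the hosts, agent names, IPs, the year supplied to the parser and the "current time" are all assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the post's log (hosts, names and IPs are made up).
SAMPLE_LOG = """\
Apr 18 07:40:00 sw-a tag=abc CEF:0|Agent status changed|Status of agent "agent1" at IP "10.0.0.1" (id=10,0) changed from running to disabled
Apr 18 07:41:05 sw-a tag=abc CEF:0|Agent status changed|Status of agent "agent1" at IP "10.0.0.1" (id=10,0) changed from disabled to Running
Apr 18 07:46:25 sw-b tag=abc CEF:0|Agent status changed|Status of agent "agent2" at IP "10.0.0.2" (id=11,0) changed from running to disabled
Apr 18 07:55:00 sw-c tag=abc CEF:0|Agent status changed|Status of agent "agent3" at IP "10.0.0.3" (id=12,0) changed from running to disabled
Apr 18 07:56:00 sw-c tag=abc some unrelated line that must be ignored
"""

# Syslog timestamp and host, then the agent name and the "changed from X to Y" transition.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?'
    r'agent "(?P<agent>[^"]+)".*?changed from (?P<old>\w+) to (?P<new>\w+)\s*$'
)

def parse_events(text, year):
    """Parse transition lines into (time, host, agent, old_state, new_state), oldest first.
    Syslog timestamps carry no year, so the caller supplies it (an assumption of this example)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a status transition line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # The log mixes "running" and "Running"; normalise case so state comparisons are exact.
        events.append((ts, m['host'], m['agent'], m['old'].lower(), m['new'].lower()))
    return sorted(events)

def disabled_longer_than(events, now, threshold=timedelta(minutes=10)):
    """Return {(host, agent): disabled_since} for agents whose most recent transition
    went to 'disabled' and happened at least `threshold` before `now`. An agent that
    flapped (disabled, then Running again) ends in state 'running' and is never reported."""
    latest = {}
    for ts, host, agent, _old, new in events:  # chronological, so the last write wins
        latest[(host, agent)] = (ts, new)
    return {key: ts for key, (ts, state) in latest.items()
            if state == "disabled" and now - ts >= threshold}

if __name__ == "__main__":
    now = datetime(2024, 4, 18, 7, 58, 0)  # constructed "current time" for the demo
    for (host, agent), since in disabled_longer_than(parse_events(SAMPLE_LOG, 2024), now).items():
        print(f"ALERT {host} agent={agent} disabled since {since:%H:%M:%S}")
```

Unlike the streamstats/sessionID approach, this only keeps the latest transition per (host, agent), which is enough to separate a one-minute flap from a sustained outage when the check is run on a schedule.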