I'm trying to display a dashboard of all current alarms in my Cisco UCS environment. I'm having trouble comparing events to test whether the event was cleared or is still active. I can only determine this if I get an event that indicates an alarm was triggered and an event that indicates that alarm was cleared. I need to match multiple fields to make sure I'm comparing apples to apples and dismiss the alarms that have already cleared. Here's where I'm stuck:
index=cisco-ucs source=cisco:ucs:faultInst ((highestSeverity="critical" AND severity="critical") OR (highestSeverity="critical" AND severity="cleared"))
| eval alarm1_Severity=if((highestSeverity="critical" AND severity="critical"), severity, null())
| eval alarm1_Time=if((highestSeverity="critical" AND severity="critical"), lastTransition, null())
| eval alarm2_Severity=if((highestSeverity="critical" AND severity="cleared"), severity, null())
| eval alarm2_Time=if((highestSeverity="critical" AND severity="cleared"), lastTransition, null())
| transaction fields="dn" maxspan=1s
| eval alarmCleared=if(alarm1_Time<alarm2_Time, "Cleared", "Active")
| search alarmCleared="Active"
Sample events:
created="2019-11-03T04:29:42.320",tags="server",dn="sys/rack-unit-10/health-led/fault-F1236",rule="equipment-health-led-critical-error",origSeverity="critical",prevSeverity="critical",occur="1",ack="no",lastTransition="2019-11-03T05:16:49.211",highestSeverity="critical",lc="",descr="sys/rack-unit-10/health-led shows error. Reason FP_TEMP_SENSOR:Temperature Threshold Crossed; ",severity="cleared",type="equipment",id="15490158",cause="health-led-amber-blinking",code="F1236",changeSet="",site="",system_name="MYHOST",address="10.2.1.120"
created="2019-11-03T04:29:42.320",tags="server",dn="sys/rack-unit-10/health-led/fault-F1236",rule="equipment-health-led-critical-error",origSeverity="critical",prevSeverity="critical",occur="1",ack="no",lastTransition="2019-11-03T04:29:42.320",highestSeverity="critical",lc="",descr="sys/rack-unit-10/health-led shows error. Reason FP_TEMP_SENSOR:Temperature Threshold Crossed; ",severity="critical",type="equipment",id="15490158",cause="health-led-amber-blinking",code="F1236",changeSet="",site="",system_name="MYHOST",address="10.2.1.120"
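The pairing logic the query above is reaching for, written as a stand-alone Python example that is not part of the original question or of Splunk: group faultInst events by dn, let the event with the greatest lastTransition decide the fault's current state, and report only those whose latest state is not "cleared". The two sample events from the question are embedded, plus one constructed event (rack-unit-3) for a fault that was raised and never cleared; the highestSeverity filter mirrors the query's assumption.

```python
import re
from datetime import datetime

# key="value" pairs of a cisco:ucs:faultInst event; values are double-quoted
# and may contain spaces and semicolons (see the descr field), so split on the
# quotes rather than on commas.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample events: the first two are the pair from the question (trimmed to the
# fields this example uses); the third is a constructed event for a fault on
# another unit that has no matching "cleared" event.
SAMPLE_EVENTS = [
    'created="2019-11-03T04:29:42.320",dn="sys/rack-unit-10/health-led/fault-F1236",'
    'lastTransition="2019-11-03T05:16:49.211",highestSeverity="critical",severity="cleared",code="F1236"',
    'created="2019-11-03T04:29:42.320",dn="sys/rack-unit-10/health-led/fault-F1236",'
    'lastTransition="2019-11-03T04:29:42.320",highestSeverity="critical",severity="critical",code="F1236"',
    'created="2019-11-03T06:00:00.000",dn="sys/rack-unit-3/health-led/fault-F1236",'
    'lastTransition="2019-11-03T06:00:00.000",highestSeverity="critical",severity="critical",code="F1236"',
]


def parse_event(line):
    """Turn one faultInst event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def transition_time(event):
    """lastTransition as a datetime, so ordering is by time, not by string."""
    return datetime.strptime(event["lastTransition"], "%Y-%m-%dT%H:%M:%S.%f")


def active_alarms(lines, min_severity="critical"):
    """Return {dn: latest event} for faults whose most recent state is not 'cleared'.

    Events are matched on dn alone; the one with the greatest lastTransition
    decides the state. A fault with only a 'critical' event stays Active, a
    fault whose newest event is 'cleared' is dropped, and a 'critical' event
    newer than an earlier 'cleared' one (re-raised fault) counts as Active again.
    """
    latest = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("highestSeverity") != min_severity:
            continue
        dn = ev["dn"]
        if dn not in latest or transition_time(ev) > transition_time(latest[dn]):
            latest[dn] = ev
    return {dn: ev for dn, ev in latest.items() if ev["severity"] != "cleared"}


if __name__ == "__main__":
    for dn, ev in active_alarms(SAMPLE_EVENTS).items():
        print(f"{dn}: {ev['severity']} since {ev['lastTransition']} ({ev['code']})")
```

Note that the two events for rack-unit-10 share the same created value but differ in lastTransition by about 47 minutes, so any correlation keyed on event time with a one-second window would never see them as a pair.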