Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerting depending on data match from a lookup of a file content

fgilain
Engager
‎01-07-2014 06:55 AM

Hi all,

I want to monitor critical Cisco ports status.
My goal would be to setup a list of critical ports using a csv file for example and to be alerted by splunk when a specific eventtype (port up or down) happens on a port matching my csv file...

Here is what i did for the moment :

1) created a lookup file (csv format) :
/splunk/splunk/etc/apps/search/lookups/cisco_lookup_interfaces.csv

with the following content :
hostname,interface,description
sw-XX-c3750-01,TenGigabitEthernet3/0/1,INTERCO 1
sw-ZZ-c3650-02,TenGigabitEthernet4/0/1,INTERCO 2
sw-YY-c6450-01,GigabitEthernet3/0/52,INTERCO 3

2) I created 2 eventtype (for port up and port down)

3) I then tryed to call it and create a search, but without success...

Any help would be very cool...

Nb : goal would be search and be alerted when an eventtype "PORT_UP" or "PORT_DOWN" is corresponding to a hostanme+interface contained in the csv file. output should display hostname + interface + description (fro mcsv file) and status : UP or DOWN

Thanks a lot for your help, i really don't understand lookup docs...

Florent

Tags (1)
0 Karma
Reply

fgilain
Engager
‎01-07-2014 01:28 PM

Here are some log extract :

Dec 10 15:43:10 host=sw-s4-c3750-01 program=117487 PID= facility=local7 level=notice : 169210: Dec 10 15:43:09.654: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to down

Oct 31 11:39:53 host=sw-s4-c3750-01 program=114136 PID= facility=local7 level=notice : 165942: Oct 31 11:39:53.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/49, changed state to up

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-07-2014 07:42 AM 
your_search eventtype=PORT_DOWN OR eventtype=PORT_UP| lookup cisco_lookup_interfaces.csv host AS hostname | eval status = case(eventtype=="PORT_DOWN","DOWN",eventtype=="PORT_UP","UP",1=1,"UNK") | table hostname interface description status

This might get you close, without testing you may need to adjust the case statement to work.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-07-2014 02:13 PM

...|lookup cisco_lookup host AS hostname interface |...

0 Karma
Reply

fgilain
Engager
‎01-07-2014 02:08 PM

i get a result with (but not what is exactly wanted) :
index="index_de_syslog_net" eventtype="CISCO - INT *"| rex field=_raw "Interface\s(?\S+), changed state *" | lookup cisco_lookup_interfaces.csv hostname AS hostname | eval status = case(eventtype=="CISCO - INT DOWN","DOWN",eventtype=="CISCO - INT UP","UP",1=1,"UNK") | table host interface status description

The ouptput is the table with :
hostname, interface, status, but nothing in description field .

  • what i really need to match is 2 fields : hostname+interface of my csv, not only the hostname.
0 Karma
Reply

fgilain
Engager
‎01-07-2014 01:41 PM

Here is the error i get :

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table

0 Karma
Reply

somesoni2
Revered Legend
‎01-07-2014 07:23 AM

Would you be able to provide some sample events for event type PORT_UP and PORT_DOWN? What all fields are already available when you search 'eventtype="PORT_UP"' OR 'eventtype="PORT_DOWN"'?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...