- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Correlate received Up down Traps in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correlate received Up down Traps in Splunk
Looking for ideas on how to correlate between an updown trap event like the one shown below - would be nice to have the duration of the outage and how to correlate up/down from the same host
thx
2017-06-13 11:23:32 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.63 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 4 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Down AP is down (SNMP Trap - wlsxNAPMasterStatusChange from x.x.x.x)." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x SNMPv2-SMI::enterprises.12028.4.103 = STRING: "x:x:x:x:x:x" SNMPv2-SMI::enterprises.12028.4.101 = STRING: "HOSTNAMEA"
2017-06-13 12:42:01 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.15 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 1 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Up Device Type is Access Point." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As it turns out, I just wrote this with a client TODAY! Try this:
... | streamstats count(eval(searchmatch("Device Down"))) AS sessionID count AS _serial BY host
| eval sessionID = sessionID - if((searchmatch("Device Down")), 1, 0)
| stats first(_time) AS _time range(_time) AS downtime count first(_serial) AS _serial BY sessionID host
| rename COMMENT AS "Account for a DOWN event without a matching/later UP event"
| eval downtime = case((count=1 AND _serial=1), now()-_time,
(count=1 AND _serial>1), null(),
true(), downtime)
| sort 0 _time
| rename COMMENT AS "Above is what you asked, everything below is BONUS, baby; run for 'Today'"
| streamstats sum(downtime) AS accum_downtime BY host
| timechart max(accum_downtime) AS accumulated_downtime_seconds BY host
| filldown *
| untable _time key downTimeSeconds
| eval baseTime=relative_time(now(), "-0d@d")
| eval dayTimeSeconds=_time-baseTime
| eval efficiency=100*(1 - downTimeSeconds/dayTimeSeconds)
| fields - *Time*
| xyseries _time key efficiency
| timechart values(*) AS *
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
