Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlate received Up down Traps in Splunk

Esky73
Builder
‎06-15-2017 06:04 PM

Looking for ideas on how to correlate between an updown trap event like the one shown below - would be nice to have the duration of the outage and how to correlate up/down from the same host

thx

2017-06-13 11:23:32 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.63 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 4 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Down AP is down (SNMP Trap - wlsxNAPMasterStatusChange from x.x.x.x)." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x SNMPv2-SMI::enterprises.12028.4.103 = STRING: "x:x:x:x:x:x" SNMPv2-SMI::enterprises.12028.4.101 = STRING: "HOSTNAMEA"

2017-06-13 12:42:01 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.15 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 1 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Up Device Type is Access Point." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2017 06:22 PM

As it turns out, I just wrote this with a client TODAY! Try this:

... | streamstats count(eval(searchmatch("Device Down"))) AS sessionID count AS _serial BY host
| eval sessionID = sessionID - if((searchmatch("Device Down")), 1, 0) 
| stats first(_time) AS _time range(_time) AS downtime count first(_serial) AS _serial BY sessionID host
| rename COMMENT AS "Account for a DOWN event without a matching/later UP event" 
| eval downtime = case((count=1 AND _serial=1), now()-_time,
                       (count=1 AND _serial>1), null(),
                       true(), downtime) 
| sort 0 _time 

| rename COMMENT AS "Above is what you asked, everything below is BONUS, baby; run for 'Today'"

| streamstats sum(downtime) AS accum_downtime BY host
| timechart max(accum_downtime) AS accumulated_downtime_seconds BY host
| filldown * 
| untable _time key downTimeSeconds 
| eval baseTime=relative_time(now(), "-0d@d") 
| eval dayTimeSeconds=_time-baseTime 
| eval efficiency=100*(1 - downTimeSeconds/dayTimeSeconds) 
| fields - *Time* 
| xyseries _time key efficiency 
| timechart values(*) AS *
0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...