Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlate received Up down Traps in Splunk

Esky73
Builder
‎06-15-2017 06:04 PM

Looking for ideas on how to correlate between an updown trap event like the one shown below - would be nice to have the duration of the outage and how to correlate up/down from the same host

thx

2017-06-13 11:23:32 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.63 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 4 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Down AP is down (SNMP Trap - wlsxNAPMasterStatusChange from x.x.x.x)." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x SNMPv2-SMI::enterprises.12028.4.103 = STRING: "x:x:x:x:x:x" SNMPv2-SMI::enterprises.12028.4.101 = STRING: "HOSTNAMEA"

2017-06-13 12:42:01 :
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10) 0:00:00.10 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12028.4.15.0.15 SNMPv2-SMI::enterprises.12028.4.15.1.101 = INTEGER: 2 SNMPv2-SMI::enterprises.12028.4.15.1.102 = INTEGER: 1 SNMPv2-SMI::enterprises.12028.4.15.1.103 = STRING: "Device: HOSTANAMEA - Device Up Device Type is Access Point." SNMPv2-SMI::enterprises.12028.4.104 = IpAddress: x.x.x.x

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2017 06:22 PM

As it turns out, I just wrote this with a client TODAY! Try this:

... | streamstats count(eval(searchmatch("Device Down"))) AS sessionID count AS _serial BY host
| eval sessionID = sessionID - if((searchmatch("Device Down")), 1, 0) 
| stats first(_time) AS _time range(_time) AS downtime count first(_serial) AS _serial BY sessionID host
| rename COMMENT AS "Account for a DOWN event without a matching/later UP event" 
| eval downtime = case((count=1 AND _serial=1), now()-_time,
                       (count=1 AND _serial>1), null(),
                       true(), downtime) 
| sort 0 _time 

| rename COMMENT AS "Above is what you asked, everything below is BONUS, baby; run for 'Today'"

| streamstats sum(downtime) AS accum_downtime BY host
| timechart max(accum_downtime) AS accumulated_downtime_seconds BY host
| filldown * 
| untable _time key downTimeSeconds 
| eval baseTime=relative_time(now(), "-0d@d") 
| eval dayTimeSeconds=_time-baseTime 
| eval efficiency=100*(1 - downTimeSeconds/dayTimeSeconds) 
| fields - *Time* 
| xyseries _time key efficiency 
| timechart values(*) AS *
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...