I have a LAN port flapping and causing all kinds of noise that I am trying to notify on.
The syslog looks like this: %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel6:
What I thought to be a good REX: \s%\w+_\w+-\d+-\w+_\w+:\s\w+-\w+\d+: doesn't provide any "hits" despite matching in both my REGEX helpers. I have even tried to use this REGEX within the Extract Fields tool without success.
What I am trying to accomplish is to build a REGEX to find this entire string up to the last number. The last port number needs to be counted and sorted by this number and if the port number hits >=100 in 1 minute alert me. Here is what I need to search for:
%ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel<somenumber>:
Has anyone been able to, or have advice, to count the port number and alert "where count >=100"?
pstein
You don't have any capture groups in your regular expression, therefore it may match, but it will not return any fields. You need to use the regex capture group like: (?<field_name>regex)
A search like this should work:
sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):"
To alert based on a repeated occurrence of port, you could do something like this:
sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | stats count by port | where count>=100
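The following Python script is an added illustration of the two points in this answer, not code from the original thread or from Splunk: the asker's pattern matches the event but yields no fields because it has no capture group, while the rex pattern with a named group yields a `port` field that can then be counted and thresholded. It also goes one step beyond the answer by grouping on host as well as port, which is what `stats count by host, port` would do in SPL when several switches report the same port-channel. The sample events, the hostnames `nx-sw1`/`nx-sw2`, and the threshold values are constructed for this example; note that Python's `re` module only accepts the `(?P<name>...)` form for named groups, whereas Splunk's rex takes both `(?<name>...)` and `(?P<name>...)`.

```python
import re
from collections import Counter

# The asker's original pattern: it matches the event text but defines no
# capture group, so an extractor has no field to return.
ORIGINAL_PATTERN = re.compile(r"\s%\w+_\w+-\d+-\w+_\w+:\s\w+-\w+\d+:")

# The answer's pattern, with a named capture group for the port-channel number.
PORT_PATTERN = re.compile(r"port-channel(?P<port>\d+):")

# Extension: also capture the hostname that syslog places before the message
# (assumes the "<timestamp> <host> %FACILITY-SEV-MNEMONIC: ..." layout).
EVENT_PATTERN = re.compile(
    r"^\S+ \d+ [\d:.]+ (?P<host>\S+) "
    r"%ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel(?P<port>\d+):"
)


def build_sample_events():
    """Constructed sample events (not real switch output): three FOP_CHANGED
    messages for port-channel6 on nx-sw1, two on nx-sw2, one for port-channel12,
    plus an unrelated UPDOWN message that must not be counted."""
    template = ("Dec 19 14:10:{sec:02d}.000 {host} "
                "%ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel{port}:")
    spec = [("nx-sw1", 6, 3), ("nx-sw2", 6, 2), ("nx-sw1", 12, 1)]
    events, sec = [], 0
    for host, port, n in spec:
        for _ in range(n):
            events.append(template.format(sec=sec, host=host, port=port))
            sec += 1
    events.append("Dec 19 14:10:59.000 nx-sw1 %LINK-3-UPDOWN: "
                  "Interface FastEthernet0/41, changed state to down")
    return events


def original_regex_fields(line):
    """Mimic a field extractor: None if no match, else the (empty) named groups."""
    m = ORIGINAL_PATTERN.search(line)
    return None if m is None else m.groupdict()


def extract_port(line):
    """Equivalent of `rex "port-channel(?<port>\\d+):"`: the port field or None."""
    m = PORT_PATTERN.search(line)
    return m.group("port") if m else None


def count_by_port(lines):
    """Equivalent of `| stats count by port` (events without a port are dropped)."""
    return Counter(p for p in map(extract_port, lines) if p is not None)


def count_by_host_port(lines):
    """Equivalent of `| stats count by host, port`, keyed by (host, port)."""
    counts = Counter()
    for line in lines:
        m = EVENT_PATTERN.search(line)
        if m:
            counts[(m.group("host"), m.group("port"))] += 1
    return counts


def over_threshold(counts, threshold=100):
    """Equivalent of `| where count>=threshold | sort - count`."""
    hits = [(key, c) for key, c in counts.items() if c >= threshold]
    return sorted(hits, key=lambda kc: (-kc[1], kc[0]))


if __name__ == "__main__":
    events = build_sample_events()
    print("original pattern fields:", original_regex_fields(events[0]))  # {} -> no field
    print("count by port:", dict(count_by_port(events)))
    print("alert rows (threshold 3):", over_threshold(count_by_port(events), 3))
    print("per host/port:", over_threshold(count_by_host_port(events), 2))
```

In the real alert the threshold stays at 100 and the search is scheduled over a 1-minute window; the small threshold values here only exist so the constructed sample produces a hit.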
host="10.145.254.*" UPDOWN | rex "(?i) Interface (?P
above was the fix
I changed the alert to:
sourcetype=syslog UPDOWN | rex "(?i) Interface (?P
so it would catch on my interface report looking like:
Dec 19 14:10:16.897: %LINK-3-UPDOWN: Interface FastEthernet0/41, changed state to down
However now if I have multiple switches on which the same interface is bouncing it would all catch it under 1 hit.
Would it be possible to include the IP\hostname somehow in the output.
I also modified the search (added sort - count) at the end to display the results:
sourcetype=syslog ETH_PORT_CHANNEL | rex "port-channel(?
Great, sounds like this is working well for you! If this answers your question, please indicate so by checking the check mark on the left-hand side. (This will mark the question as answered, and give both of us some reputation points.)
The second line for alerting was SPOT ON....Now I understand how to assign Fields via a REX on the fly. In this case assigning 'port' coming after port-channel. Thanks.