Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Problems exporting a BGP Status to a field

flweyand
Engager
‎06-28-2014 04:37 AM

Hi all,

i have a problem exporting a BGP event to a field.

Events:

%BGP-5-ADJCHANGE: neighbor $IPv6-IP$ Up
%BGP-5-ADJCHANGE: neighbor $IPv4-IP$ Up 
%BGP_SESSION-5-ADJCHANGE: neighbor $IPv6-IP$ IPv6 Unicast topology base removed from session  BGP Notification sent
%BGP-5-ADJCHANGE: neighbor $IPv6-IP$ Down BGP Notification sent
%BGP-5-NBR_RESET: Neighbor $IPv6-IP$ reset (BGP Notification sent)
%BGP-5-ADJCHANGE: neighbor $IPv4-IP$ Down Interface flap
%BGP-5-ADJCHANGE: neighbor $IPv4-IP$ Down Peer closed the session
%BGP_SESSION-5-ADJCHANGE: neighbor $IPv4-IP$ IPv4 Unicast topology base removed from session  Interface flap
%BGP-3-NOTIFICATION: sent to neighbor $IPv6-IP$ 4/0 (hold time expired) 0 bytes

I need the export "Up / Down / reset" if its down i need a condition field "BGP Notification sent", "Interface flap", "Peer closed the session", "hold time expired"

I tried several Regex but i dont get it working.

Thank you and best regards
Florian

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-28-2014 06:02 AM

Hi flweyand,

try something like this:

your base search to get the events | rex field=_raw "\$IPv[64]-IP\$\s(?<myStatus>\w+)\s" | rex field=_raw "\$IPv[64]-IP\$\sDown\s(?<myNotification>.*)" | table myStatus, myNotification

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-28-2014 06:02 AM

Hi flweyand,

try something like this:

your base search to get the events | rex field=_raw "\$IPv[64]-IP\$\s(?<myStatus>\w+)\s" | rex field=_raw "\$IPv[64]-IP\$\sDown\s(?<myNotification>.*)" | table myStatus, myNotification

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-28-2014 06:49 AM

sure, if you build a transaction you will get a default field called duration 😉
please mark this as answered if it works for you - thanks

0 Karma
Reply
Solved! Jump to solution

flweyand
Engager
‎06-28-2014 06:43 AM

Hi MuS,

thank you for your help. My search string is now:

source="ens_emea_syslog" sourcetype="cisco_syslog" BGP | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\s(?<BGP_Status>\w+)\s" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\sDown\s(?<BGP_Down_Event>.*)" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\s(active|passive)\s(?<BGP_AcPas_Event>.*)" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\sreset\s(?<BGP_Reset_Event>.*)" | rex "(?i) .*? neighbor (?P<BGP_Neighbor>([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+))(?= )" | eval time=date_hour.":".date_minute.":".date_second | eval date=date_mday.".".date_month.".".date_year | table date, time, host, BGP_Neighbor, BGP_Status, BGP_Down_Event, BGP_Reset_Event | rename host as "Alerting Host"

and its working. Is it possible to transaction the "BGP_Neighbor" to measure the time between "Down" and "Up" ?

Best regards
Florian

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...