I am trying to build a table that will show the active alerts for SNMP trap data ingested via a text file.
I can build a table pretty well extracting fields with rex and displaying them using table
index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled") | table cyan_node, trap_state, _time
This, along with other rex statements on the other OIDs in the trap message, builds a nice human-readable table of the Node Name, Alarm State, and Time.
However, what I want to do is to only show the events that eval cyan.6.1.1.10.0:= 1 to "Active" and have no preceding cyan.6.1.1.10.0:= 0 or "Clear".
In other words, just show me Active alarms that have never had a Clear status. I do not have any idea on how to go about this.
Give this a try
index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled") | stats latest(_time) as _time values(trap_state) as trap_state by cyan_node | where mvcount(trap_state)=1 AND trap_state="Active" | table cyan_node, trap_state, _time
I do not get any results when I run that search. I am still trying to sort out exactly what you are doing there as I am still very new to Splunk and not too familiar with a lot of the commands.
Before stats, the search is the same as yours in the question. Using stats, I'm taking the time of the latest event and all the available values of trap_state for a cyan_node. Then, based on the available values of trap_state, I'm removing events where trap_state has both Active and Cleared/Disabled states (showing only the active alarms) and keeping only those with alarm state Active.
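The stats/mvcount logic from this answer, traced in plain Python over constructed trap lines, as an added example that is not from the thread and not Splunk itself: parse_trap mirrors the two rex commands plus the eval/case mapping, and active_never_cleared mirrors the values(trap_state) grouping. It also goes one step beyond the answer with a "latest state per node" variant, which differs when a node was cleared and then re-raised. The field layout of the sample lines (timestamp, node OID, state OID on one line) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread): one trap per line, with a
# timestamp, the node OID (cyan.6.1.1.3.0) and the state OID (cyan.6.1.1.10.0).
SAMPLE_TRAPS = [
    "2024-01-01T10:00:00 cyan.6.1.1.3.0:=node-a cyan.6.1.1.10.0:= 1",  # Active
    "2024-01-01T10:05:00 cyan.6.1.1.3.0:=node-a cyan.6.1.1.10.0:= 0",  # Cleared
    "2024-01-01T10:10:00 cyan.6.1.1.3.0:=node-b cyan.6.1.1.10.0:= 1",  # Active, never cleared
    "2024-01-01T10:15:00 cyan.6.1.1.3.0:=node-c cyan.6.1.1.10.0:= 2",  # Disabled
    "2024-01-01T10:20:00 cyan.6.1.1.3.0:=node-d cyan.6.1.1.10.0:= 0",  # Cleared ...
    "2024-01-01T10:25:00 cyan.6.1.1.3.0:=node-d cyan.6.1.1.10.0:= 1",  # ... then re-raised
]

# Same extractions as the two rex commands, tightened to stop at whitespace.
NODE_RE = re.compile(r"cyan\.6\.1\.1\.3\.\d+:=(\S+)")
STATE_RE = re.compile(r"cyan\.6\.1\.1\.10\.\d+:=\s*(\d)")
STATE_NAMES = {"0": "Cleared", "1": "Active", "2": "Disabled"}  # the eval/case mapping


def parse_trap(line):
    """Return {_time, cyan_node, trap_state} for one trap line, or None if unparseable."""
    ts, _, rest = line.partition(" ")
    node, state = NODE_RE.search(rest), STATE_RE.search(rest)
    if not node or not state:
        return None
    return {"_time": ts, "cyan_node": node.group(1),
            "trap_state": STATE_NAMES.get(state.group(1), "Unknown")}


def active_never_cleared(lines):
    """values(trap_state) by cyan_node | where mvcount(trap_state)=1 AND trap_state="Active",
       returned as sorted node names (the latest(_time) column is left out here)."""
    by_node = defaultdict(set)  # cyan_node -> set of trap_state values seen
    for ev in filter(None, map(parse_trap, lines)):
        by_node[ev["cyan_node"]].add(ev["trap_state"])
    return sorted(n for n, states in by_node.items() if states == {"Active"})


def active_latest(lines):
    """Variant: nodes whose most recent trap is Active. Unlike the values()
    approach this keeps an alarm that was cleared earlier and raised again."""
    latest = {}  # cyan_node -> (_time, trap_state); ISO timestamps sort lexically
    for ev in filter(None, map(parse_trap, lines)):
        if ev["_time"] >= latest.get(ev["cyan_node"], ("", ""))[0]:
            latest[ev["cyan_node"]] = (ev["_time"], ev["trap_state"])
    return sorted(n for n, (_, s) in latest.items() if s == "Active")
```

On the sample data node-b is the only node returned by the values() logic, while node-d (cleared, then re-raised) is returned only by the latest-state variant, which is the case to decide on before picking one search.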
Try this,
index="orion" sourcetype=traps "cyan.6.1.1.10.0:= 1" | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled") | table cyan_node, trap_state, _time
OR
index="orion" sourcetype=traps | rex "cyan\.6\.1\.1\.10\..\:\=\s(?<state>.*)" | rex "cyan\.6\.1\.1\.3\..\:\=(?<cyan_node>.*)" | eval trap_state=case(state==0, "Cleared", state==1, "Active", state==2, "Disabled") |search trap_state="Active" | table cyan_node, trap_state, _time
After your extraction you can use search or where, like
|search trap_state="Active"
OR
|where trap_state="Active"
You can move your rex to props.conf (extract, calculated fields); then you can directly search the required field. On the other hand, if you can share some sample data, I can help you the easy way.
Thanks,
V
While this will work to get a table of all the SNMP traps that have come in as "active", what I am trying to do is to display all the traps that have come in as an alarm indicator that have NOT had an SNMP trap come in with a clear indicator to negate them.
See this image for further reference. Since there was a Clear for the Active, there should be no need to display either event: