Current code that I am using is below:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" AND "AOKBT-WANRTC002"
| eval Time_CST=_time
| sort Time_CST
| delta Time_CST as duration
| eval duration=tostring(round(duration),"duration")
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| rex field=eventuei "(?<Status>[A-Z].*)"
| dedup nodelabel sortby - Time_CST
| table nodelabel, duration, Status, Time_CST
Output is...
nodelabel duration Status Time_CST
USDALIGW 00:15:59 Up 03/24/20 03:47:15
USRG2 00:01:46 Up 03/24/20 02:05:44
USBRP 00:01:40 Up 03/23/20 16:49:27
If I keep it for all devices, I also get durations of 1 min. Please help me filter out all those below 15 mins. I want to display only those devices with a duration above 15 mins.
Please help me.
...
| delta Time_CST as duration
| where duration > 900
| eval duration=tostring(round(duration),"duration")
...
I have one more issue which I am facing.
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" "WANRT*"
| rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
| eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST
| table nodelabel Status Time_CST
Output:
nodelabel Status Time_CST
NZSKB DOWN 03/24/20 10:33:33
GQPCW DOWN 03/24/20 10:30:15
EGSUM UP 03/24/20 10:19:39
GQHAN DOWN 03/24/20 10:16:57
FJVUD UP 03/24/20 10:05:20
PGPKC UP 03/24/20 09:58:09
Is it possible to only display DOWN cases in the dashboard?
Separate issues should be separate questions. This answer is similar to the first.
...
| eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")
| where Status=="DOWN"
| rename _time as Time_CST
...
That converted all the UPs to DOWN.
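The result described in that last reply comes from the order of the two commands in the answer above: where Status=="DOWN" runs before dedup nodelabel, so a node whose most recent event is nodeUp has that row discarded, and dedup then keeps its older nodeDown row, making the node look DOWN. Running dedup first picks each node's latest event, and filtering afterwards keeps only nodes whose current state is DOWN. This is an added example, not code from the thread; it reuses the thread's index, search terms and field names (eventuei, nodelabel), parenthesizes the OR to make the grouping explicit, and down_for (time since each node's latest event) is an added field.

```spl
index=opennms ("uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") "WANRT*"
| rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
| eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")
| dedup nodelabel sortby - _time
| where Status=="DOWN"
| eval down_for=tostring(round(now()-_time), "duration")
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| table nodelabel Status down_for Time_CST
```

The same ordering applies to the 15-minute filter in the first answer: any where clause that is meant to act on a node's current state has to come after the dedup, not before it.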