Hi Mus,
I'm using the query below, as you suggested:
*swt* "changed state to" */*/* | rex "(?i) Interface (?P<AnInterface>[^,]+)" | rex "(?i)changed state to (?P<UpDown>.+)" | table host, AnInterface, UpDown, _time | sort -_time | reverse
Could anyone please provide the script, so that Splunk will send the logs below to Netcool?
data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38
data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38
data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08
data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08
Thanks....