Hi MuS,
thank you for your help. My search string is now:
source="ens_emea_syslog" sourcetype="cisco_syslog" BGP | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\s(?<BGP_Status>\w+)\s" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\sDown\s(?<BGP_Down_Event>.*)" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\s(active|passive)\s(?<BGP_AcPas_Event>.*)" | rex field=_raw "([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+)\sreset\s(?<BGP_Reset_Event>.*)" | rex "(?i) .*? neighbor (?P<BGP_Neighbor>([a-f0-9]+:\d+:\d+:\d+:\d+::\d+|\d+\.\d+\.\d+\.\d+))(?= )" | eval time=date_hour.":".date_minute.":".date_second | eval date=date_mday.".".date_month.".".date_year | table date, time, host, BGP_Neighbor, BGP_Status, BGP_Down_Event, BGP_Reset_Event | rename host as "Alerting Host"
and its working. Is it possible to transaction the "BGP_Neighbor" to measure the time between "Down" and "Up" ?
Best regards
Florian
... View more