Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About victornajduch
victornajduch
Loves-to-Learn Everything
Member since:
06-29-2021
09-29-2021
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-29-2021 |
Activity Feed
- Posted Re: Lookup missing definition on Splunk Search. 07-22-2021 10:11 AM
- Posted Lookup missing definition on Splunk Search. 07-21-2021 01:36 PM
- Tagged Lookup missing definition on Splunk Search. 07-21-2021 01:36 PM
- Posted Re: Join subsearch failure on Splunk Search. 07-12-2021 07:07 AM
- Posted Re: Join subsearch failure on Splunk Search. 07-06-2021 11:36 AM
- Posted Re: Join subsearch failure on Splunk Search. 07-04-2021 09:38 AM
- Posted Re: Join subsearch failure on Splunk Search. 07-03-2021 05:32 AM
- Posted Re: Join subsearch failure on Splunk Search. 06-30-2021 07:01 AM
- Tagged Re: Join subsearch failure on Splunk Search. 06-30-2021 07:01 AM
- Tagged Re: Join subsearch failure on Splunk Search. 06-30-2021 07:01 AM
- Posted Join subsearch failure on Splunk Search. 06-29-2021 12:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
07-22-2021
10:11 AM
@venkatasri checked for special characters and added a 3 (superfluous) column. No change.
... View more
07-21-2021
01:36 PM
Good afternoon, I can't make sense of why I can't extract a definition from a particular csv. I doublechecked permissions and verified that all of my columns are appearing via | inputlookup file.csv | table loopback, device the output recognizes both the custom device data as well as loopback but if I attempt to table the info "device" is not recognized. index=index "syslog message" | rex field=_raw "peer (?<neighbor>\d+.\d+.\d+.\d+.)" | dedup neighbor | lookup xo-access-loopback loopback as neighbor output device | table device, neighbor I get neighbor output but not device. csv looks like - Any ideas? device loopback routername x.x.x.x
... View more
- Tags:
- lookup
Labels
- Labels:
-
lookup
07-12-2021
07:07 AM
@bowesmana It is joining correctly now that I set the deviceName - Host to (lower) I'm trying to figure out why it's only showing 2-3 results while it should have dozens.
... View more
07-06-2021
11:36 AM
@bowesmana Tried using append but this seemed to just show me results from both searches as opposed to joining the searches and outputting the common ifDescr field. I think this could work with the join function if I could figure out why I'm only getting the first two routers/device reporting their first search output. I played around with removing dedup and changing stats by removing any aggregated or time functions but still nothing. Any ideas?
... View more
07-04-2021
09:38 AM
@bowesmana I got this partially figured out by adding lower to one of the evals because the devices within the snmp index are all in lower case - | eval deviceName = lower(host) While this actually gets results to populate, I am now seeing only the top 2 results within the initial search. I'll tinker around with your recommendations later but if you have any ideas that would be greatly appreciated. Thanks.
... View more
07-03-2021
05:32 AM
@bowesmana I can restrict each search to explicit variables I know exist within a particular timeframe and this also fails. Example - search - index=SYSLOG host=Router_1 LFMD_3AH_THRESHOLD_EVENT et-7/0/20 subsearch - index=SNMP dataType=IP deviceName=Router_1 ifDescr=et-7/0/20 ifAlias=*bone* This creates only 337 events under the main search and even fewer under the subsearch
... View more
06-30-2021
07:01 AM
@bowesmana Running the subsearch individually (without adding a | dedup) produces 16700 events but I can trim that number down considerably by using dedup on ifAlias. Are we looking specifically for the number of results/events or how many potential results there were before filtering? index=SNMP deviceName=RCA* OR deviceName=RCB* OR deviceName=LCA* OR deviceName=LCB* ifDescr=et-* ifAlias=*bone* | dedup ifAlias | eval no_circuitid="" | rex field=ifAlias ":(?<circuitID>\d+\s?\/[^\/]+[^\/]+\/[^\/]+\/[^\/|\:|\s]+)" | eval circuitID=coalesce(circuitID, no_circuitid) | eval AID = circuitID | eval AlarmKey = deviceName." ".ifAlias." PCS Errors" | stats latest(ifAlias) as ifAlias values latest(_time) as LatestAlertedTS, earliest(_time) as FirstAlertedTS by AlarmKey,deviceName, ifDescr, AID, circuitID - 16,704 events (6/30/21 8:27:27.000 AM to 6/30/21 8:58:27.000 AM)
... View more
06-29-2021
12:01 PM
I have two different searches running against 2 different indexes to pull in realtime syslog data and enrich it with snmp polling data, like circuit information etc. My first search is looking for a specific syslog text and returning with all necessary results, while my second search is doing the exact same thing but does not show any stats. Each one of these searches and sub searches function individually so I don't understand why one works and not the other. The only ostensible change in either search are the explicit syslog text queries and manual evals to push into the table so I can't make sense of why it's failing. Any ideas or recommendations? first example - (working) syslog text - <28>Jun 29 18:22:25 DEVICE mib2d[2775]: SNMP_TRAP_LINK_DOWN: , ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/0/3 index=syslog "ifOperStatus down" | rex field=_raw "ifName (?<ifDescr>.+)" | eval deviceName = host | eval TriggerDescription = message | eval Environment="prod" | eval SourceEventID = "" | eval AlarmType = "Router" | eval Domain = "XO" | eval SourceSystem = "NI Splunk" | eval SendtoNOC = "Y" | eval EventStatus = "NEW" | eval ProductName = "XO" | eval ElementType = "Device" | eval TriggerUnitsofMeasure = "" | eval KPIMeasure = "" | eval CaseDescription = "Backbone Interface Down" | eval StateCode = "XO" | eval Severity = "Major" | lookup xo-cili-lookup device as deviceName output cili as NEID | eval Port = ifDescr | eval TriggerType = "Interface Down" | eval Cause = TriggerType | eval DeviceClli = NEID | eval Vendor = "Juniper" | eval model=case(match(deviceName, "MCR*|CIR*|mcr*|cir*"), "MX960", match(deviceName, "CTR*|ctr*"), "MX2020", match(deviceName, "RCA*|RCB*|rca*|rcb*"), "PTX5000", match(deviceName, "LCA*|LCB*|lca*|lcb*"), "PTX3000") | eval DeviceModel = model | join deviceName, ifDescr [search index=SNMP ifDescr=ae* OR ifDescr=et-* OR ifDescr=xe-* OR ifDescr=ge-* AND ifAlias=*bone* | eval no_circuitid="" | rex field=ifAlias ":(?<circuitID>\d+\s?\/[^\/]+[^\/]+\/[^\/]+\/[^\/|\:|\s]+)" | eval circuitID=coalesce(circuitID, no_circuitid) | eval AID = circuitID | eval AlarmKey = deviceName." ".ifAlias." Down" | stats latest(ifAlias) as ifAlias values latest(_time) as LatestAlertedTS, earliest(_time) as FirstAlertedTS by AlarmKey,deviceName, ifDescr, AID,circuitID] | table Environment,AlarmKey,FirstAlertedTS, LatestAlertedTS,EventStatus,deviceName,ifDescr,NEID,AID,circuitID,Port, Severity, TriggerType,TriggerDescription,Cause, DeviceClli, Vendor, DeviceModel, SourceEventID, SourceSystem, Domain,ProductName, ElementType, TriggerUnitsofMeasure, KPIMeasure, CaseDescription, SendtoNOC, StateCode, AlarmType Collapse | dedup AlarmKey Second example (not working) Syslog text - <28>Jun 29 18:56:38 DEVICE lfmd[17284]: LFMD_3AH_THRESHOLD_EVENT: Threshold event happened for ifd et-8/0/8(snmpid 525): index=SYSLOG LFMD_3AH_THRESHOLD_EVENT | rex field=_raw "event happened for ifd (?<ifDescr>\S+)\(snmpid" | rare host | eval deviceName = upper(host) | eval TriggerDescription = message | eval Environment="prod" | eval SourceEventID = "" | eval AlarmType = "Router" | eval Domain = "XO" | eval SourceSystem = "NI Splunk" | eval SendtoNOC = "Y" | eval EventStatus = "NEW" | eval ProductName = "XO" | eval ElementType = "Device" | eval TriggerUnitsofMeasure = "" | eval KPIMeasure = "" | eval CaseDescription = "Backbone Interface Errors" | eval StateCode = "XO" | eval Severity = "Major" | lookup xo-cili-lookup device as deviceName output cili as NEID | eval Port = ifDescr | eval TriggerType = "PCS Errors" | eval Cause = TriggerType | eval DeviceClli = NEID | eval Vendor = "Juniper" | eval model=case(match(deviceName, "MCR*|CIR*|mcr*|cir*"), "MX960", match(deviceName, "CTR*|ctr*"), "MX2020", match(deviceName, "RCA*|RCB*|rca*|rcb*"), "PTX5000", match(deviceName, "LCA*|LCB*|lca*|lcb*"), "PTX3000") | eval DeviceModel = model | join deviceName, ifDescr [search index=SNMP deviceName=RCA* OR deviceName=RCB* OR deviceName=LCA* OR deviceName=RCB* ifAlias=*bone* | eval no_circuitid="" | rex field=ifAlias ":(?<circuitID>\d+\s?\/[^\/]+[^\/]+\/[^\/]+\/[^\/|\:|\s]+)" | eval circuitID=coalesce(circuitID, no_circuitid) | eval AID = circuitID | eval AlarmKey = deviceName." ".ifAlias." PCS Errors" | stats latest(ifAlias) as ifAlias values latest(_time) as LatestAlertedTS, earliest(_time) as FirstAlertedTS by AlarmKey,deviceName, ifDescr, AID, circuitID] | table Environment,AlarmKey,FirstAlertedTS, LatestAlertedTS,EventStatus,deviceName,ifDescr,NEID,AID,circuitID,Port, Severity, TriggerType,TriggerDescription,Cause, DeviceClli, Vendor, DeviceModel, SourceEventID, SourceSystem, Domain,ProductName, ElementType, TriggerUnitsofMeasure, KPIMeasure, CaseDescription, SendtoNOC, StateCode, AlarmType Collapse
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-29-2021
03:01 PM
|
