×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dflynn235
Loves-to-Learn
Member since: ‎08-24-2021
‎05-08-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-24-2021
View All

Re: Suppress and alert when a resolving event is r...

by in Splunk Search
‎05-08-2025 01:43 PM
‎05-08-2025 01:43 PM
Understood.  To test this, I'll actually need to down an interface for at least 60 seconds to see the Down result.  I'll need to get a network engineer involved to test.  I will get back ASAP. ... View more

Re: Suppress and alert when a resolving event is r...

by in Splunk Search
‎05-08-2025 01:37 PM
‎05-08-2025 01:37 PM
Thanks for the reply! I ran the query as is and received some odd results.  I slightly modified it as shown: index=main sourcetype="cisco:ios" ("SESSION_STATE_DOWN" OR "SESSION_STATE_UP") | eval status=case(searchmatch("%BFD-5-SESSION_STATE_DOWN"),"Down",searchmatch("%BFD-5-SESSION_STATE_UP"),"Up",true(),"Unknown") | rex "on interface (?<iface>[a-zA-Z0-9]+)" | stats range(_time) as downTime latest(status) as latestStatus by iface | where downTime<60 This produced 2 results for the past 7 days: Can this be run in realtime and alert be generated for a "LatestStatus" of Down? ... View more

Re: Suppress and alert when a resolving event is r...

by in Splunk Search
‎05-08-2025 12:30 PM
‎05-08-2025 12:30 PM
Thanks for the reply! If I break down this query to just: index=main ("SESSION_STATE_DOWN" OR "SESSION_STATE_UP") | dedup host The only results are up sessions, the "dedup host" removes all of the down sessions. as they're from the same host Does the remaining | where match(_raw, "SESSION_STATE_DOWN") AND _time<relative_time(now(), "-60s") only query the results from the | dedup host or the total query?  If yes, it will never find a "SESSION_STATE_DOWN", they are filtered out ... View more

Suppress and alert when a resolving event is recei...

by in Splunk Search
‎05-07-2025 11:05 AM
‎05-07-2025 11:05 AM
I'm attempting to suppress an alert if a follow up event (condition) is received within 60 seconds of the initial event (condition) from the same host.  This is a network switch alerting for BFD neighbor down event.  I want to suppress the alert if a BFD neighbor up event is received within 60 seconds. This is the event data received: Initial BFD Down: 2025-05-07T07:20:40.482713-04:00 "switch_name" : 2025 May 7 07:20:40 EDT: %BFD-5-SESSION_STATE_DOWN: BFD session 1124073489 to neighbor "IP Address" on interface Vlan43 has gone down. Reason: Administratively Down. host = "switch_name" Second event to nullify the alert: 2025-05-07T07:20:41.482771-04:00 "switch_name" : 2025 May 7 07:20:41 EDT: %BFD-5-SESSION_STATE_UP: BFD session 1124073489 to neighbor "IP Address" on interface Vlan43 is up. host = "switch_name"   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-08-2025 01:16 PM