I'm configuring an alert for changes in EIGRP neighbor adjacency. I've configured a field extraction that defines the fields:
eigrp_interface
eigrp_neighbor
eigrp_state
I'm using the transaction command to correlate the "down" and "up" messages for a given host, interface, and neighbor.
The alert has multiple conditions. Here's the logic:
IF the transaction isn't closed (i.e., no "up" message received) and the state is "down" --> Alert
IF the transaction is closed and the duration (i.e., the downtime) was greater than 30 seconds --> Alert
Here's the search string:
index=network NBRCHANGE | transaction host eigrp_interface eigrp_neighbor startswith=eigrp_state="down" endswith=eigrp_state="up" keepevicted=true | eval eigrp_alert=if((closed_txn=0 AND eigrp_state="down") OR (closed_txn=1 AND duration>30),1,0) | search eigrp_alert=1
This works. I want to add one more condition to the alert if an interface is "flapping". In other words, if more than x "down" messages are seen for the same neighbor within a period of time, alert. I can't figure out how to add this logic.
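One way to add the flapping condition to the search above, as an added example that is not part of the original post. It keeps the existing transaction pipeline for the "still down" and "long outage" cases and appends a second result set that counts raw "down" events per host/interface/neighbor in fixed time buckets. The threshold (more than 3 downs) and the window (10 minutes) are assumptions standing in for the poster's "x" and "period of time"; the `eigrp_reason` field is also added here so the alert can say which condition fired:

```spl
index=network NBRCHANGE
| transaction host eigrp_interface eigrp_neighbor startswith=eigrp_state="down" endswith=eigrp_state="up" keepevicted=true
| eval eigrp_reason=case(closed_txn=0 AND eigrp_state="down", "still_down",
                         closed_txn=1 AND duration>30, "long_outage")
| eval eigrp_alert=if(isnotnull(eigrp_reason), 1, 0)
| append
    [ search index=network NBRCHANGE eigrp_state="down"
      | bin span=10m _time
      | stats count AS down_count BY host eigrp_interface eigrp_neighbor _time
      | where down_count > 3
      | eval eigrp_alert=1, eigrp_reason="flapping" ]
| search eigrp_alert=1
| table _time host eigrp_interface eigrp_neighbor eigrp_reason duration down_count
```

Two caveats a practitioner should keep in mind. First, `bin` uses fixed buckets, so a burst of downs that straddles a bucket boundary is split across two counts and can fall under the threshold; if that matters, replace the `bin`/`stats` pair in the subsearch with `streamstats time_window=10m count AS down_count BY host eigrp_interface eigrp_neighbor` to get a sliding window over the events instead. Second, `append` runs its subsearch under the usual subsearch limits (result count and run time), which is fine for an alert over a short lookback but should be checked if the search window is widened to hours.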