Hi Risto, et al.
I'm trying to come up with a way to match Cisco IP SLA syslog events.
Messages come in from 10 different IP SLA shadow routers that look similar
to this:
Jun 3 03:13:53 10.48.36.33 394491: 379185: Jun 3 03:13:52.982 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3419): Threshold Occurred for connectionLoss
Jun 3 03:13:54 10.48.36.37 330506: 331273: Jun 3 03:13:53.592 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3242): Threshold Occurred for timeout
Jun 3 03:13:54 10.48.36.37 330507: 331274: Jun 3 03:13:54.688 BST: %RTT-4-OPER_TIMEOUT: condition cleared, entry number = 3364
Jun 3 03:13:54 10.48.36.39 331498: 332112: Jun 3 03:13:53.916 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3263): Threshold Occurred for timeout
Jun 3 03:13:55 10.48.36.37 330508: 331275: Jun 3 03:13:54.704 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3364): Threshold Cleared for timeout
Jun 3 03:13:56 10.48.36.39 331499: 332113: Jun 3 03:13:56.816 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(1398): Threshold exceeded for packetLossDS
Jun 3 03:13:56 10.48.36.39 331500: 332114: Jun 3 03:13:56.916 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 3321
Jun 3 03:13:57 10.48.36.39 331501: 332115: Jun 3 03:13:56.932 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3321): Threshold Occurred for timeout
Jun 3 03:13:57 10.48.36.39 331502: 332116: Jun 3 03:13:57.812 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(1402): Threshold exceeded for packetLossDS
Jun 3 03:14:01 10.48.36.42 184927: 185372: Jun 3 03:14:01.167 BST: %RTT-4-OPER_TIMEOUT: condition cleared, entry number = 4030
Jun 3 03:14:02 10.48.36.42 184928: 185373: Jun 3 03:14:01.179 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(4030): Threshold Cleared for timeout
Jun 3 03:14:07 10.48.36.37 330510: 331277: Jun 3 03:14:06.005 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(1442): Threshold below for packetLossDS
Jun 3 03:14:07 10.48.36.42 184929: 185374: Jun 3 03:14:07.936 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 4096
Jun 3 03:14:08 10.48.36.33 394492: 379186: Jun 3 03:14:07.942 BST: %RTT-4-OPER_TIMEOUT: condition cleared, entry number = 3418
Jun 3 03:14:08 10.48.36.33 394493: 379187: Jun 3 03:14:07.954 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3418): Threshold Cleared for timeout
For example:
I need to find a "condition occurred, entry number = 4030" and match it to
"condition cleared, entry number = 4030"
The time frame doesn't matter - what does matter is that if I receive
another "condition occurred, entry number = 4030" before I receive a clear
for that probe number (4030 in this case), then that means I lost a syslog
message somewhere (since it's impossible to get a new condition without a
clear). In this case, I need to trigger an email.
I need to do this for every device and unique probe # (there are thousands).
So:
1.1.1.1, probe 1 should have matching pairs
1.1.1.1, probe 2 should have a matching pair
2.2.2.2, probe 3 should match
etc.
Any help you can provide sure would be appreciated :-)
______________________________________________________________
Clayton Dukes
______________________________________________________________
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
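
The correlation asked for in the message above, sketched in Python as an added example (not part of the original post and not a SEC rule set): it keeps one open/closed state per device and probe number and reports a repeated "condition occurred" that arrives with no "condition cleared" in between. The function name, the sample lines marked as constructed and the choice to ignore a clear with no open state are assumptions; sending the email is left to the caller.

```python
import re

# Only %RTT-4-OPER_TIMEOUT lines carry the occurred/cleared pair.
# The fourth whitespace-separated field (the sending router) is the device key.
OPER_TIMEOUT = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<device>\S+)\s.*"
    r"%RTT-4-OPER_TIMEOUT: condition (?P<state>occurred|cleared), "
    r"entry number = (?P<probe>\d+)\s*$"
)

def find_lost_clears(lines):
    """Return (device, probe, line) for each 'occurred' seen while the same
    device/probe pair was still open, meaning its 'cleared' was never received."""
    open_probes = set()   # (device, probe) pairs still waiting for a clear
    alerts = []
    for line in lines:
        m = OPER_TIMEOUT.match(line)
        if not m:
            continue      # IPSLATHRESHOLD and unrelated lines are skipped
        key = (m["device"], m["probe"])
        if m["state"] == "cleared":
            open_probes.discard(key)   # a clear with no open state is ignored
        elif key in open_probes:
            alerts.append((key[0], key[1], line))   # pair stays open
        else:
            open_probes.add(key)
    return alerts

# Sample input: the first three lines are from the message above, the rest are
# constructed in the same format to exercise the check.
SAMPLE = [
    "Jun 3 03:13:56 10.48.36.39 331500: 332114: Jun 3 03:13:56.916 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 3321",
    "Jun 3 03:13:57 10.48.36.39 331501: 332115: Jun 3 03:13:56.932 BST: %RTT-3-IPSLATHRESHOLD: IP SLAs(3321): Threshold Occurred for timeout",
    "Jun 3 03:14:07 10.48.36.42 184929: 185374: Jun 3 03:14:07.936 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 4096",
    # constructed: probe 4096 on .42 clears and fires again (a clean pair, no alert)
    "Jun 3 03:14:30 10.48.36.42 184930: 185375: Jun 3 03:14:30.100 BST: %RTT-4-OPER_TIMEOUT: condition cleared, entry number = 4096",
    "Jun 3 03:14:40 10.48.36.42 184931: 185376: Jun 3 03:14:40.200 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 4096",
    # constructed: same probe number on a different router is a separate key
    "Jun 3 03:14:45 10.48.36.37 330511: 331278: Jun 3 03:14:45.300 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 3321",
    # constructed: second 'occurred' for .39 / 3321 with no clear in between
    "Jun 3 03:14:50 10.48.36.39 331503: 332117: Jun 3 03:14:50.400 BST: %RTT-4-OPER_TIMEOUT: condition occurred, entry number = 3321",
]

if __name__ == "__main__":
    for device, probe, line in find_lost_clears(SAMPLE):
        print(f"lost syslog message: device {device} probe {probe}: {line}")
```

State is held in memory only, so a restart of the correlator forgets which probes were open.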