Total Interface Down time
You can pull events showing when an interface goes down and when it comes back up. However, there does not appear to be a way to total the time between the two events. Is there a way to do this? One way I have thought about is to set up a rule that creates an event that will store the difference between the Down and Up events, rather than an incident, but I haven't found a way to do that.
Labels: SIEM
1 REPLY
Hi Kevin,
You are correct, technically this operation could be completed in the parser by way of the collectAndSetAttrFromAnotherEvent function.
Example from IronportMailParser
<collectAndSetAttrFromAnotherEvent AnotherEventType="Cisco-IronPort-Mail-From">
  <when test="$ironportMailMID = $AnotherEvent.ironportMailMID">
    <setEventAttribute attr="receiverMailAddr">$AnotherEvent.receiverMailAddr</setEventAttribute>
  </when>
</collectAndSetAttrFromAnotherEvent>
In your case, you would want to retrieve the last time the interface went up or down and calculate the time between the two events. So you would want to use a function like calculateMSec once you assign the event receive time from the other event to a temp variable.
Example
<when test='$eventType IN "PH_DEV_MON_INTF_OPER_DOWN_TO_UP,PH_DEV_MON_INTF_OPER_DOWN_TO_UP"'>
  <collectAndSetAttrFromAnotherEvent AnotherEventType="PH_DEV_MON_INTF_OPER_DOWN_TO_UP OR PH_DEV_MON_INTF_OPER_DOWN_TO_UP">
    <when test="$intfName = $AnotherEvent.intfName">
      <setEventAttribute attr="_lastChanged">$AnotherEvent.phRecvTime</setEventAttribute>
      <setEventAttribute attr="durationMSec">calculateMSec($_lastChanged)</setEventAttribute>
    </when>
  </collectAndSetAttrFromAnotherEvent>
</when>
This example code is untested. It is only provided as an example. Please use at your own risk.
Word of advice
------------------------------
Ken
------------------------------
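The reply above derives one duration per state change inside the parser; the per-interface total the question asks for can also be computed over exported events. The following is an added example, not code from the original post or from the product: `intfName`, `phRecvTime` and the up event type come from the reply, while the down event type, the `device` key and the sample events are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# UP_TYPE is the event type named in the reply. DOWN_TYPE is a placeholder:
# substitute the interface-down event type used in your deployment.
UP_TYPE = "PH_DEV_MON_INTF_OPER_DOWN_TO_UP"
DOWN_TYPE = "EXAMPLE_INTF_DOWN_EVENT"  # placeholder, not a real event type


def total_downtime(events, window_end=None):
    """Return ({(device, intfName): timedelta}, [anomalies]).

    events: dicts with eventType, device, intfName, phRecvTime (ISO 8601).
    window_end: if given, an interface still down is charged up to this time.
    """
    totals = defaultdict(timedelta)
    down_since = {}  # interface key -> time of the first unmatched down event
    anomalies = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["phRecvTime"])):
        key = (ev["device"], ev["intfName"])
        ts = datetime.fromisoformat(ev["phRecvTime"])
        if ev["eventType"] == DOWN_TYPE:
            if key in down_since:
                # A second down without an up: keep the earliest start time.
                anomalies.append((key, ts, "repeated down, keeping first"))
            else:
                down_since[key] = ts
        elif ev["eventType"] == UP_TYPE:
            start = down_since.pop(key, None)
            if start is None:
                anomalies.append((key, ts, "up without a preceding down"))
            else:
                totals[key] += ts - start
    for key, start in down_since.items():
        if window_end is not None:
            totals[key] += window_end - start
        anomalies.append((key, start, "still down at end of window"))
    return dict(totals), anomalies


# Constructed sample events (not real log data).
SAMPLE = [
    {"eventType": UP_TYPE, "device": "sw1", "intfName": "Gi0/2", "phRecvTime": "2024-01-01T09:00:00"},
    {"eventType": DOWN_TYPE, "device": "sw1", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T10:00:00"},
    {"eventType": UP_TYPE, "device": "sw1", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T10:05:00"},
    {"eventType": DOWN_TYPE, "device": "sw1", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T11:00:00"},
    {"eventType": DOWN_TYPE, "device": "sw1", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T11:01:00"},
    {"eventType": UP_TYPE, "device": "sw1", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T11:10:00"},
    {"eventType": DOWN_TYPE, "device": "sw2", "intfName": "Gi0/1", "phRecvTime": "2024-01-01T12:00:00"},
]
```

The anomaly list matters as much as the totals: an up with no preceding down or an interface still down at the end of the window usually means the query window cut a pair in half or an event was dropped.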