-7d@h now Tous Hydro Nuc *
Historique perte PA index="spectrum_tic" | transaction id keepevicted=true keeporphans=true | lookup spectrum_devices_dynamic.csv IP AS Network_Address OUTPUT Location | search Location=$tk_contexte$ | search (Model_Name="PA2*" OR Model_Name="PIAF*") "Alarm_Title"="*PING KO*" | eval begin = strftime(_time,"%Y-%m-%d %H:%M:%S") | eval end = strftime(_time+duration,"%Y-%m-%d %H:%M:%S") | eval duree=tostring(duration, "duration") | table begin, end, "Model_Name",duration,duree | sort -duration | head 5 | fields begin, end, "Model_Name",duree $tk_time.earliest$ $tk_time.latest$
Equipements Avec/Sans alarmes critiques index="Spectrum_tic" | transaction id keepevicted=true keeporphans=true startswith="Creation_Date" endswith="Cleared" maxopentxn=100000 | search Severity=Critical Acknowledged=false (NOT Cleared=true) | lookup spectrum_devices_dynamic.csv IP AS Network_Address OUTPUT Owner | search Owner="CEIP Reseau" Location=$tk_contexte$ | rex field="Model_Name" "(?<name>.*)_((Fa)|(Gi))?[0-9]/[0-9]+(/[0-9]+)?" | eval name = if(isnull(name),Model_Name,name) | stats count by name | stats count as "Eqts avec Alarme" | appendcols [| inputlookup spectrum_devices_dynamic.csv | search Owner="CEIP Reseau" Location=$tk_contexte$ | stats count as "Nb_eqt_total"] | eval "Eqts sans Alarmes" = 'Nb_eqt_total' - 'Eqts avec Alarme' | fields "Eqts avec Alarme" "Eqts sans Alarmes" | transpose -30d@d now Equipements ayant généré le plus d'alarmes index=spectrum_tic "Creation_Date"=* | transaction id keepevicted=true keeporphans=true | lookup spectrum_devices_dynamic.csv IP AS Network_Address OUTPUT Owner Location | search Owner="CEIP Reseau" Location=$tk_contexte$ | rex field=Model_Name "(?<devname>.*)_[0-9](/[0-9])?(/[0-9]{2})?" | eval Model_Name = if(isnotnull(devname),devname,Model_Name) | stats count as "Nb Alarmes" by "Model_Name","Network_Address" | fields Model_Name "Nb Alarmes" | sort -"Nb Alarmes" | head 5 $tk_time.earliest$ $tk_time.latest$
Alarmes les plus fréquentes index="Spectrum_tic" Creation_Date=* Acknowledged=false Severity=* | lookup spectrum_devices_dynamic.csv IP AS Network_Address OUTPUT Owner Location | search Owner="CEIP Reseau" Location=$tk_contexte$ | stats count by Severity,Network_Address,Model_Name,Alarm_Title,Location | sort -count | head 5 $tk_time.earliest$ $tk_time.latest$ {"Critical":#DC4E41,"Major":#F1813F,"Minor":#F8BE34}
Logs les plus fréquents (4 dernières heures) host="*" | eval network_name=case(index=="eexp","eexp",index=="rth","rth",index=="rth_ge","rth",index=="rth_med","rth",index=="rms","rms",index=="rms_ge","rms",index=="rms_med","rms",index=="rmstel","rmstel",index=="rtdpih","rtdpih",index=="spp","spp") | lookup spectrum_devices_dynamic.csv IP AS host OUTPUTNEW Model_type,Hostname,Owner,Location | search Model_type="*Cisco*" Location=$tk_contexte$ | rex "%[A-Z_]+-(?<severity>[0-9])-[A-Z_]+" | search severity<=4 AND NOT UPDOWN AND NOT "*RADIUS-4-RADIUS*" AND NOT "*SYS-2-PRIVCFG_ENCRYPT*" | eval log = _raw | eval log = replace (log,"\([0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+\)","") | eval log = replace (log,"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)","<IP>") | eval log = replace (log,"[0-9a-fA-F]{4}[\\.:][0-9a-fA-F]{4}[\\.:][0-9a-fA-F]{4}","<Mac>") | eval log = replace (log,"(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]{3})?","<Heure>") | eval log = replace (log,"((Mon|Tue|Wed|Thu|Fri|Sat|Sun) )?(J[Aa][Nn]|F[Ee][Bb]|M[Aa][Rr]|A[Pp][Rr]|M[Aa][Yy]|J[Uu][Nn]|J[Uu][Ll]|A[Uu][Gg]|S[Ee][Pp]|O[Cc][Tt]|N[Oo][Vv]|D[Ee][Cc]) +(3[01]|[0-2]?[0-9]) ([1-2][0-9]{3})?","<Date>") | eval log = replace (log,"[1-2][0-9]{3}-(1[0-2]|0?[0-9])-(3[01]|[0-2]?[0-9])","<Date>") | eval log = replace (log,"[Uu][Nn][Ii][Tt][Ee][Pp]\\\\[A-Za-z0-9_]+","<Login>") | eval log = replace (log,"[\-A-Z_0-9\.]{4,5}H(\.)?[A-Z0-9]{3}(\.)?RZ[0-9]{2}(\.)?[A-Z]{2}[0-9]{2}(\.rms_step\.dpih\.fr|\.edf\.fr)?","<device name>") | eval log = replace (log,"<device name>_[0-9]/[0-9]/[0-9]{1,2}","<device name>_<Interface>") | eval log = replace (log,"(Fa(stEthernet)?|Gi(gabitEthernet)?|Te(ngigabitEthernet)?) 
?[0-9]+/[0-9]+/?[0-9]*","<Interface>") | eval log = replace (log,"logged command:.*","logged command:<Cmd>") | eval log = replace (log,"([ ,:;=])[0-9]+([ ,:;])","\1<Num>\2") | eval log = replace (log,"([\[\(])[0-9]+([\]\)])","\1<Num>\2") | eval log = replace (log," [0-9]+$"," <Num>") | top 1 log by host, Hostname, index | fields host Hostname index log count | sort -count | head 5 -4h@m now