Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1860
Views
0
Helpful
1
Replies

EEM applet calls another EEM applet

fsebera
Level 4
Level 4

‎02-18-2020 12:50 PM

Hi folks,

I am trying to setup a dynamic packet capture with EEM and then after the capture captures some predetermined amount of data automatically off-loads that .pcap file to my server.  I have figured out how to dynamically trigger the EEM script but stuck with off-loading the file to my TFTP server.

 

PROBLEM: The dynamic capture starts once G3 goes down (which is what I want) but then immediately copies an "empty" file to my tftp server (which is what I do not want). I have tried using a delay option but since I don't know when I will get the specified number of packets, it may fail prematurely. I am looking to copy the file only after some trigger has been reached EX: When monitor capture has captured 20 packets, a syslog message  Packet Count Reached is sent.

 

EEM applet

track 1000 ip route 192.168.1.1/32 reachability

 

event manager applet EEM-PCAP

event track 1000 state any

action 1.1 track read

action 1.3 info type routername

action 1.5 comment Run sniffer when G3 goes down

 

action 2.1 if $_track_state eq "down"

action 2.3 cli command "enable"

action 2.5 cli command "mon cap INT_STATE limit packets 20 int g4 both match ipv4 any any start"

action 2.7 syslog msg "Now sniffing packets on GigabitEthernet 4"

action 2.9 end

 

action 3.1 if $_track_state eq "up"

action 3.3 cli command "enable"

action 3.5 puts "(R) $_info_routername is now up"

action 3.7 end

 

event syslog pattern "Packet Count Reached"

action 4.1 cli command "enable"

action 4.3 cli command "monitor capture INT_STATE export tftp://192.168.1.55/INT_STATE.pcap

 

 

Thank you

Frank

Labels:
0 Helpful
1 Reply 1

fsebera
Level 4
Level 4

‎02-19-2020 11:54 AM

UPDATE:!!!

 

OK so I now have this working - rather nicely I must admit!! :) although I always receive this error message -

%HA_EM-3-FMPD_ERROR: Error executing applet EEM-PCAP statement

 

The error message seems to be cosmetic in nature as the EEM applets run flawlessly but to any event (being new to EEM) I have searched the web for reasons and possible answers to this error message. This error message covers a wide range of reasons but none matching my applet configuration.

 

Anyone have clarification on this error message?

 

Thank you

Frank

0 Helpful
Customers Also Viewed These Support Documents