EEM applet to match specific syslog pattern

Nithya Narayan

Hi,

I am trying to execute an EEM script by matching on a syslog pattern. The syslog is about an IP SLA violation.

This is the syslog I get when there is a violation:

*Mar 27 16:03:49.565: %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt

 

However, the syslog pattern match only works if I match only "Threshold exceeded for rtt".

Is there a way we can match the entire message?

The reason is that I have multiple IP SLAs defined, each associated with an interface.

So I want to be able to match on IP SLAs(1) in the message to take an EEM action on, say, interface G1; if it comes as IP SLAs(2): Threshold exceeded for rtt, I want to take an action on interface G2.

This is the entire EEM applet:

event manager applet NAT-DISABLE-INTF1 authorization bypass
event syslog pattern " %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt "
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "interface GigabitEthernet1"
action 4.0 cli command "no ip nat outside"
action 5.0 cli command "end"
action 6.0 cli command "wr mem"
exit

 

Any guidance?

 

Nithya

 

1 Accepted Solution

Accepted Solutions

Hello,

 

The problem is the (). Replace these with dots. Also make sure to get rid of the empty spaces at the beginning and at the end of the pattern.

 

event manager applet NAT-DISABLE-INTF1 authorization bypass
--> event syslog pattern "%RTT-3-IPSLATHRESHOLD: IP SLAs.1.: Threshold exceeded for rtt"
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "interface GigabitEthernet1"
action 4.0 cli command "no ip nat outside"
action 5.0 cli command "end"
action 6.0 cli command "wr mem"


balaji.bandi

How about doing a regex on "SLAs(1)" or "SLAs(2)" and taking action with an if condition?

BB


Thanks Balaji,

Can you provide a sample regex statement and show me how and where to use it?

 

Nithya

Example:

! Dots stand in for the literal ( and ) around the IP SLA number; "variable" receives the number
event syslog pattern "%RTT-3-IPSLATHRESHOLD.*"
action 1.0 regexp "IP SLAs.([0-9]+)." "$_syslog_msg" match variable
action 2.0 puts "variable = $variable"

BB

Thanks Georg,

That worked.
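
The single-applet approach discussed in this thread (one syslog match, the IP SLA number extracted with a regexp action, then an if branch per interface), written out as an added example that is not from any of the posters. The applet name, the variable names `sla_id` and `intf`, and the mapping of IP SLA 2 to GigabitEthernet2 are assumptions; the labels are zero-padded because EEM runs actions in alphanumeric label order, so "10.0" would sort before "2.0".

```ios
! Added example: one applet for every IP SLA threshold message.
! Dots replace the literal ( and ), which the pattern would otherwise
! treat as regex grouping; there are no spaces at either end of the pattern.
event manager applet NAT-DISABLE-BY-SLA authorization bypass
 event syslog pattern "%RTT-3-IPSLATHRESHOLD: IP SLAs.[0-9]+.: Threshold exceeded for rtt"
 ! "match" receives the whole matched text, "sla_id" the first capture group.
 action 010 regexp "IP SLAs.([0-9]+)." "$_syslog_msg" match sla_id
 ! Map the IP SLA number to the interface it monitors (assumed mapping).
 action 020 if $sla_id eq "1"
 action 030  set intf "GigabitEthernet1"
 action 040 elseif $sla_id eq "2"
 action 050  set intf "GigabitEthernet2"
 action 060 else
 ! Unmapped IP SLA number: log it and stop without changing anything.
 action 070  syslog msg "NAT-DISABLE-BY-SLA: no interface mapped for IP SLA $sla_id"
 action 080  exit
 action 090 end
 action 100 cli command "enable"
 action 110 cli command "config t"
 action 120 cli command "interface $intf"
 action 130 cli command "no ip nat outside"
 action 140 cli command "end"
 action 150 cli command "wr mem"
 ! Record which interface was changed and why.
 action 160 syslog msg "NAT-DISABLE-BY-SLA: removed ip nat outside from $intf (IP SLA $sla_id)"
```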