Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
0
Helpful
1
Replies

EEM NetFlow Config

Mark Ciecior
Level 1
Level 1

‎09-08-2016 01:04 PM

I have a simple EEM script that I can fire manually without a problem.  I'd like it to fire when a particular NetFlow conversation exceeds a certain number of bytes.

Current Flexible NetFlow config:

flow record NTArec
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect application name
flow exporter server01
 destination 10.0.0.1
 source GigabitEthernet0/0.10
 transport udp 2055
 export-protocol ipfix
 template data timeout 60
 option application-table timeout 60
 option application-attributes timeout 300
flow monitor <monitor_name>
 description NetFlow nbar
 exporter server01
 cache timeout inactive 30
 cache timeout active 60
 record NTArec

Current applet:

event manager applet HighBandwidth authorization bypass
 event none
 action 1.0 cli command "enable"
 action 2.0 cli command "show flow monitor <monitor_name> cache sort highest counter bytes top 5 format table"
 action 3.0 mail server "10.1.1.1" to "first.last@domain.com" from "router@company.com" subject "EEM Test" body "$_cli_result"

This sends me the email I expect when I run it manually.  But when I try to change the event to type 'nf' I *always* get the below error.

Router(config-applet)#event nf event-type create event1 entry-val 5000 entry-op ge field counter bytes monitor-name Test
Router(config-applet)#exit
%EEM: Failed to register event(s) for applet HighBandwidth: 'Embedded Event Manager' detected the 'warning' condition 'invalid parameters'

What am I doing wrong?

Labels:
0 Helpful
1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

‎09-14-2016 07:02 AM

Hi

I'm sorry for my quick answer but I'm through my iphone and would like to share with you the syntax.

You need to configure exit-value to re arm the policy and you need to specify the monitor-name as well.

The full syntax should looks like (just an example):

event nf monitor-name "<monitor_name>" event-type create  exit-event-type delete event1 entry-value "5" field counter bytes entry-op lt exit-value "5" exit-op lt

For more details, take a look at : http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e2.html

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents