[
{
"label": "Search SNMP Trap log source bad keywords",
"duration": "24hour",
"query": "_lm.logsource_type=\"snmptrap\" and (\"error\" or \"fail\" or \"critical\" or \"fatal\" or \"terminate\" or \"kill\" or \"exception\" or \"timeout\")",
"UseCase": "",
"commentGroup": "SNMP Trap",
"commentQueryType": "Basic"
},
{
"label": "Search SNMP Trap log source good keywords",
"duration": "24hour",
"query": "_lm.logsource_type=\"snmptrap\" and (\"success\" or \"complete\" or \"finish\")",
"UseCase": "",
"commentGroup": "SNMP Trap",
"commentQueryType": "Basic"
},
{
"label": "Aggregate for number of errors by day",
"duration": "24hour",
"query": "_lm.logsource_type=\"snmptrap\" and (\"error\" or \"fail\" or \"critical\" or \"fatal\" or \"terminate\" or \"kill\" or \"exception\" or \"timeout\") | bucket(span=24h) | count by _bucket | sort by _bucket desc",
"UseCase": "",
"commentGroup": "SNMP Trap",
"commentQueryType": "Aggregate"
},
{
"label": "Aggregate for number and type of critical Palo Alto traps received (panSystemSeverity = critical)",
"duration": "24hour",
"query": "_lm.logsource_type=\"snmptrap\" AND panSystemSeverity = \"critical\" | count by panSystemDescription | sort by _count desc | limit 15",
"UseCase": "Uses the varbinds the snmptrap datasource already parses into fields (here panSystemSeverity and panSystemDescription) so the query filters and groups on structured values instead of relying on regex or string parsing of the raw trap text",
"commentGroup": "SNMP Trap",
"commentQueryType": "Aggregate"
}
]