TrapReplay

Overview

The Unified Assurance Event Trap Replay gathers historical events from the Event Analytics database and creates a replay script that can be run separately.

Prerequisites

  1. Details.Replay must be populated through rules to support this functionality. Review the read-only rules and copy or merge the changes into the appropriate branch (for example, the Default read-write branch (default)).

    • Configuration -> Rules -> Core Rules (core) -> Default read-only branch (RO_LOCKED) -> Collection -> Event -> Trap -> base.rules
$Event->{Details}{Replay} = $replay;

Administration Details

The following list shows the technical details needed for advanced administration of the application:

./TrapReplay [OPTIONS] > /tmp/replay.sh

# EXAMPLE: time range of 1 day
./TrapReplay -s now-1d > /tmp/replay.sh

# EXAMPLE: multiple devices and a single IP address
./TrapReplay -d test1.example.com -d test2.example.com -i 192.0.2.1 > /tmp/replay.sh

# EXAMPLE: filter on Cisco traps only
./TrapReplay -t 1.3.6.1.4.1.9 > /tmp/replay.sh

# EXAMPLE: run replay script
export HOSTFQDN=a1col.example.com
/tmp/replay.sh

    --Dry-Run    Print the query that was generated, but do not run
-d, --Device     DeviceName to match in the "Node" field (may be repeated)
-e, --EndTime    The end of the time restriction inclusive (Epoch, RFC 3339, time literal) [Default: now]
                   * 1234567890
                   * 2023-01-31T23:59:59Z
                   * now
-i, --IPAddress  IPv6 or IPv4 address to match in the "IPAddress" field (may be repeated)
-l, --Limit      Limit the number of results [Default: 1000]
-s, --StartTime  The start of the time restriction inclusive (Epoch, RFC 3339, time literal) [Default: now-1h]
                   * 1234567890
                   * 2023-01-01T00:00:00Z
                   * now-30d
-t, --TrapOID    Trap OID tree or notification to filter results on
-u, --Updates    Include updated (de-duplicated and/or modified) events. May return more results than desired.
-?, -h, --Help   Print usage and exit