topic Re: SNMP Data Events, need help matching indexed values with regex in Deployment Architecture

SNMP Data Events, need help matching indexed values with regex

loren3737 — Wed, 09 Jan 2019 23:38:09 GMT

I am using the SNMP Modular Input package found here: https://splunkbase.splunk.com/app/1537/

My Splunk events appear as the following:

MYMIB::errorCounter."0" = "10" MYMIB::errorCounter."1" = "12" MYMIB::errorCounter."2" = "13" MYMIB::errorCounter."3" = "17" MYMIB::elementID."0" = "compid1" MYMIB::elementID."1" = "amescomp2" MYMIB::elementID."2" = "othercompid" MYMIB::elementID."3" = "hi"
sourcetype = snmp_ta

I am trying to match each errorCounter and elementID with the same index, denoted by ."". I want to create a time chart that will show the change in errorCount for each unique elementID over time. Currently, both the fields and indexes are not being recognized by Splunk. I tried using the REX command to extract data but I am having a hard time finding a solution that will work when I add another 100+ indexes of data per event. Any help would be appreciated thank you so much.

Re: SNMP Data Events, need help matching indexed values with regex

harsmarvania57 — Fri, 11 Jan 2019 11:53:26 GMT

Hi,

Try below query

<yourBasesearch>
 | rex "::(?<a>\w+)\.\"(?<b>\d+)\"\s\=\s\"(?<c>\w+)\"" max_match=0
 | eval d=mvzip(a,b), e=mvzip(d,c)
 | mvexpand e
 | eval f=mvindex(split(e,","),0), h=mvindex(split(e,","),2)
 | eval {f}=h
 | stats list(elementID) as elementID, list(errorCounter) as errorCounter by _time
 | eval i = mvzip(elementID,errorCounter)
 | mvexpand i
 | eval elementID=mvindex(split(i,","),0), errorCounter=mvindex(split(i,","),1)
 | timechart avg(errorCounter) by elementID

Re: SNMP Data Events, need help matching indexed values with regex

loren3737 — Tue, 29 Sep 2020 22:41:54 GMT

Thank you so much for your response! It helped out a lot. I was able to adjust the query slightly to get just about what I wanted. Unfortunately, in the xyseries portion of my query below "| xyseries _time indexes myerrorCount" I would like to replace indexes with myelementID but when I do so my visualization stops appearing. Is there something that I'm missing?

sourcetype="snmp_ta"
| rex "::(?\w+).\"(?\d+)\"\s=\s\"(?\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval m=mvfilter(match(e, ".errorCount."))
| eval n=mvfilter(match(e, ".elementID."))
| eval indexes=mvindex(split(m,","),1), myerrorCount=mvindex(split(m,","),2), myelementID=mvindex(split(n,","),2)
| xyseries _time indexes myerrorCount

Re: SNMP Data Events, need help matching indexed values with regex

harsmarvania57 — Mon, 14 Jan 2019 09:39:48 GMT

It looks like with your query , values existed on all three columns (_time, indexes and myerrorCount for | xyseries _time indexes myerrorCount and that's why it is displaying data, however when you try to run | xyseries _time indexes myelementID that does not have values in indexes where elemetnID value is present and due to that it is not generating any output.