topic Snmpwalk KV Field Extraction in Getting Data In

Snmpwalk KV Field Extraction

ephemeric — Tue, 29 Jan 2013 18:37:23 GMT

Greetz,

Man, do I feel stupid tonight, I can't even get this simple task working.
Please can someone help me?

I have like so from a snmpwalk scripted input:

IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 16

props.conf:
[snmp]
TRANSFORMS-snmpwalk = snmpwalk

transforms.conf:
[snmpwalk]
REGEX = (?m)IF-MIB::(.?)\s=\s.?:\s(.*)
FORMAT = $1::$2

I know the regex can be improved.

What am I doing wrong here?
I just want the KV fields extracted!
I keep getting 'Counter32' for the field value.

Thank you.

Re: Snmpwalk KV Field Extraction

sbrant_splunk — Tue, 29 Jan 2013 19:25:27 GMT

Yes, you are getting the default key/value pairs because of the '='. Try this regex in place of yours:

IF-MIB::(.+)\s=\s\w+:\s(\d+)$

Re: Snmpwalk KV Field Extraction

sbrant_splunk — Tue, 29 Jan 2013 20:22:39 GMT

Although you have a field name of Counter32, are you also seeing field names with this format? "ifOutDiscards.2"

Re: Snmpwalk KV Field Extraction

sspencer_splunk — Wed, 30 Jan 2013 13:51:19 GMT

If you're not terribly worried about what the raw data looks like once it's within Splunk, you could easily use the interface table that SNMP provides. (You're really not worried about the raw data, right? 🙂

Splunk's "multikv" command easily breaks down the resulting SNMP table into searchable fields and values. And since you're SNMP walking, you might as well use snmptable since it's really just a more efficient way to walk.

Here's my one-line scripted input (stored in a bash script):

snmptable -v2c -c public 192.168.10.1 if

The resulting table is dropped directly into my Splunk index (every 10 minutes) and that's really all there is to it. From there I simply pipe my search to the multikv command and Splunk automatically discovers the key/value pairs and extracts them both for me:

sourcetype=snmpwalk index=snmp | multikv

Re: Snmpwalk KV Field Extraction

ephemeric — Mon, 28 Sep 2020 13:12:24 GMT

Sorry, I knew it was something simple, and the above regex was copy and paste broken:

[snmp]
KV_MODE = none
REPORT-snmpwalk = snmpwalk

[snmpwalk]
REGEX = IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$
FORMAT = $1::$2
CLEAN_KEYS = 1
MV_ADD = 0
disabled = 0

Re: Snmpwalk KV Field Extraction

ephemeric — Wed, 30 Jan 2013 15:24:49 GMT

Wow! Thank you, I tried this and it works. But stupid me I see only one field for ifInOctets and ifOutOctets. How do I get the octets per interface?

Re: Snmpwalk KV Field Extraction

sspencer_splunk — Thu, 31 Jan 2013 00:56:39 GMT

Actually, I didn't notice the problem until you mentioned it. Then, it was obvious. My first thoughts are to manually search based on the interface you're curious about. That can be done with the "ifIndex" field that multikv extracts automatically. Unfortunately, it seems that the "ifDescr" field isn't being extracted in my Splunk instance. That would really be a better field to use because it persists over time, while ifIndex can change. (SNMP interface index numbers change on occasion.)

sourcetype=snmpwalk index=temp | multikv | search ifIndex="2"

Re: Snmpwalk KV Field Extraction

ephemeric — Thu, 31 Jan 2013 10:19:14 GMT

I noticed that not all events were being extracted too... but thank you for giving me ideas, a different angle.