https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179187#M35918 <P>I don't entirely follow why you need to split this into separate events? You're not limited to one extraction per event so you can just add all those extractions and have them apply to one single event instead.</P> Mon, 10 Mar 2014 07:05:02 GMT Ayn 2014-03-10T07:05:02Z https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179186#M35917 <P>Hello Experts,</P> <P>I'm using snmp-modular--input app to get my device stats using multiple object ids (get next, not bulk). The result is shown below. </P> <P><EM>timestamp1 SNMPv2-SMI::enterprises."14685.3.1.5.1.0" = "48" SNMPv2-SMI::enterprises."14685.3.1.52.2.0" = "1" SNMPv2-SMI::enterprises."14685.3.1.52.3.0" = "14"</EM> </P> <P>I have problem in splitting above result like this:-<BR /> <EM>timestamp1 SNMPv2-SMI::enterprises."14685.3.1.5.1.0" = "48"</EM></P> <P><EM>timestamp1 SNMPv2-SMI::enterprises."14685.3.1.52.2.0" = "1"</EM></P> <P><EM>timestamp1 SNMPv2-SMI::enterprises."14685.3.1.52.3.0" = "14"</EM> </P> <P>I can then make use of rex expressions to get "14685.3.1.5.1.0" as field1 and "48" as field2 and use this as a name-value pair for dashboards.</P> <P>Could someone please tell me how to split? or any other approach?</P> Mon, 10 Mar 2014 01:54:31 GMT https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179186#M35917 ragkna 2014-03-10T01:54:31Z https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179187#M35918 <P>I don't entirely follow why you need to split this into separate events? You're not limited to one extraction per event so you can just add all those extractions and have them apply to one single event instead.</P> Mon, 10 Mar 2014 07:05:02 GMT https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179187#M35918 Ayn 2014-03-10T07:05:02Z https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179188#M35919 <P>I have below rex expression which extract fields from above event. </P> <UL> <LI>source=snmp |eval _raw = split(_raw, "SNMPv2-SMI::enterprises.") | mvexpand _raw|rex "[^\"\n]*\"(?P<FIELDNAME1>[^\"]+)\"(?P<FIELDNAME2>[^\"]+)\"(?P<FIELDNAME3>[^\"]+)"</FIELDNAME3></FIELDNAME2></FIELDNAME1></LI> </UL> <P>Result of above query idexed to:<BR /> FIELDNAME1=14685.3.1.5.1.0, 14685.3.1.52.2.0 and 14685.3.1.52.3.0<BR /> FIELDNAME2= '=' (Assigned to 'equal to')<BR /> FIELDNAME3= 48,1, and 14</P> <P>Now, I'm unable to correlate between FIELDNAME1 and FIELDNAME3, which I need as name-value pair. If I split this into multiple and extract then resulted index holds FIELDNAME1='14685.3.1.5.1.0' and FIELDNAME3='48'. I do not need to correlate in this case. <BR /> Please let me know If you can give better idea.</P> Mon, 28 Sep 2020 16:04:51 GMT https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179188#M35919 ragkna 2020-09-28T16:04:51Z https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179189#M35920 <P>Ayn- Please check below comment..</P> Mon, 10 Mar 2014 11:16:58 GMT https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179189#M35920 ragkna 2014-03-10T11:16:58Z https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179190#M35921 <P>Can someone pl give insight on this problem?</P> Tue, 11 Mar 2014 23:25:02 GMT https://community.splunk.com/t5/Getting-Data-In/parse-snmp-result/m-p/179190#M35921 ragkna 2014-03-11T23:25:02Z