topic Re: Creating fields from trap in Splunk Search

Creating fields from trap

jduraes — Thu, 28 Apr 2011 19:09:01 GMT

Hi all,

I may be going at this in the completely wrong way, but I'm looking at extracting information from traps sent by a system, and then using them to generate reports.

So I have this trap:

SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.1230.2.7.4.3 SNMPv2-SMI::enterprises.1230.2.7.4.10.4 = INTEGER: 6 SNMPv2-SMI::enterprises.1230.2.7.4.10.5 = STRING: "neptune"

The system is picking up the fields ok, like "SNMPv2-SMI::enterprises.1230.2.7.4.10.5", but then its content is "STRING: \"neptune\"".

I'm looking at removing the word "STRING: ", both quotes (""), and just keeping the rest (neptune), preferably somehow placing that into a field named "planet".

My report will then look at displaying how many times each planet was observed, sort of thing.

Is this possible? Does this reasoning make any sense? I was thinking about using rex for this, but I must be way off the mark because nothing seems to work for me...

I was trying: | rex field=_raw "STRING: \"(?.*)\""

Help, please?

Thanks

Re: Creating fields from trap

JSapienza — Thu, 28 Apr 2011 19:50:30 GMT

Something like this should work ** (change to your sourcetype)

sourcetype="?????" | head 100 | rex "(?im)STRING:\s\\"(?P.+?)\\"" | top 50 PLANET

Re: Creating fields from trap

jduraes — Thu, 28 Apr 2011 19:56:55 GMT

Thank you. I guess I'm more of a beginner than I thought. The key was in specifying the sourcetype; I was just casting the | rex... on its own. 😉

Re: Creating fields from trap

southeringtonp — Thu, 28 Apr 2011 19:57:33 GMT

Getting rid of the quotes makes it a little messy, at least if you want to allow for the possibility of spaces within the quoted string.

Here's one way:

#transforms.conf
[snmp-fields]
REGEX = \s(\S+)\s*=\s*\w+: (")?((?<=")[^"]+|(\S+))
FORMAT = $1::$3

#props.conf
[snmp]
KV_MODE = none
REPORT-snmp = snmp-fields

The trick is to consume the opening quotation mark first so that it isn't part of the capture group (i.e., the extracted field).

Then, within the capture group, use negative lookbehind to determine whether you're matching inside a quoted section (match up to the end-quote), or just matching a block of non-whitespace.

Another way would be to create two separate transforms -- one for quoted string values and one for integer and other non-string types.

Re: Creating fields from trap

jduraes — Thu, 28 Apr 2011 20:26:51 GMT

I guess you're giving me something extra to read about. Thank you for that. I'll try to make something out of it, and see how I could use it. Again, thanks.

Re: Creating fields from trap

rasingh — Tue, 23 Aug 2011 22:26:20 GMT

If the trapserver is net-snmp, you can use -OQ option to remove the type (STRINGS in this case).