https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696531#M236720 <P>That's because you're collecting the contents of the event in a field called logEvent. If you want to collect this as raw event, you obviously have to set the _raw field.</P><P>You are aware that using other sourcetype than stash (or stash_hec for output_format=hec) uses up your license?</P><P>You can also have issues with timestamps if you don't set _time properly before collecting (and generally you should set all default metadata fields)</P> Fri, 16 Aug 2024 18:54:49 GMT PickleRick 2024-08-16T18:54:49Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696529#M236719 <P>I want to manually add an event to an index, using collect seems to be the most straight forward method. I am asking for a method to use makeresults and eval to add field quotes like the native Aruba SNMP log format to send in raw format to an index</P> <P>Background: We had a power outage at one of our sites. Report and Alert searches look for active user Wi-Fi sessions. Because&nbsp;the access points were offline, when users left for the day the Wi-Fi session end log events were not sent from Aruba to Splunk&nbsp;, which is causing false positive alerts.</P> <P>The Aruba SNMP logs look like this:&nbsp;</P> <P><SPAN class="">timestamp=1723828026</SPAN> <SPAN class="">notification_from_address</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">172.20.0.69</SPAN><SPAN>" </SPAN><SPAN class="">notification_from_port</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">34327</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::mib-2.1.3.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">10679000</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::snmpModules.1.1.4.1.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">1.3.6.1.4.1.14823.2.3.1.11.1.2.1219</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">0x07e808100a0706002d0700</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">192.168.50.54</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">0xd8be1f2f9c1a</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">0x2462ce8053b1</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">RAP1053a</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">0</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">0</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">2</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">11</SPAN><SPAN>" </SPAN><SPAN class="">SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0</SPAN> <SPAN class="">=</SPAN><SPAN> "</SPAN><SPAN class="">1</SPAN><SPAN>"</SPAN></P> <P><SPAN>My search:</SPAN></P> <LI-CODE lang="markup">| makeresults | eval timeStamp=now() | eval logEvent="timestamp=1723830464 notification_from_address = \"172.20.0.17\" notification_from_port = \"43015\" SNMPv2-SMI::mib-2.1.3.0 = \"2063900\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = \"0x07e8080e0d310f002d0700\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = \"192.168.50.67\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = \"0xd8be1f7d1076\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = \"0x482f6b06b171\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = \"AP7\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = \"2\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = \"10\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = \"1\"" | collect index=aruba_snmp sourcetype=snmp_traps output_format=raw testmode=true </LI-CODE> <P>The search result looks like what I want but when sent in raw format the escape \ are visible. How do I obscure or remove the \ in raw format? Thank you for any help in advance.</P> Fri, 16 Aug 2024 21:09:07 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696529#M236719 Seawheels51 2024-08-16T21:09:07Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696531#M236720 <P>That's because you're collecting the contents of the event in a field called logEvent. If you want to collect this as raw event, you obviously have to set the _raw field.</P><P>You are aware that using other sourcetype than stash (or stash_hec for output_format=hec) uses up your license?</P><P>You can also have issues with timestamps if you don't set _time properly before collecting (and generally you should set all default metadata fields)</P> Fri, 16 Aug 2024 18:54:49 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696531#M236720 PickleRick 2024-08-16T18:54:49Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696725#M236787 <P>I was not aware of the licensing implications, thank you and I'll stay in compliance.</P> Mon, 19 Aug 2024 14:47:31 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696725#M236787 Seawheels51 2024-08-19T14:47:31Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696730#M236790 <P>I mean you use up additional license amount for indexing additional data using the collect command unless you use the stash or stash_hec sourcetypes. So each events you firstly index into index A and then search, transform and collect into index B will cost you twice (roughly - depending on what you do with it in terms of processing before collecting) the license usage that it uses just be indexing it into index A. Whether you're within your license limits or not depends of course on the overall amount of ingested data and your license size.</P> Mon, 19 Aug 2024 15:01:42 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696730#M236790 PickleRick 2024-08-19T15:01:42Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696736#M236793 <P>Appreciate the clarification, I have 30%+ headroom with my license so a couple of onetime events should not be an issue.</P> Mon, 19 Aug 2024 15:21:44 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696736#M236793 Seawheels51 2024-08-19T15:21:44Z https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696738#M236794 <P>I have the collect search working, eval _raw="field1","field2", ...</P><P><A href="https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConversionFunctions" target="_blank">Conversion functions - Splunk Documentation</A></P><P>Thank you for pointing me in the right direction and well done <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a></P> Mon, 19 Aug 2024 15:42:08 GMT https://community.splunk.com/t5/Splunk-Search/collect-Aruba-SNMP-and-quotes/m-p/696738#M236794 Seawheels51 2024-08-19T15:42:08Z