topic Custom Search - Help needed. in Splunk Search

Custom Search - Help needed.

nandipatisunil — Tue, 22 Oct 2013 12:55:25 GMT

I have trap data coming onto my Splunk Server ... the data looks like this

1.3.6.1.4.1.3279.1.1.8.1.35.2 = ObjectSyntax: simple=SimpleSyntax: string=application_name

my key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end "application_name"

can some one help me with the search query here.

lukejadamec — Mon, 28 Oct 2013 15:12:39 GMT

What are you searching for exactly?

nandipatisunil — Mon, 28 Oct 2013 15:17:32 GMT

I am trying to create custom key-value pairs ... my key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end "application_name".

jtrucks — Mon, 28 Oct 2013 15:51:21 GMT

Assumption: Every event has the same data between the OID and the application_name.

Use a transform. Perhaps something like this (based on an answers entry😞

In props.conf do:

[yoursourcetypehere]
REPORT-myoidextract = getmyoiddata

Then in transforms.conf do:

[getmyoiddata]
REGEX = (?.*)\s=\sObjectSyntax:\ssimple=SimpleSyntax:\s+string=(?.*)
FORMAT = $1::$2

See if that works (or muss with it some if it's not exact).

nandipatisunil — Tue, 29 Oct 2013 01:43:31 GMT

This did my job

REGEX = \s1.3.6.1.4.1.3279.1.1.8.1.35.2\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?.*)

... but had to also mention the below part ... since it was writing the rest of the message also to the above one.

\s+\s+\s1.3.6.1.4.1.3279.1.1.8.1.35.3\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?.*)

Thanks Mr. JTrucks.