topic Re: Manipulating SNMP Data: how to correlate fields in Splunk Search

Manipulating SNMP Data: how to correlate fields

guimilare — Thu, 30 Mar 2017 17:15:34 GMT

Hello Splunkers.

I'm indexing some SNMP data from a server.
Here is one event indexed:

HOST-RESOURCES-MIB::hrStorageDescr."31" = "/" 
HOST-RESOURCES-MIB::hrStorageDescr."35" = "/tmp" 
HOST-RESOURCES-MIB::hrStorageDescr."36" = "/home" 
HOST-RESOURCES-MIB::hrStorageDescr."37" = "/usr" 
HOST-RESOURCES-MIB::hrStorageDescr."38" = "/usr/local" 
HOST-RESOURCES-MIB::hrStorageDescr."39" = "/var" 
HOST-RESOURCES-MIB::hrStorageDescr."40" = "/var/log" 
HOST-RESOURCES-MIB::hrStorageDescr."41" = "/opt" 
HOST-RESOURCES-MIB::hrStorageDescr."42" = "/opt/nds/data" 
HOST-RESOURCES-MIB::hrStorageDescr."43" = "/var/log/nds" 
HOST-RESOURCES-MIB::hrStorageDescr."44" = "/var/log/splunk" 
HOST-RESOURCES-MIB::hrStorageDescr."45" = "/boot"
HOST-RESOURCES-MIB::hrStorageSize."1" = "132061388" 
HOST-RESOURCES-MIB::hrStorageSize."3" = "168263816" 
HOST-RESOURCES-MIB::hrStorageSize."6" = "132061388" 
HOST-RESOURCES-MIB::hrStorageSize."7" = "94129872" 
HOST-RESOURCES-MIB::hrStorageSize."10" = "36202428" 
HOST-RESOURCES-MIB::hrStorageSize."31" = "1015393" 
HOST-RESOURCES-MIB::hrStorageSize."35" = "1015385" 
HOST-RESOURCES-MIB::hrStorageSize."36" = "1523090" 
HOST-RESOURCES-MIB::hrStorageSize."37" = "2030792" 
HOST-RESOURCES-MIB::hrStorageSize."38" = "1015385" 
HOST-RESOURCES-MIB::hrStorageSize."39" = "2030792" 
HOST-RESOURCES-MIB::hrStorageSize."40" = "2538497" 
HOST-RESOURCES-MIB::hrStorageSize."41" = "12696559" 
HOST-RESOURCES-MIB::hrStorageSize."42" = "5073149" 
HOST-RESOURCES-MIB::hrStorageSize."43" = "19045441" 
HOST-RESOURCES-MIB::hrStorageSize."44" = "7384608" 
HOST-RESOURCES-MIB::hrStorageSize."45" = "507684" 
HOST-RESOURCES-MIB::hrStorageUsed."1" = "102838612" 
HOST-RESOURCES-MIB::hrStorageUsed."3" = "102838612" 
HOST-RESOURCES-MIB::hrStorageUsed."6" = "4708464" 
HOST-RESOURCES-MIB::hrStorageUsed."7" = "94129872" 
HOST-RESOURCES-MIB::hrStorageUsed."10" = "0" 
HOST-RESOURCES-MIB::hrStorageUsed."31" = "188130" 
HOST-RESOURCES-MIB::hrStorageUsed."35" = "55800" 
HOST-RESOURCES-MIB::hrStorageUsed."36" = "1302834" 
HOST-RESOURCES-MIB::hrStorageUsed."37" = "868359" 
HOST-RESOURCES-MIB::hrStorageUsed."38" = "165013" 
HOST-RESOURCES-MIB::hrStorageUsed."39" = "1473096" 
HOST-RESOURCES-MIB::hrStorageUsed."40" = "1659690" 
HOST-RESOURCES-MIB::hrStorageUsed."41" = "9159791" 
HOST-RESOURCES-MIB::hrStorageUsed."42" = "779795" 
HOST-RESOURCES-MIB::hrStorageUsed."43" = "8276891" 
HOST-RESOURCES-MIB::hrStorageUsed."44" = "86509" 
HOST-RESOURCES-MIB::hrStorageUsed."45" = "13485"

What I want to do is something like the table below:

Partition       Avail.    Used      Used%
/               1015393   188130    18,52
/tmp            1015385   55800     5,49
/home           1523090   1302834   85,53
/usr            2030792   868359    42,75
/usr/local      1015385   165013    16,25
/var            2030792   1473096   72,53
/var/log        2538497   1659690   65,38
/opt            12696559  9159791   72,14
/opt/ser/data   5073149   779795    15,37
/var/log/ser    19045441  8276891   43,45
/var/log/splunk 7384608   86509     1,17
/boot           507684    13485     2,65

I'd like to use the "id" in each line to correlate to the same "id" in other line.
How can I do this?

Thanks in advance!

Re: Manipulating SNMP Data: how to correlate fields

somesoni2 — Thu, 30 Mar 2017 17:24:42 GMT

That is one single event right?

Re: Manipulating SNMP Data: how to correlate fields

guimilare — Thu, 30 Mar 2017 17:32:51 GMT

That's correct

Re: Manipulating SNMP Data: how to correlate fields

cpetterborg — Thu, 30 Mar 2017 17:35:36 GMT

It would be much easier if it were a separate event for each line. Then you could use eval to get the number, tie the event together by the number, extract the fields, then combine through a table and eval the %Used.

Re: Manipulating SNMP Data: how to correlate fields

somesoni2 — Thu, 30 Mar 2017 18:00:36 GMT

Agree. If you've control, can you change the line breaking of events to treat each line as separate events? If not, we need to do the same via search time operation, like this

your base search  
| rex max_match=0 "HOST-RESOURCES-MIB::hrStorage(?<temp>\w+\.\"\d+\" \= \"[^\"]+\")" 
| table temp | mvexpand temp
| rex field=temp "(?<Metrics>\w+)\.\"(?<ID>\d+)\" \= \"(?<Val>[^\"]+)\""
| chart values(Val) over ID by Metrics 
| rename Descr as Partition Size as Avail 
| table Partition Avail Used | eval "Used%"=round(Used*100/Avail,2)

Re: Manipulating SNMP Data: how to correlate fields

cpetterborg — Thu, 30 Mar 2017 18:28:43 GMT

somesoni2 - That is great that you had that so quickly! Definitely do this as an answer, then if guimilare can't separate the event in to individual lines, he can accept that as the answer. I think this has some great potential for plenty of other people and having ti flagged as answered and accepted will help. You really have some great answers here and I think that sometimes your answers just get hidden down in the comments. Heaven knows you don't need the karma, but it would help know that a good and accepted answer is here. Thanks!!! 🙂 🙂

Re: Manipulating SNMP Data: how to correlate fields

guimilare — Thu, 30 Mar 2017 18:46:55 GMT

Hi somesoni2, it worked perfectly!! Thank you very much!
Our team is evaluating both event breaking methods to determinate wich on of them will give us simpler SPL searches.

Thank you both somesoni2 and cpetterborg for your answers! They helped a lot!

Re: Manipulating SNMP Data: how to correlate fields

DalJeanis — Thu, 30 Mar 2017 18:55:57 GMT

I have to agree. Sometimes I just change somesoni2's comments to answers myself... because often they are.