topic Re: Trying to slip SNMP data on index or through rex in Splunk Search

Trying to slip SNMP data on index or through rex

srobinsonxtl — Wed, 29 Nov 2017 19:15:00 GMT

All,

I have the following Data: (192 of these) and trying to split the data into a multi-lined event, to extract the last number as 1.1.3.1.3.2.1.25.1 and the number after the = sign as the .

11/29/17

11:04:30.000 AM
SNMPv2-SMI::enterprises."1.1.3.1.3.2.1.25.1" = "1162" SNMPv2-SMI::enterprises."1.1.3.1.3.2.1.25.2" = "0"

I am trying to do this on index but can't seem to get it to work, or I can't get it to work using rex. Any help will be much appreciated.

Thanks,

Stephen Robinson

Re: Trying to slip SNMP data on index or through rex

richgalloway — Wed, 29 Nov 2017 19:36:52 GMT

Is it currently a multi-line event (it looks like one in the question)?
What are your current props.conf/transforms.conf settings for that sourcetype?
What will the number after the = sign be extracted as?

Re: Trying to slip SNMP data on index or through rex

srobinsonxtl — Tue, 29 Sep 2020 16:58:56 GMT

No it's not a multi-lined event at least I don't believe so. Here is my props.conf information and I don't have anything in Transforms for this sourcetype

[sourcetype_test]
LINE_BREAKER=([\r\n]+\s*)SNMPv2-SMI
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

1.1.3.1.3.2.1.25.{1} that value should be {id} and "1.1.3.1.3.2.1.25.1" = <"1162"> this value should be <"Reading">

I am leveraging the SNMP Modular Input application. I really appreciate you getting back to me so quickly.

THanks,

Stephen Robinson

Re: Trying to slip SNMP data on index or through rex

srobinsonxtl — Wed, 29 Nov 2017 19:46:56 GMT

At the end of the day, I would like to see the {id} as the field, and as the value, so I would have 192 fields with 192 values.

1 | 2 | 3 | 4| .....192
20| 43 | 80 | 100 | ..... 0

If this make sense.

Thanks,

Stephen Robinson

Re: Trying to slip SNMP data on index or through rex

harsmarvania57 — Thu, 30 Nov 2017 03:47:22 GMT

Still I am not clear how many SNMPv2-SMI in single line and do you want to extract all MIB values from same line If so then you can try something like this

    | makeresults
    | eval raw="11/29/17 11:04:30.000 AM SNMPv2-SMI::enterprises.\"1.1.3.1.3.2.1.25.1\" = \"1162\" SNMPv2-SMI::enterprises.\"1.1.3.1.3.2.1.25.2\" = \"0\""
    | makemv delim="::" raw
    | mvexpand raw
    | rex field=raw "enterprises\.\"\d+\.\d+\.\d+\.\d+\.\d+\.\d+\.\d+\.\d+\.(?<id>\d+)\"\s\=\s\"(?<Reading>\d+)\""

Re: Trying to slip SNMP data on index or through rex

richgalloway — Thu, 30 Nov 2017 13:57:58 GMT

It's seems your LINE_BREAKER setting will cut off the timestamp from the event. Is that really what you want?

To extract the "id" and "Reading" fields from the event, this regex works on regex101.com with your sample event: (?<id>\d+)".*=\s"(?<Reading>\d+)". For example:

<your basic search> | rex "(?<id>\d+)\".*=\s\"(?<Reading>\d+)" | table id Reading

Re: Trying to slip SNMP data on index or through rex

srobinsonxtl — Tue, 29 Sep 2020 16:59:30 GMT

Thank you for your response. I tried this and it doesn't seem to work. I have 192 SNMPv2-SMI that comes in on the single line for each poll.

Working through some trial and errors yesterday, I came up with the following but its not vary efficient.

index="dev" | eval _raw = split(_raw, "SNMPv2-SMI::enterprises.") | rex field=_raw "10381.1.3.1.3.2.1.1.?(?\d+)[\"]\s=\s[\"]?(?\d+)[\"]" | table _time,cid,vid | eval reading=mvzip(cid, vid) | fields - cid,vid| mvexpand reading | eval final=mvzip(reading, _time) | mvexpand final | makemv final delim="," | fields - _time,reading | eval time=mvindex(final, 2) | eval device=mvindex(final, 0) | eval data=mvindex(final, 1) | fields - final | table time,device,data | convert timeformat="%Y/%m/%d %T" mktime(time) as _time | fields - time | eval {device}=data | fields - device,data | fillnull | timechart sum() as (Device) usenull=f useother=f | addtotals as Total

Re: Trying to slip SNMP data on index or through rex

srobinsonxtl — Thu, 30 Nov 2017 16:43:19 GMT

Thank you for responding to my questions, this works, but just returns the first id and Reading, the end goal is to extract all 192 values that are on a single line, and output the id and reading into a multi-lined event. I would like to do it at index time, but it doesn't seem to be working using the props.conf I put in place.

Re: Trying to slip SNMP data on index or through rex

richgalloway — Thu, 30 Nov 2017 18:33:30 GMT

Thanks for clarifying. Here is an updated query for search-time extraction.

<your basic search> | rex max_match=0 "(?<id>\d+)\"\s+=\s\"(?<Reading>\d+)" | eval fields=mvzip(id, Reading) | mvexpand fields | rex field=fields "(?<id>\d+),(?<Reading>\d+)" | table id Reading

At index time you should be able to use the same regex string ("(?\d+)"\s+=\s"(?\d+)"), but be sure to include the mv_add = true option.

Re: Trying to slip SNMP data on index or through rex

srobinsonxtl — Thu, 30 Nov 2017 21:38:46 GMT

Just to let you know and I took you example, and did the following in less steps: | rex max_match=0 "(?\d+)\"\s+=\s\"(?\d+)" | stats list(id),list(Reading) by _time,host