Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- LINE_BREAKER and field extractions problems with S...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LINE_BREAKER and field extractions problems with SNMP Modular Input
I'm using the SNMP modular input and having problems getting it to break into multiple events. I can't seem to get line_breaker to work at all.
Here is a sample of the event data:
IF-MIB::ifInOctets."2" = "2303277645" IF-MIB::ifOutOctets."2" = "2190994307" IF-MIB::ifInOctets."3" = "0" IF-MIB::ifOutOctets."3" = "0" IF-MIB::ifInOctets."4" = "0" IF-MIB::ifOutOctets."4" = "0" IF-MIB::ifInOctets."5" = "0" IF-MIB::ifOutOctets."5" = "0" IF-MIB::ifInOctets."6" = "0" IF-MIB::ifOutOctets."6" = "0" IF-MIB::ifInOctets."7" = "0" IF-MIB::ifOutOctets."7" = "0" IF-MIB::ifInOctets."8" = "0" IF-MIB::ifOutOctets."8" = "0" IF-MIB::ifInOctets."9" = "0" IF-MIB::ifOutOctets."9" = "0" IF-MIB::ifInOctets."10" = "0" IF-MIB::ifOutOctets."10" = "0"
This goes on for awhile and is all on a single line.
My props.conf looks like this:
[ciscosnmp]
DATETIME_CONFIG=CURRENT
LINE_BREAKER=(IF-MIB::if)
NO_BINARY_CHECK=1
SEDCMD-first=s/IF-MIB/\nIF-MIB/g
SHOULD_LINEMERGE=false
TRUNCATE=0
Now, the SEDCMD works appropriately and puts each event on it's own line, but the LINE_BREAKER doesn't do anything. Oddly, if I paste the original event data into a text file and build the same configuration for it, it works fine.
Additionally, I can't figure out how to extract the fields. After my SEDCMD, the data looks like this:
IF-MIB::ifInOctets."2" = "3957423569"
IF-MIB::ifOutOctets."2" = "3763306785"
IF-MIB::ifInOctets."3" = "0"
IF-MIB::ifOutOctets."3" = "0"
IF-MIB::ifInOctets."4" = "0"
IF-MIB::ifOutOctets."4" = "0"
IF-MIB::ifInOctets."5" = "0"
IF-MIB::ifOutOctets."5" = "0"
Basically, Direction."(portnumber)"="bytesoftraffic"
I've tinkered with SEDCMD and can get it to look nicer, but after an entire day of messing with the field extractions, transforms, delims, fields etc. I haven't gotten it to break those lines into fields. Any help would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The SNMP Mod Input comes with a sourcetype "snmp_ta" defined.
Have a look in snmp_ta/default/props.conf and snmp_ta/default/transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand correctly you require a very customized output , so you are right, responsehandlers.py exists for this purpose.
If you look at responsehandlers.py , there is an example custom response handler called "JSONFormatterResponseHandler" that converts SNMP attribute output into JSON. So you could go off this as a guideline for your custom response handler. You then declare this custom response handler name in your SNMP stanza setup and it will get applied.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That helped with the field extractions, but I still can't get line_breaker to work--is this a limitation of how the modular input is implemented?
Is there any way around it? I can use the "split bulk results" option to divide every entry up, but that poses it's own problem.
It seems like the custom response handler may be what I'm looking for, but I can't find much in the way of examples.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
