Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- SNMP Data Events, need help matching indexed value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SNMP Data Events, need help matching indexed values with regex
I am using the SNMP Modular Input package found here: https://splunkbase.splunk.com/app/1537/
My Splunk events appear as the following:
MYMIB::errorCounter."0" = "10" MYMIB::errorCounter."1" = "12" MYMIB::errorCounter."2" = "13" MYMIB::errorCounter."3" = "17" MYMIB::elementID."0" = "compid1" MYMIB::elementID."1" = "amescomp2" MYMIB::elementID."2" = "othercompid" MYMIB::elementID."3" = "hi"
sourcetype = snmp_ta
I am trying to match each errorCounter and elementID with the same index, denoted by ."". I want to create a time chart that will show the change in errorCount for each unique elementID over time. Currently, both the fields and indexes are not being recognized by Splunk. I tried using the REX command to extract data but I am having a hard time finding a solution that will work when I add another 100+ indexes of data per event. Any help would be appreciated thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try below query
<yourBasesearch>
| rex "::(?<a>\w+)\.\"(?<b>\d+)\"\s\=\s\"(?<c>\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval f=mvindex(split(e,","),0), h=mvindex(split(e,","),2)
| eval {f}=h
| stats list(elementID) as elementID, list(errorCounter) as errorCounter by _time
| eval i = mvzip(elementID,errorCounter)
| mvexpand i
| eval elementID=mvindex(split(i,","),0), errorCounter=mvindex(split(i,","),1)
| timechart avg(errorCounter) by elementID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for your response! It helped out a lot. I was able to adjust the query slightly to get just about what I wanted. Unfortunately, in the xyseries portion of my query below "| xyseries _time indexes myerrorCount" I would like to replace indexes with myelementID but when I do so my visualization stops appearing. Is there something that I'm missing?
sourcetype="snmp_ta"
| rex "::(?\w+).\"(?\d+)\"\s=\s\"(?\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval m=mvfilter(match(e, ".errorCount."))
| eval n=mvfilter(match(e, ".elementID."))
| eval indexes=mvindex(split(m,","),1), myerrorCount=mvindex(split(m,","),2), myelementID=mvindex(split(n,","),2)
| xyseries _time indexes myerrorCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like with your query , values existed on all three columns (_time, indexes and myerrorCount for | xyseries _time indexes myerrorCount and that's why it is displaying data, however when you try to run | xyseries _time indexes myelementID that does not have values in indexes where elemetnID value is present and due to that it is not generating any output.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
