- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- SNMP Data Events, need help matching indexed value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SNMP Data Events, need help matching indexed values with regex
I am using the SNMP Modular Input package found here: https://splunkbase.splunk.com/app/1537/
My Splunk events appear as the following:
MYMIB::errorCounter."0" = "10" MYMIB::errorCounter."1" = "12" MYMIB::errorCounter."2" = "13" MYMIB::errorCounter."3" = "17" MYMIB::elementID."0" = "compid1" MYMIB::elementID."1" = "amescomp2" MYMIB::elementID."2" = "othercompid" MYMIB::elementID."3" = "hi"
sourcetype = snmp_ta
I am trying to match each errorCounter and elementID with the same index, denoted by ."". I want to create a time chart that will show the change in errorCount for each unique elementID over time. Currently, both the fields and indexes are not being recognized by Splunk. I tried using the REX command to extract data but I am having a hard time finding a solution that will work when I add another 100+ indexes of data per event. Any help would be appreciated thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try below query
<yourBasesearch>
| rex "::(?<a>\w+)\.\"(?<b>\d+)\"\s\=\s\"(?<c>\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval f=mvindex(split(e,","),0), h=mvindex(split(e,","),2)
| eval {f}=h
| stats list(elementID) as elementID, list(errorCounter) as errorCounter by _time
| eval i = mvzip(elementID,errorCounter)
| mvexpand i
| eval elementID=mvindex(split(i,","),0), errorCounter=mvindex(split(i,","),1)
| timechart avg(errorCounter) by elementID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for your response! It helped out a lot. I was able to adjust the query slightly to get just about what I wanted. Unfortunately, in the xyseries portion of my query below "| xyseries _time indexes myerrorCount" I would like to replace indexes with myelementID but when I do so my visualization stops appearing. Is there something that I'm missing?
sourcetype="snmp_ta"
| rex "::(?\w+).\"(?\d+)\"\s=\s\"(?\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval m=mvfilter(match(e, ".errorCount."))
| eval n=mvfilter(match(e, ".elementID."))
| eval indexes=mvindex(split(m,","),1), myerrorCount=mvindex(split(m,","),2), myelementID=mvindex(split(n,","),2)
| xyseries _time indexes myerrorCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like with your query , values existed on all three columns (_time, indexes and myerrorCount for | xyseries _time indexes myerrorCount and that's why it is displaying data, however when you try to run | xyseries _time indexes myelementID that does not have values in indexes where elemetnID value is present and due to that it is not generating any output.
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
