I've got an app that I've developed running on an HF that has the following inputs.conf
[monitor:///apps/snmp-traps/traps-received.log]
disabled = false
host = hostname
index = my_index
sourcetype = SNMP:raw
Then the props.conf
[SNMP:raw]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps
Then the transforms.conf
#
# Set sourcetype based on trap
#
#
# Aruba AMP Trap 12
#
[aruba_rogue_ap_discovered]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetected
FORMAT = sourcetype::aruba:rogue_ap_discovered
#
# Aruba AMP Trap 13
#
[aruba_down_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downAP
FORMAT = sourcetype::aruba:down_ap
#
# Aruba AMP Trap 15
#
[aruba_up_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upAP
FORMAT = sourcetype::aruba:up_ap
#
# Aruba AMP Trap 16
#
[aruba_down_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downRadio
FORMAT = sourcetype::aruba:down_radio
#
# Aruba AMP Trap 30
#
[aruba_radio_utilization]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::radioUtilization
FORMAT = sourcetype::aruba:radio_utilization
#
# Aruba AMP Trap 32
#
[aruba_rogue_ap_detected_detail]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetectedDetail
FORMAT = sourcetype::aruba:rogue_ap_detected_detail
#
# Aruba AMP Trap 59
#
[aruba_up_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upRadio
FORMAT = sourcetype::aruba:up_radio
#
# Aruba AMP Trap 200
#
[aruba_config_alert]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::configAlert
FORMAT = sourcetype::aruba:config_alert
#### sourcetype routing
[snmp_aruba_amp]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB
FORMAT = sourcetype::aruba:snmp
[snmp_cisco_prime]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB
FORMAT = sourcetype::cisco:prime
[snmp_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.*
FORMAT = sourcetype::cisco:asa:snmp
[snmp_pan]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS
FORMAT = sourcetype::pan:snmp
[snmp_solarwinds]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS
FORMAT = sourcetype::solarwinds:snmp
[snmp_generic_traps]
DEST_KEY = MetaData:Sourcetype
REGEX = .*IF-MIB.*
FORMAT = sourcetype::snmp:generic_traps
The data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, I see aruba:snmp. I thought I understood this; when this was for PAN only, it appeared that the transforms get processed in order. Is there something I'm missing?
Splunk 7.3.6
TIA,
Joe
Hi @jwhughes58,
Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.
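To make the ordering concrete, here is an added Python simulation (not Splunk code and not part of the poster's app) that applies the posted transforms.conf stanzas in the order the props.conf TRANSFORMS-snmp_sourcetype line lists them, overwriting the sourcetype on every match so that the last match wins. It then shows both fixes the answer suggests: reordering so the broad vendor stanza (snmp_aruba_amp) runs before the trap-specific stanzas, and tightening the trap patterns, since the posted AWAMP-MIB::rogueAPDetected pattern is also a prefix of AWAMP-MIB::rogueAPDetectedDetail. The trap lines are constructed in snmptrapd style with made-up addresses and timestamps; the helper names (apply_transforms, reorder_generic_first, tighten_trap_patterns) are mine.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Transform:
    """One transforms.conf stanza with DEST_KEY = MetaData:Sourcetype."""
    name: str
    regex: str        # the stanza's REGEX value
    sourcetype: str   # the part of FORMAT after "sourcetype::"


# Stanzas copied from the posted transforms.conf, in the order the posted
# TRANSFORMS-snmp_sourcetype line in props.conf lists them.
POSTED_ORDER = [
    Transform("aruba_config_alert", r"AWAMP-MIB::configAlert", "aruba:config_alert"),
    Transform("aruba_down_ap", r"AWAMP-MIB::downAP", "aruba:down_ap"),
    Transform("aruba_down_radio", r"AWAMP-MIB::downRadio", "aruba:down_radio"),
    Transform("aruba_radio_utilization", r"AWAMP-MIB::radioUtilization", "aruba:radio_utilization"),
    Transform("aruba_rogue_ap_detected_detail", r"AWAMP-MIB::rogueAPDetectedDetail", "aruba:rogue_ap_detected_detail"),
    Transform("aruba_rogue_ap_discovered", r"AWAMP-MIB::rogueAPDetected", "aruba:rogue_ap_discovered"),
    Transform("aruba_up_ap", r"AWAMP-MIB::upAP", "aruba:up_ap"),
    Transform("snmp_aruba_amp", r"SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB", "aruba:snmp"),
    Transform("snmp_cisco_prime", r"SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB", "cisco:prime"),
    Transform("snmp_cisco_asa", r".*SNMPv2-SMI\:\:enterprises\.3076.*", "cisco:asa:snmp"),
    Transform("snmp_solarwinds", r"SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS", "solarwinds:snmp"),
    Transform("snmp_pan", r"SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS", "pan:snmp"),
    Transform("snmp_generic_traps", r".*IF-MIB.*", "snmp:generic_traps"),
]

# Constructed trap lines in snmptrapd style (addresses, times and varbinds are made up).
ROGUE_AP_TRAP = (
    "2021-03-04 10:15:22 UDP: [192.0.2.10]:161->[192.0.2.20]:162 "
    "SNMPv2-MIB::sysUpTime.0 = Timeticks: (123456) 0:20:34.56 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: AWAMP-MIB::rogueAPDetected "
)
ROGUE_AP_DETAIL_TRAP = ROGUE_AP_TRAP.replace("rogueAPDetected", "rogueAPDetectedDetail")


def matching_stanzas(event: str, transforms: Iterable[Transform]) -> List[str]:
    """Names of every stanza whose REGEX matches the event, in list order."""
    return [t.name for t in transforms if re.search(t.regex, event)]


def apply_transforms(event: str, transforms: Iterable[Transform], default: str = "SNMP:raw") -> str:
    """Apply the stanzas in list order; each match overwrites the sourcetype, so the last match wins."""
    sourcetype = default
    for t in transforms:
        if re.search(t.regex, event):
            sourcetype = t.sourcetype
    return sourcetype


def reorder_generic_first(transforms: Iterable[Transform]) -> List[Transform]:
    """Fix 1 (change the order): run the broad vendor-level snmp_* stanzas before
    the trap-specific ones, so the specific sourcetype is the final overwrite."""
    transforms = list(transforms)
    generic = [t for t in transforms if t.name.startswith("snmp_")]
    specific = [t for t in transforms if not t.name.startswith("snmp_")]
    return generic + specific


def tighten_trap_patterns(transforms: Iterable[Transform]) -> List[Transform]:
    """Fix 2 (more specific REGEX): end each trap-name pattern with a word boundary,
    so rogueAPDetected no longer also matches rogueAPDetectedDetail."""
    return [
        Transform(t.name, t.regex + r"\b", t.sourcetype) if t.name.startswith("aruba_") else t
        for t in transforms
    ]


if __name__ == "__main__":
    print("matches, posted order:", matching_stanzas(ROGUE_AP_TRAP, POSTED_ORDER))
    print("posted order        :", apply_transforms(ROGUE_AP_TRAP, POSTED_ORDER))
    fixed = tighten_trap_patterns(reorder_generic_first(POSTED_ORDER))
    print("reordered+tightened :", apply_transforms(ROGUE_AP_TRAP, fixed))
    print("detail trap, fixed  :", apply_transforms(ROGUE_AP_DETAIL_TRAP, fixed))
```

Reordering alone is enough for the rogueAPDetected trap, but the detail trap shows why the answer also recommends more specific patterns: with only the reorder, aruba_rogue_ap_discovered still runs after aruba_rogue_ap_detected_detail and overwrites it, because its pattern is a prefix of the longer trap name.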
Hi @jwhughes58,
Yes, the last one wins.
Hi,
I've read that and thought I had an understanding of list order. So it is the last one that wins and not the first one?
Joe