Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Changing sourcetype name
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jwhughes58
Contributor
03-31-2021
09:03 AM
I've got an app that I've developed running on a HF that has the following inputs.conf
monitor:///apps/snmp-traps/traps-received.log]
disabled = false
host = hostname
index = my_index
sourcetype = SNMP:raw
Then the props.conf
[SNMP:raw]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps
Then the transforms.conf
#
# Set sourcetype based on trap
#
#
# Aruba AMP Trap 12
#
[aruba_rogue_ap_discovered]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetected
FORMAT = sourcetype::aruba:rogue_ap_discovered
#
# Aruba AMP Trap 13
#
[aruba_down_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downAP
FORMAT = sourcetype::aruba:down_ap
#
# Aruba AMP Trap 15
#
[aruba_up_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upAP
FORMAT = sourcetype::aruba:up_ap
#
# Aruba AMP Trap 16
#
[aruba_down_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downRadio
FORMAT = sourcetype::aruba:down_radio
#
# Aruba AMP Trap 30
#
[aruba_radio_utilization]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::radioUtilization
FORMAT = sourcetype::aruba:radio_utilization
#
# Aruba AMP Trap 32
#
[aruba_rogue_ap_detected_detail]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetectedDetail
FORMAT = sourcetype::aruba:rogue_ap_detected_detail
#
# Aruba AMP Trap 59
#
[aruba_up_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upRadio
FORMAT = sourcetype::aruba:up_radio
#
# Aruba AMP Trap 200
#
[aruba_config_alert]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::configAlert
FORMAT = sourcetype::aruba:config_alert
#### sourcetype routing
[snmp_aruba_amp]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB
FORMAT = sourcetype::aruba:snmp
[snmp_cisco_prime]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB
FORMAT = sourcetype::cisco:prime
[snmp_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.*
FORMAT = sourcetype::cisco:asa:snmp
[snmp_pan]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS
FORMAT = sourcetype::pan:snmp
[snmp_solarwinds]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS
FORMAT = sourcetype::solarwinds:snmp
[snmp_generic_traps]
DEST_KEY = MetaData:Sourcetype
REGEX = .*IF-MIB.*
FORMAT = sourcetype::snmp:generic_trapsThe data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, instead I see aruba:snmp. I thought I understood this when this was for PAN only it appeared that the transforms get processed in order. Is there something I'm missing?
Splunk 7.3.6
TIA,
Joe
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scelikok
SplunkTrust
03-31-2021
12:21 PM
Hi @jwhughes58,
Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.
If this reply helps you an upvote and "Accept as Solution" is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scelikok
SplunkTrust
03-31-2021
12:48 PM
Hi @jwhughes58,
Yes, the last one wins.
If this reply helps you an upvote and "Accept as Solution" is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scelikok
SplunkTrust
03-31-2021
12:21 PM
Hi @jwhughes58,
Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.
If this reply helps you an upvote and "Accept as Solution" is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jwhughes58
Contributor
03-31-2021
12:27 PM
Hi,
I've read that and thought I had an understanding of list order. So it is the last one that wins and not the first one?
Joe
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
