Getting Data In

Changing sourcetype name

jwhughes58
Contributor

I've got an app that I've developed running on a HF that has the following inputs.conf

 

monitor:///apps/snmp-traps/traps-received.log]
disabled = false
host = hostname
index = my_index
sourcetype = SNMP:raw

 

 Then the props.conf

 

[SNMP:raw]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps

 

Then the transforms.conf

#
# Set sourcetype based on trap
#

#
# Aruba AMP Trap 12
#
[aruba_rogue_ap_discovered]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetected
FORMAT = sourcetype::aruba:rogue_ap_discovered

#
# Aruba AMP Trap 13
#
[aruba_down_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downAP
FORMAT = sourcetype::aruba:down_ap

#
# Aruba AMP Trap 15
#
[aruba_up_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upAP
FORMAT = sourcetype::aruba:up_ap

#
# Aruba AMP Trap 16
#
[aruba_down_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downRadio
FORMAT = sourcetype::aruba:down_radio

#
# Aruba AMP Trap 30
#
[aruba_radio_utilization]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::radioUtilization
FORMAT = sourcetype::aruba:radio_utilization

#
# Aruba AMP Trap 32
#
[aruba_rogue_ap_detected_detail]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetectedDetail
FORMAT = sourcetype::aruba:rogue_ap_detected_detail

#
# Aruba AMP Trap 59
#
[aruba_up_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upRadio
FORMAT = sourcetype::aruba:up_radio

#
# Aruba AMP Trap 200
#
[aruba_config_alert]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::configAlert
FORMAT = sourcetype::aruba:config_alert

#### sourcetype routing

[snmp_aruba_amp]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB
FORMAT = sourcetype::aruba:snmp

[snmp_cisco_prime]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB
FORMAT = sourcetype::cisco:prime

[snmp_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.*
FORMAT = sourcetype::cisco:asa:snmp

[snmp_pan]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS
FORMAT = sourcetype::pan:snmp

[snmp_solarwinds]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS
FORMAT = sourcetype::solarwinds:snmp

[snmp_generic_traps]
DEST_KEY = MetaData:Sourcetype
REGEX = .*IF-MIB.*
FORMAT = sourcetype::snmp:generic_traps

The data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, instead I see aruba:snmp.  I thought I understood this when this was for PAN only it appeared that the transforms get processed in order.  Is there something I'm missing?

Splunk 7.3.6

TIA,

Joe

Labels (3)
Tags (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @jwhughes58,

Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @jwhughes58,

Yes, the last one wins. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @jwhughes58,

Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

jwhughes58
Contributor

Hi,

I've read that and thought I had an understanding of list order.  So it is the last one that wins and not the first one?

Joe

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...