Getting Data In

Changing sourcetype name

jwhughes58
Contributor

I've got an app that I've developed running on an HF that has the following inputs.conf

[monitor:///apps/snmp-traps/traps-received.log]
disabled = false
host = hostname
index = my_index
sourcetype = SNMP:raw

Then the props.conf

[SNMP:raw]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps


Then the transforms.conf

#
# Set sourcetype based on trap
#

#
# Aruba AMP Trap 12
#
[aruba_rogue_ap_discovered]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetected
FORMAT = sourcetype::aruba:rogue_ap_discovered

#
# Aruba AMP Trap 13
#
[aruba_down_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downAP
FORMAT = sourcetype::aruba:down_ap

#
# Aruba AMP Trap 15
#
[aruba_up_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upAP
FORMAT = sourcetype::aruba:up_ap

#
# Aruba AMP Trap 16
#
[aruba_down_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downRadio
FORMAT = sourcetype::aruba:down_radio

#
# Aruba AMP Trap 30
#
[aruba_radio_utilization]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::radioUtilization
FORMAT = sourcetype::aruba:radio_utilization

#
# Aruba AMP Trap 32
#
[aruba_rogue_ap_detected_detail]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetectedDetail
FORMAT = sourcetype::aruba:rogue_ap_detected_detail

#
# Aruba AMP Trap 59
#
[aruba_up_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upRadio
FORMAT = sourcetype::aruba:up_radio

#
# Aruba AMP Trap 200
#
[aruba_config_alert]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::configAlert
FORMAT = sourcetype::aruba:config_alert

#### sourcetype routing

[snmp_aruba_amp]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB
FORMAT = sourcetype::aruba:snmp

[snmp_cisco_prime]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB
FORMAT = sourcetype::cisco:prime

[snmp_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.*
FORMAT = sourcetype::cisco:asa:snmp

[snmp_pan]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS
FORMAT = sourcetype::pan:snmp

[snmp_solarwinds]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS
FORMAT = sourcetype::solarwinds:snmp

[snmp_generic_traps]
DEST_KEY = MetaData:Sourcetype
REGEX = .*IF-MIB.*
FORMAT = sourcetype::snmp:generic_traps

The data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, I see aruba:snmp. I thought I understood this: when this was for PAN only, it appeared that the transforms get processed in order. Is there something I'm missing?

Splunk 7.3.6

TIA,

Joe


scelikok
SplunkTrust

Hi @jwhughes58,

Splunk applies transforms in the list order. Since both rogue_ap_discovered and snmp_aruba_amp are matching, the last one wins. You should either make REGEX definitions more specific or change the order.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

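The "last match wins" behaviour from the accepted answer, modelled in Python (an added example, not code from the original post or from Splunk). It walks a subset of the posted transforms.conf stanzas in the order props.conf lists them, applying each REGEX to a constructed trap line and overwriting the sourcetype on every match, then repeats the walk with the catch-all snmp_aruba_amp moved to the front of the list. The `\b` anchoring in the second list is an assumption on my part and is one way of following the answer's advice to make the regexes more specific: as posted, `AWAMP-MIB::rogueAPDetected` is also a substring match for rogueAPDetectedDetail traps, so those get relabelled too.

```python
import re

# Subset of the posted transforms.conf stanzas, in the order props.conf's
# TRANSFORMS-snmp_sourcetype lists them: (stanza, REGEX, sourcetype written).
POSTED_ORDER = [
    ("aruba_rogue_ap_detected_detail", r"AWAMP-MIB::rogueAPDetectedDetail", "aruba:rogue_ap_detected_detail"),
    ("aruba_rogue_ap_discovered", r"AWAMP-MIB::rogueAPDetected", "aruba:rogue_ap_discovered"),
    ("snmp_aruba_amp", r"SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB", "aruba:snmp"),
]

# Assumed fix: broad catch-all first, specific stanzas after it, and \b added so
# "rogueAPDetected" no longer also matches "rogueAPDetectedDetail".
FIXED_ORDER = [
    ("snmp_aruba_amp", r"SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB", "aruba:snmp"),
    ("aruba_rogue_ap_detected_detail", r"AWAMP-MIB::rogueAPDetectedDetail\b", "aruba:rogue_ap_detected_detail"),
    ("aruba_rogue_ap_discovered", r"AWAMP-MIB::rogueAPDetected\b", "aruba:rogue_ap_discovered"),
]


def apply_transforms(raw, transforms):
    """Model of a TRANSFORMS-<class> walk: every stanza whose REGEX matches _raw
    writes its FORMAT value into DEST_KEY, so the last matching stanza wins.
    Returns (final sourcetype, names of the stanzas that matched, in order)."""
    sourcetype, matched = "SNMP:raw", []
    for name, regex, value in transforms:
        if re.search(regex, raw):
            sourcetype = value
            matched.append(name)
    return sourcetype, matched


# Constructed sample trap lines in snmptrapd-style output (not taken from the post).
ROGUE_AP_TRAP = ('SNMPv2-MIB::snmpTrapOID.0 = OID: AWAMP-MIB::rogueAPDetected\t'
                 'AWAMP-MIB::apName.0 = STRING: "ap-lobby-01"')
ROGUE_DETAIL_TRAP = ('SNMPv2-MIB::snmpTrapOID.0 = OID: AWAMP-MIB::rogueAPDetectedDetail\t'
                     'AWAMP-MIB::rogueBSSID.0 = STRING: "00:11:22:33:44:55"')

if __name__ == "__main__":
    for label, trap in (("rogueAPDetected", ROGUE_AP_TRAP), ("rogueAPDetectedDetail", ROGUE_DETAIL_TRAP)):
        print(label, "posted order ->", apply_transforms(trap, POSTED_ORDER))
        print(label, "fixed order  ->", apply_transforms(trap, FIXED_ORDER))
```

In Splunk the equivalent of FIXED_ORDER is editing the TRANSFORMS-snmp_sourcetype list in props.conf, not transforms.conf; note also that the posted list omits aruba_up_radio even though transforms.conf defines it.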

scelikok
SplunkTrust

Hi @jwhughes58,

Yes, the last one wins. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


jwhughes58
Contributor

Hi,

I've read that and thought I had an understanding of list order. So it is the last one that wins and not the first one?

Joe
