Hi all. Having an issue with hostname override for SNMP logs. I created these props and transforms to get the agent_hostname from the logs to override the host (syslog011) for these SNMP trap logs, but it doesn't seem to have worked. Not sure what the mistake is here.
TRANSFORMS.CONF

[snmptrapd_kv]
DELIMS = "\n", "="

[snmp_hostname_change]
DEST_KEY = MetaData:Host
REGEX = Agent_Hostname = (.*)
FORMAT = host::$1

PROPS.CONF

[snmptrapd]
disabled = false
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
TRANSFORMS-snmp_hostname_change = snmp_hostname_change
Hi @ayomotukoya
Can I check which method you are using to ingest the SNMP data? Is it using Splunk Connect for SNMP? (https://splunk.github.io/splunk-connect-for-snmp/main/) If so, this sends the data to Splunk via HEC, so it would require a different approach to this problem.
Or is this monitoring local files which are saved to disk from SNMP? If so, is this on a Universal Forwarder (UF) or a heavy forwarder (HF)?
Please use code blocks or preformatted paragraphs for config snippets. It greatly improves readability.
And your config's syntax is completely off. If that is your actual config, use
splunk btool check
to verify your config. If not, please copy-paste your literal settings.
Hi @ayomotukoya ,
I suppose that the transforms.conf isn't correct:
[snmp_hostname_change]
# Host metadata key takes a single colon; the value must carry the host:: prefix
DEST_KEY = MetaData:Host
# Tolerate any whitespace (or none) around the '=' in the raw trap text
REGEX = Agent_Hostname\s*\=\s*(.*)
FORMAT = host::$1
I can be more detailed and certain if you could share a sample of your logs.
Ciao.
Giuseppe
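Added example, not code from the original post or from either reply: a Python emulation of the props/transforms settings discussed above, run over a constructed snmptrapd-style sample, so the line breaking, timestamp prefix, DELIMS extraction and host-override regex can be checked offline before touching the HF or indexer. It compares the original post's `Agent_Hostname = (.*)`, the answer's whitespace-tolerant `Agent_Hostname\s*\=\s*(.*)`, and a `(\S+)` variant that goes a step further and stops at the first whitespace. The sample text, the hostnames and addresses, and the `Date = ` field name are assumptions; Python's `re` module only approximates Splunk's PCRE and whitespace handling.

```python
"""Offline emulation of the snmptrapd props/transforms from this thread.

Added example, not code from the original post.  The trap text below is
constructed to look like snmptrapd "Key = value" output (field names,
hostnames and addresses are assumptions); Python's re module only
approximates Splunk's PCRE and whitespace handling, so treat this as a
pre-flight check of the regexes, not a replacement for btool and a test search.
"""
import re
from datetime import datetime
from typing import Optional

# Constructed sample: two traps.  The second one has no spaces around '=' and
# a CRLF line ending, the two cases on which the thread's regexes disagree.
SAMPLE = (
    "Agent_Address = 10.0.0.5\n"
    "Agent_Hostname = switch01.example.net\n"
    "Date = 2024-05-01 12:34:56\n"
    "Trap_OID = .1.3.6.1.6.3.1.1.5.3\n"
    "Agent_Address = 10.0.0.6\n"
    "Agent_Hostname=router02.example.net\r\n"
    "Date = 2024-05-01 12:35:07\n"
    "Trap_OID = .1.3.6.1.6.3.1.1.5.4\n"
)

DEFAULT_HOST = "syslog011"  # host the forwarder stamps when no override matches

# props.conf settings from the post (TIME_PREFIX field name "Date" is assumed).
LINE_BREAKER = re.compile(r"([\r\n]+)Agent_Address\s=")
TIME_PREFIX = re.compile(r"Date\s=\s")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 30

# transforms.conf [snmp_hostname_change] REGEX candidates.
HOST_REGEX_ORIGINAL = re.compile(r"Agent_Hostname = (.*)")      # the post
HOST_REGEX_ANSWER = re.compile(r"Agent_Hostname\s*\=\s*(.*)")   # the answer
HOST_REGEX_STRICT = re.compile(r"Agent_Hostname\s*=\s*(\S+)")   # added: drops trailing \r / spaces


def split_events(raw: str) -> list[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false.

    Splunk breaks at the first capture group and discards its text, so each
    event starts at 'Agent_Address'."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event: str) -> Optional[datetime]:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    candidate = window.splitlines()[0].strip()
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None


def kv_extract(event: str) -> dict[str, str]:
    """Emulate REPORT-snmptrapd with DELIMS = "\\n", "=".

    Whitespace around keys and values is stripped here (assumption); confirm
    with a real search whether your Splunk version does the same."""
    fields = {}
    for line in event.split("\n"):
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def override_host(event: str, regex: re.Pattern, default: str = DEFAULT_HOST) -> str:
    """Emulate REGEX + FORMAT = host::$1 + DEST_KEY = MetaData:Host against _raw.

    No match means the event keeps the forwarder's host, which is exactly the
    symptom described in the original post."""
    m = regex.search(event)
    return m.group(1) if m else default


def process(raw: str, regex: re.Pattern) -> list[dict]:
    """Run the emulated parsing pipeline and return one record per event."""
    return [
        {"host": override_host(ev, regex),
         "time": extract_timestamp(ev),
         "fields": kv_extract(ev)}
        for ev in split_events(raw)
    ]


if __name__ == "__main__":
    for name, rx in (("original", HOST_REGEX_ORIGINAL),
                     ("answer", HOST_REGEX_ANSWER),
                     ("strict", HOST_REGEX_STRICT)):
        print(f"{name:9s} -> {[rec['host'] for rec in process(SAMPLE, rx)]!r}")
```

On the constructed sample the original regex leaves the second trap on syslog011 because the literal " = " never matches "Agent_Hostname=", the answer's regex overrides it but captures "router02.example.net\r" (a CR inside the host value, which Splunk would treat as a distinct host), and the `(\S+)` variant yields the clean hostname. Two caveats independent of the regex: `TRANSFORMS-*` host overrides run in the parsing pipeline, so they must live on the HF or the indexer, not on a Universal Forwarder that only ships raw data; and the sourcetype stanza must actually be applied to the input (`splunk btool props list snmptrapd --debug` shows which file wins).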