Solved: Snmpwalk KV Field Extraction

ephemeric · ‎01-29-2013

Greetz,

Man, do I feel stupid tonight, I can't even get this simple task working.
Please can someone help me?

I have like so from a snmpwalk scripted input:

IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 16

props.conf:
[snmp]
TRANSFORMS-snmpwalk = snmpwalk

transforms.conf:
[snmpwalk]
REGEX = (?m)IF-MIB::(.?)\s=\s.?:\s(.*)
FORMAT = $1::$2

I know the regex can be improved.

What am I doing wrong here?
I just want the KV fields extracted!
I keep getting 'Counter32' for the field value.

Thank you.

ephemeric · ‎01-30-2013

Sorry, I knew it was something simple, and the above regex was copy and paste broken:

[snmp]
KV_MODE = none
REPORT-snmpwalk = snmpwalk

[snmpwalk]
REGEX = IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$
FORMAT = $1::$2
CLEAN_KEYS = 1
MV_ADD = 0
disabled = 0

View solution in original post

ephemeric · ‎01-30-2013

Sorry, I knew it was something simple, and the above regex was copy and paste broken:

[snmp]
KV_MODE = none
REPORT-snmpwalk = snmpwalk

[snmpwalk]
REGEX = IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$
FORMAT = $1::$2
CLEAN_KEYS = 1
MV_ADD = 0
disabled = 0

sspencer_splunk · ‎01-30-2013

If you're not terribly worried about what the raw data looks like once it's within Splunk, you could easily use the interface table that SNMP provides. (You're really not worried about the raw data, right? 🙂

Splunk's "multikv" command easily breaks down the resulting SNMP table into searchable fields and values. And since you're SNMP walking, you might as well use snmptable since it's really just a more efficient way to walk.

Here's my one-line scripted input (stored in a bash script):

snmptable -v2c -c public 192.168.10.1 if

The resulting table is dropped directly into my Splunk index (every 10 minutes) and that's really all there is to it. From there I simply pipe my search to the multikv command and Splunk automatically discovers the key/value pairs and extracts them both for me:

sourcetype=snmpwalk index=snmp | multikv

ephemeric · ‎01-31-2013

I noticed that not all events were being extracted too... but thank you for giving me ideas, a different angle.

sspencer_splunk · ‎01-30-2013

Actually, I didn't notice the problem until you mentioned it. Then, it was obvious. My first thoughts are to manually search based on the interface you're curious about. That can be done with the "ifIndex" field that multikv extracts automatically. Unfortunately, it seems that the "ifDescr" field isn't being extracted in my Splunk instance. That would really be a better field to use because it persists over time, while ifIndex can change. (SNMP interface index numbers change on occasion.)

sourcetype=snmpwalk index=temp | multikv | search ifIndex="2"

ephemeric · ‎01-30-2013

Wow! Thank you, I tried this and it works. But stupid me I see only one field for ifInOctets and ifOutOctets. How do I get the octets per interface?

sbrant_splunk · ‎01-29-2013

Yes, you are getting the default key/value pairs because of the '='. Try this regex in place of yours:

IF-MIB::(.+)\s=\s\w+:\s(\d+)$

sbrant_splunk · ‎01-29-2013

Although you have a field name of Counter32, are you also seeing field names with this format? "ifOutDiscards.2"

Snmpwalk KV Field Extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life