Greetz,
Man, do I feel stupid tonight, I can't even get this simple task working.
Please can someone help me?
I have output like so from an snmpwalk scripted input:
IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 16
props.conf:
[snmp]
TRANSFORMS-snmpwalk = snmpwalk
transforms.conf:
[snmpwalk]
REGEX = (?m)IF-MIB::(.?)\s=\s.?:\s(.*)
FORMAT = $1::$2
I know the regex can be improved.
What am I doing wrong here?
I just want the KV fields extracted!
I keep getting 'Counter32' for the field value.
Thank you.
Sorry, I knew it was something simple, and the above regex was copy and paste broken:
[snmp]
KV_MODE = none
REPORT-snmpwalk = snmpwalk
[snmpwalk]
REGEX = IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$
FORMAT = $1::$2
CLEAN_KEYS = 1
MV_ADD = 0
disabled = 0
If you're not terribly worried about what the raw data looks like once it's within Splunk, you could easily use the interface table that SNMP provides. (You're really not worried about the raw data, right? 🙂)
Splunk's "multikv" command easily breaks down the resulting SNMP table into searchable fields and values. And since you're SNMP walking, you might as well use snmptable since it's really just a more efficient way to walk.
Here's my one-line scripted input (stored in a bash script):
snmptable -v2c -c public 192.168.10.1 if
The resulting table is dropped directly into my Splunk index (every 10 minutes) and that's really all there is to it. From there I simply pipe my search to the multikv command and Splunk automatically discovers the key/value pairs and extracts them both for me:
sourcetype=snmpwalk index=snmp | multikv
I noticed that not all events were being extracted, too... but thank you for giving me ideas and a different angle.
Actually, I didn't notice the problem until you mentioned it. Then, it was obvious. My first thoughts are to manually search based on the interface you're curious about. That can be done with the "ifIndex" field that multikv extracts automatically. Unfortunately, it seems that the "ifDescr" field isn't being extracted in my Splunk instance. That would really be a better field to use because it persists over time, while ifIndex can change. (SNMP interface index numbers change on occasion.)
sourcetype=snmpwalk index=temp | multikv | search ifIndex="2"
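To make the snmptable/multikv approach above concrete, here is an added example (not from this thread or from Splunk) that parses a constructed snmptable-style dump into one record per interface and then looks an interface up by ifIndex or, as the answer recommends, by the more stable ifDescr. The table text, interface names and counter values are all made up for the example; the parser keys on the header row the way multikv does, splitting on whitespace when the row has one token per column and falling back to the header's column offsets otherwise.

```python
import re

# Constructed sample in the shape snmptable prints for IF-MIB::ifTable
# (columns left-aligned under the header; values are invented).
SAMPLE_TABLE = """\
SNMP table: IF-MIB::ifTable

ifIndex ifDescr ifType           ifMtu ifInOctets ifOutOctets
1       lo      softwareLoopback 65536 1024       1024
2       eth0    ethernetCsmacd   1500  8675309    4242
3       eth1    ethernetCsmacd   1500  0          0
"""


def parse_snmptable(text):
    """Turn an snmptable dump into a list of dicts, one per row.

    The first non-empty line after the 'SNMP table:' banner is the header;
    every later non-empty line is a data row. Like multikv, the header row
    supplies the field names.
    """
    lines = [
        line for line in text.splitlines()
        if line.strip() and not line.startswith("SNMP table:")
    ]
    header, rows = lines[0], lines[1:]
    names = header.split()
    # Column start offsets, used when a row cannot be split on whitespace
    # (e.g. a value containing spaces would throw the token count off).
    offsets = [m.start() for m in re.finditer(r"\S+", header)]

    records = []
    for row in rows:
        tokens = row.split()
        if len(tokens) != len(names):
            tokens = []
            for i, start in enumerate(offsets):
                end = offsets[i + 1] if i + 1 < len(offsets) else None
                tokens.append(row[start:end].strip())
        records.append(dict(zip(names, tokens)))
    return records


def interface_octets(records, field, value):
    """Return the in/out octet counters for the row whose `field` equals
    `value` (e.g. field='ifIndex', value='2' or field='ifDescr',
    value='eth0'), or None if no row matches. Equivalent in spirit to
    '... | multikv | search ifIndex="2"'.
    """
    for rec in records:
        if rec.get(field) == str(value):
            return {
                "ifIndex": rec["ifIndex"],
                "ifDescr": rec["ifDescr"],
                "ifInOctets": int(rec["ifInOctets"]),
                "ifOutOctets": int(rec["ifOutOctets"]),
            }
    return None


if __name__ == "__main__":
    recs = parse_snmptable(SAMPLE_TABLE)
    print(interface_octets(recs, "ifIndex", 2))
    print(interface_octets(recs, "ifDescr", "eth1"))
```

Because the lookup is done by field name, switching from ifIndex to ifDescr costs nothing, which is the point the answer makes about index numbers changing over time.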
Wow! Thank you, I tried this and it works. But, stupid me, I see only one field for ifInOctets and ifOutOctets. How do I get the octets per interface?
Yes, you are getting the default key/value pairs because of the '='. Try this regex in place of yours:
IF-MIB::(.+)\s=\s\w+:\s(\d+)$
Although you have a field name of Counter32, are you also seeing field names in this format: "ifOutDiscards.2"?
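As an added illustration of why the original poster kept seeing "Counter32" and how the corrected transforms.conf REGEX (and the alternative regex in the last answer) fix it, the following Python is not from this thread or from Splunk; it replays the thread's sample snmpwalk lines through three things: a deliberately simplified stand-in for Splunk's default KV_MODE=auto split on "=", the broken pasted regex, and the two working regexes with FORMAT = $1::$2. The auto_kv and clean_key helpers are approximations written for this example, not Splunk's actual code, and the ifDescr line is constructed to show a non-numeric value.

```python
import re

# Sample lines from the thread, plus one constructed non-counter line.
SAMPLE_LINES = [
    "IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714",
    "IF-MIB::ifOutNUcastPkts.2 = Counter32: 0",
    "IF-MIB::ifOutDiscards.2 = Counter32: 16",
    "IF-MIB::ifDescr.1 = STRING: eth0",  # constructed for the example
]

# The regex as first pasted in the question ("copy and paste broken").
BROKEN_REGEX = re.compile(r"(?m)IF-MIB::(.?)\s=\s.?:\s(.*)")
# The corrected transforms.conf REGEX from the original poster's follow-up.
FIXED_REGEX = re.compile(r"IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$")
# The regex suggested in the last answer (numeric values only).
ANSWER_REGEX = re.compile(r"IF-MIB::(.+)\s=\s\w+:\s(\d+)$")


def auto_kv(line):
    """Simplified imitation of Splunk's default key=value auto extraction:
    the token left of '=' is the key, the word right of it the value.
    This is why the poster saw 'Counter32' as the value: the auto
    extraction stops at the first non-word character after '='.
    (Assumption for this example; Splunk's real rules are richer.)"""
    m = re.search(r"(\S+)\s*=\s*(\w+)", line)
    return (m.group(1), m.group(2)) if m else None


def clean_key(key):
    """Approximation of CLEAN_KEYS = 1: characters that are not
    alphanumeric or underscore are replaced with underscores, so
    'ifOutDiscards.2' becomes 'ifOutDiscards_2'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key)


def extract(line, regex, clean=True):
    """Apply a REPORT-style REGEX with FORMAT = $1::$2 to one line.
    Returns (field, value), or None when the regex does not match."""
    m = regex.search(line)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    return (clean_key(key) if clean else key, value)


def extract_all(lines, regex):
    """Run extract() over every line; lines that do not match are skipped,
    which is what Splunk does with a non-matching transform."""
    fields = {}
    for line in lines:
        kv = extract(line, regex)
        if kv:
            fields[kv[0]] = kv[1]
    return fields


if __name__ == "__main__":
    print("auto KV:", auto_kv(SAMPLE_LINES[0]))          # value is 'Counter32'
    print("broken:", extract_all(SAMPLE_LINES, BROKEN_REGEX))  # nothing matches
    print("fixed:", extract_all(SAMPLE_LINES, FIXED_REGEX))
    print("answer:", extract_all(SAMPLE_LINES, ANSWER_REGEX))
```

The broken regex's `(.?)` can match at most one character before the required whitespace, so it never matches a line at all; with nothing extracted, the default "=" auto extraction took over and produced the Counter32 value. Setting KV_MODE = none stops that fallback, and the `(\w+\.\d+)` group captures the full "name.index" key. The last answer's `(\d+)$` variant is stricter: it drops lines such as the constructed ifDescr one whose value is not a number.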