Snmpwalk KV Field Extraction

Communicator

Greetz,

Man, do I feel stupid tonight, I can't even get this simple task working.
Please can someone help me?

I have output like so from a snmpwalk scripted input:

IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 16

props.conf:
[snmp]
TRANSFORMS-snmpwalk = snmpwalk

transforms.conf:
[snmpwalk]
REGEX = (?m)IF-MIB::(.*?)\s=\s.*?:\s(.*)
FORMAT = $1::$2

I know the regex can be improved.

What am I doing wrong here?
I just want the KV fields extracted!
I keep getting 'Counter32' for the field value.

Thank you.

0 Karma

Re: Snmpwalk KV Field Extraction

Splunk Employee

Yes, you are getting the default key/value pairs because of the '='. Try this regex in place of yours:

IF-MIB::(.+)\s=\s\w+:\s(\d+)$
0 Karma

Re: Snmpwalk KV Field Extraction

Splunk Employee

Although you have a field name of Counter32, are you also seeing field names with this format? "ifOutDiscards.2"

0 Karma

Re: Snmpwalk KV Field Extraction

Splunk Employee

If you're not terribly worried about what the raw data looks like once it's within Splunk, you could easily use the interface table that SNMP provides. (You're really not worried about the raw data, right? 🙂)

Splunk's "multikv" command easily breaks down the resulting SNMP table into searchable fields and values. And since you're SNMP walking, you might as well use snmptable since it's really just a more efficient way to walk.

Here's my one-line scripted input (stored in a bash script):

snmptable -v2c -c public 192.168.10.1 if

The resulting table is dropped directly into my Splunk index (every 10 minutes) and that's really all there is to it. From there I simply pipe my search to the multikv command and Splunk automatically discovers the key/value pairs and extracts them both for me:

sourcetype=snmpwalk index=snmp | multikv

0 Karma

Re: Snmpwalk KV Field Extraction

Communicator

Wow! Thank you, I tried this and it works. But stupid me I see only one field for ifInOctets and ifOutOctets. How do I get the octets per interface?

0 Karma

Re: Snmpwalk KV Field Extraction

Splunk Employee

Actually, I didn't notice the problem until you mentioned it. Then, it was obvious. My first thoughts are to manually search based on the interface you're curious about. That can be done with the "ifIndex" field that multikv extracts automatically. Unfortunately, it seems that the "ifDescr" field isn't being extracted in my Splunk instance. That would really be a better field to use because it persists over time, while ifIndex can change. (SNMP interface index numbers change on occasion.)

sourcetype=snmpwalk index=temp | multikv | search ifIndex="2"

0 Karma
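The snmptable route above hands Splunk a whole table per poll, and the follow-up shows that the per-interface question is really a row-selection problem (pick a row by ifIndex, or better by ifDescr). The following is an added example, not code from either poster or from Splunk: it parses a constructed, trimmed snmptable-style dump of IF-MIB::ifTable into one record per row, the way multikv would, and then pulls the in/out octet counters for a single interface by either key. The sample rows and their values are made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a cut-down snmptable-style dump of IF-MIB::ifTable.
# Real output has many more columns; these three rows and their numbers
# are invented for the example and are not from any real device.
SAMPLE_TABLE = """\
SNMP table: IF-MIB::ifTable

 ifIndex ifDescr ifMtu    ifSpeed ifInOctets ifOutOctets ifOutDiscards
       1     lo0 16384          0     420714      420714             0
       2    eth0  1500 1000000000 9483772011  2210938445            16
       3    eth1  1500 1000000000          0           0             0
"""


def parse_snmptable(text: str) -> List[Dict[str, str]]:
    """Turn a whitespace-aligned snmptable dump into a list of row dicts.

    The first non-banner, non-blank line is treated as the header row,
    mirroring what multikv does with a tabular event. Whitespace splitting
    assumes no cell contains spaces; for interface descriptions with spaces
    you would have snmptable emit an explicit column delimiter (-Cf) and
    split on that instead.
    """
    rows = [
        ln.strip()
        for ln in text.splitlines()
        if ln.strip() and not ln.startswith("SNMP table:")
    ]
    if not rows:
        return []
    header = rows[0].split()
    records: List[Dict[str, str]] = []
    for ln in rows[1:]:
        cells = ln.split()
        if len(cells) != len(header):
            # Skip malformed rows rather than silently misaligning columns.
            continue
        records.append(dict(zip(header, cells)))
    return records


def find_interface(records: List[Dict[str, str]], **criteria: str) -> Optional[Dict[str, str]]:
    """Return the first row matching every given column=value criterion.

    Example: find_interface(rows, ifDescr="eth0") or find_interface(rows, ifIndex="2").
    ifDescr is the stabler key, since ifIndex can be renumbered over time.
    """
    for rec in records:
        if all(rec.get(col) == val for col, val in criteria.items()):
            return rec
    return None


def octets_for(records: List[Dict[str, str]], **criteria: str) -> Optional[Tuple[int, int]]:
    """Return (ifInOctets, ifOutOctets) as integers for the selected interface."""
    rec = find_interface(records, **criteria)
    if rec is None:
        return None
    return int(rec["ifInOctets"]), int(rec["ifOutOctets"])


if __name__ == "__main__":
    rows = parse_snmptable(SAMPLE_TABLE)
    for r in rows:
        print(r["ifIndex"], r["ifDescr"], r["ifInOctets"], r["ifOutOctets"])
    print("eth0 by ifDescr:", octets_for(rows, ifDescr="eth0"))
    print("index 2 by ifIndex:", octets_for(rows, ifIndex="2"))
```

Selecting by `ifDescr` is the equivalent of the `search ifIndex="2"` shown above but keyed on the name, which is why the answer prefers it once the column is extracted.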

Re: Snmpwalk KV Field Extraction

Communicator

I noticed that not all events were being extracted too... but thank you for giving me ideas, a different angle.

0 Karma

Re: Snmpwalk KV Field Extraction

Communicator

Sorry, I knew it was something simple, and the above regex was copy and paste broken:

# props.conf
[snmp]
KV_MODE = none
REPORT-snmpwalk = snmpwalk

# transforms.conf
[snmpwalk]
REGEX = IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$
FORMAT = $1::$2
CLEAN_KEYS = 1
MV_ADD = 0
disabled = 0


0 Karma
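To show what the final REGEX/FORMAT pair actually produces from a multi-line snmpwalk event, and what CLEAN_KEYS does to the dotted keys, here is an added example in Python (not code from the poster or from Splunk). It applies the same regular expression to a constructed sample event, emulates Splunk's CLEAN_KEYS behaviour (non-alphanumerics replaced with an underscore, leading underscores and digits stripped) as a hypothetical `clean_key` helper, and goes one step further than the thread by regrouping the extracted fields per interface index, which is the "octets per interface" question asked earlier.

```python
import re
from typing import Dict

# The final transforms.conf REGEX from the thread, compiled with MULTILINE so
# that `$` matches at the end of every line of a multi-line scripted-input event.
SNMPWALK_RE = re.compile(r"IF-MIB::(\w+\.\d+)\s=\s\w+:\s(.*?)$", re.MULTILINE)

# Constructed sample event: a few snmpwalk lines as one Splunk event. The
# ifDescr line is included to show the regex is not tied to Counter32 values.
SAMPLE_EVENT = """\
IF-MIB::ifOutNUcastPkts.1 = Counter32: 420714
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 16
IF-MIB::ifDescr.2 = STRING: eth0
"""


def clean_key(key: str) -> str:
    """Emulate CLEAN_KEYS: map non-alphanumerics to "_" and strip a leading
    run of underscores/digits, so "ifOutDiscards.2" becomes "ifOutDiscards_2".
    (Hypothetical helper written for this example, not a Splunk API.)"""
    cleaned = re.sub(r"[^A-Za-z0-9]", "_", key)
    return cleaned.lstrip("_0123456789")


def extract_fields(event: str, clean_keys: bool = True) -> Dict[str, str]:
    """Apply the REGEX and FORMAT = $1::$2 logic: group 1 is the key,
    group 2 the value. Returns the field dictionary Splunk would build."""
    fields: Dict[str, str] = {}
    for m in SNMPWALK_RE.finditer(event):
        key, value = m.group(1), m.group(2)
        if clean_keys:
            key = clean_key(key)
        fields[key] = value
    return fields


def by_interface(event: str) -> Dict[str, Dict[str, str]]:
    """Regroup the raw (uncleaned) keys by their ifIndex suffix, giving one
    dict per interface: {"2": {"ifOutDiscards": "16", "ifDescr": "eth0", ...}}."""
    per_if: Dict[str, Dict[str, str]] = {}
    for key, value in extract_fields(event, clean_keys=False).items():
        name, _, index = key.rpartition(".")
        per_if.setdefault(index, {})[name] = value
    return per_if


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    print(by_interface(SAMPLE_EVENT))
```

The `(.*?)$` capture is what keeps the value free of the type label: everything up to and including `Counter32:` is consumed by `\w+:\s` before the value group starts, which is the part the auto key/value split on `=` gets wrong.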