Howdy folks,
The original idea was to split the [snmptrapd] sourcetype now that multiple hosts were sending traps with different PRIVATE ENTERPRISE NUMBERS. I implemented the following to achieve this in props.conf:
[snmptrapd]
TRANSFORMS-overrideSnmpTrapdSourcetype = set-sourcetype-broadsoft-ems-trap, set-sourcetype-smarts-nms-trap
and transforms.conf
[set-sourcetype-broadsoft-ems-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.2162\.
FORMAT = broadsoft:ems:trap
[set-sourcetype-smarts-nms-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.733\.
FORMAT = smarts:nms:trap
The transform seems to work: the sourcetype is viewable in the fields list with statistics shown, and the sourcetype also shows on each event, BUT when I search for sourcetype="smarts:nms:trap" the search results are empty.
Please help.
You need a sourcetype:: prefix in a FORMAT used in sourcetype updates.
transforms.conf
[set-sourcetype-broadsoft-ems-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.2162\.
FORMAT = sourcetype::broadsoft:ems:trap
[set-sourcetype-smarts-nms-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.733\.
FORMAT = sourcetype::smarts:nms:trap
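As an added check (not part of the answer above or of Splunk itself), this script parses transforms.conf stanzas in the form shown, flags any MetaData:Sourcetype rewrite whose FORMAT lacks the sourcetype:: prefix, and simulates the override against constructed trap lines to show which metadata value each event would get. The stanza set-sourcetype-broken, the OID 9999 and the sample events are constructed for illustration.

```python
import configparser
import re

# Constructed transforms.conf text: the two corrected stanzas from the answer
# plus one deliberately wrong stanza (constructed) that omits the prefix.
TRANSFORMS_CONF = r"""
[set-sourcetype-broadsoft-ems-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.2162\.
FORMAT = sourcetype::broadsoft:ems:trap

[set-sourcetype-smarts-nms-trap]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.733\.
FORMAT = sourcetype::smarts:nms:trap

[set-sourcetype-broken]
DEST_KEY = MetaData:Sourcetype
REGEX = enterprises\.9999\.
FORMAT = missing:prefix:trap
"""

# Constructed sample snmptrapd lines (not real captures); only the OID prefix matters.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 host1 SNMPv2-SMI::enterprises.2162.1.2.3 = STRING: alarm",
    "2024-01-01 10:00:01 host2 SNMPv2-SMI::enterprises.733.4.5.6 = INTEGER: 7",
    "2024-01-01 10:00:02 host3 SNMPv2-SMI::enterprises.9999.1 = STRING: x",
    "2024-01-01 10:00:03 host4 SNMPv2-SMI::enterprises.1.3.6 = STRING: other",
]

def load_transforms(text):
    """Parse stanzas into {name: {key: value}}; '=' is the only delimiter so '::' survives."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY / REGEX / FORMAT case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def lint_sourcetype_transforms(stanzas):
    """Names of stanzas that rewrite MetaData:Sourcetype without the sourcetype:: prefix."""
    return [n for n, s in stanzas.items()
            if s.get("DEST_KEY") == "MetaData:Sourcetype"
            and not s.get("FORMAT", "").startswith("sourcetype::")]

def apply_transforms(stanzas, event):
    """Simulate the override: first matching REGEX writes FORMAT into the key as-is."""
    for s in stanzas.values():
        if s.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(s["REGEX"], event):
            return s["FORMAT"]
    return None  # no override, event keeps its original sourcetype

def searchable_as(key_value, sourcetype):
    """A search for sourcetype=<name> matches only the key value sourcetype::<name>."""
    return key_value == "sourcetype::" + sourcetype
```

Run lint_sourcetype_transforms over your own transforms.conf before restarting the indexer; any name it returns is a stanza whose events will display a sourcetype but not be found by searching for it.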
Thank you!