Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Creating fields from trap
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I may be going at this in the completely wrong way, but I'm looking at extracting information from traps sent by a system, and then using them to generate reports.
So I have this trap:
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.1230.2.7.4.3 SNMPv2-SMI::enterprises.1230.2.7.4.10.4 = INTEGER: 6 SNMPv2-SMI::enterprises.1230.2.7.4.10.5 = STRING: "neptune"
The system is picking up the fields ok, like "SNMPv2-SMI::enterprises.1230.2.7.4.10.5", but then its content is "STRING: \"neptune\"".
I'm looking at removing the word "STRING: ", both quotes (""), and just keeping the rest (neptune), preferably somehow placing that into a field named "planet".
My report will then look at displaying how many times each planet was observed, sort of thing.
Is this possible? Does this reasoning make any sense? I was thinking about using rex for this, but I must be way off the mark because nothing seems to work for me...
I was trying: | rex field=_raw "STRING: \"(?
Help, please?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work ** (change to your sourcetype)
sourcetype="?????" | head 100 | rex "(?im)STRING:\s\\"(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the trapserver is net-snmp, you can use -OQ option to remove the type (STRINGS in this case).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting rid of the quotes makes it a little messy, at least if you want to allow for the possibility of spaces within the quoted string.
Here's one way:
#transforms.conf
[snmp-fields]
REGEX = \s(\S+)\s*=\s*\w+: (")?((?<=")[^"]+|(\S+))
FORMAT = $1::$3
#props.conf
[snmp]
KV_MODE = none
REPORT-snmp = snmp-fields
The trick is to consume the opening quotation mark first so that it isn't part of the capture group (i.e., the extracted field).
Then, within the capture group, use negative lookbehind to determine whether you're matching inside a quoted section (match up to the end-quote), or just matching a block of non-whitespace.
Another way would be to create two separate transforms -- one for quoted string values and one for integer and other non-string types.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess you're giving me something extra to read about. Thank you for that. I'll try to make something out of it, and see how I could use it. Again, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work ** (change to your sourcetype)
sourcetype="?????" | head 100 | rex "(?im)STRING:\s\\"(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I guess I'm more of a beginner than I thought. The key was in specifying the sourcetype; I was just casting the | rex... on its own. 😉
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
