I may be going at this in the completely wrong way, but I'm looking at extracting information from traps sent by a system, and then using them to generate reports.
So I have this trap:
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.122.214.171.124.3 SNMPv2-SMI::enterprises.1126.96.36.199.10.4 = INTEGER: 6 SNMPv2-SMI::enterprises.1188.8.131.52.10.5 = STRING: "neptune"
The system is picking up the fields ok, like "SNMPv2-SMI::enterprises.1184.108.40.206.10.5", but then its content is "STRING: \"neptune\"".
I'm looking at removing the word "STRING: ", both quotes (""), and just keeping the rest (neptune), preferably somehow placing that into a field named "planet".
My report will then look at displaying how many times each planet was observed, sort of thing.
Is this possible? Does this reasoning make any sense? I was thinking about using rex for this, but I must be way off the mark because nothing seems to work for me...
I was trying: | rex field=_raw "STRING: \"(?
Getting rid of the quotes makes it a little messy, at least if you want to allow for the possibility of spaces within the quoted string.
Here's one way:
#transforms.conf [snmp-fields] REGEX = \s(\S+)\s*=\s*\w+: (")?((?<=")[^"]+|(\S+)) FORMAT = $1::$3 #props.conf [snmp] KV_MODE = none REPORT-snmp = snmp-fields
The trick is to consume the opening quotation mark first so that it isn't part of the capture group (i.e., the extracted field).
Then, within the capture group, use negative lookbehind to determine whether you're matching inside a quoted section (match up to the end-quote), or just matching a block of non-whitespace.
Another way would be to create two separate transforms -- one for quoted string values and one for integer and other non-string types.