I have trap data coming onto my Splunk server ... the data looks like this:
1.3.6.1.4.1.3279.1.1.8.1.35.2 = ObjectSyntax: simple=SimpleSyntax: string=application_name
My key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end, "application_name".
Can someone help me with the search query here?
Assumption: Every event has the same data between the OID and the application_name.
Use a transform. Perhaps something like this (based on an answers entry):
In props.conf do:
[yoursourcetypehere]
REPORT-myoidextract = getmyoiddata
Then in transforms.conf do:
[getmyoiddata]
REGEX = (.*)\s=\sObjectSyntax:\ssimple=SimpleSyntax:\s+string=(.*)
FORMAT = $1::$2
See if that works (or muss with it some if it's not exact).
This did my job
REGEX = \s1.3.6.1.4.1.3279.1.1.8.1.35.2\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?
... but had to also mention the below part ... since it was writing the rest of the message also to the above one.
\s+\s+\s1.3.6.1.4.1.3279.1.1.8.1.35.3\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string=(?
Thanks Mr. JTrucks.
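The problem described in the follow-up above (the value capture also picking up the rest of the message) can be reproduced and checked offline before touching transforms.conf. The following is an added example, not code from this thread: it uses Python's `re` as a stand-in for Splunk's PCRE, and the two-varbind event, the `host_name` value and the function names are constructed for illustration.

```python
import re

# Constructed sample event: two varbinds on one line, in the format shown
# in the question. The second value ("host_name") is made up.
SAMPLE_EVENT = (
    " 1.3.6.1.4.1.3279.1.1.8.1.35.2 = ObjectSyntax: simple=SimpleSyntax: string=application_name"
    "   1.3.6.1.4.1.3279.1.1.8.1.35.3 = ObjectSyntax: simple=SimpleSyntax: string=host_name"
)

# Separator between the OID and the value, as used in the thread's REGEX lines.
SEP = r"\s=\sObjectSyntax:\s+simple=SimpleSyntax:\s+string="

# A dotted-decimal OID such as 1.3.6.1.4.1.3279.1.1.8.1.35.2
OID = r"\d+(?:\.\d+)+"

# Value: lazy match that stops right before the next "<OID> = " or at end of event.
BOUNDED = re.compile(rf"({OID}){SEP}(.*?)(?=\s+{OID}\s=\s|\s*$)")


def greedy_value(event, oid):
    """Fixed OID followed by a greedy (.*): the value runs to the end of the event."""
    match = re.search(re.escape(oid) + SEP + r"(.*)", event)
    return match.group(1) if match else None


def extract_pairs(event):
    """Return {oid: value} for every varbind, the pairs a $1::$2 FORMAT would emit."""
    return {m.group(1): m.group(2) for m in BOUNDED.finditer(event)}


if __name__ == "__main__":
    print("greedy :", repr(greedy_value(SAMPLE_EVENT, "1.3.6.1.4.1.3279.1.1.8.1.35.2")))
    for key, value in extract_pairs(SAMPLE_EVENT).items():
        print("bounded:", key, "=>", value)
```

The bounded pattern also keeps values that contain spaces, because it stops on the next OID rather than on the first whitespace character.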
I am trying to create custom key-value pairs ... my key is "1.3.6.1.4.1.3279.1.1.8.1.35.2" and my value is at the end "application_name".
What are you searching for exactly?