Splunk Search

Field extraction from an snmp trap message issue

Path Finder

Having mixed results with this issue?

I have trap messages being written to a txt file which then gets pushed to my indexer via a universal forwarder and I also have line breaks setup in props.conf. The trap message then appears in full as a multi-line event.

This is the line break config for the trap message:

[imsva_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{2}\/\d{2}\/2\d{3}\s\d{1,2}:\d{2}\s(A|P)M
BREAK_ONLY_BEFORE_DATE = false

Unsure if the above config is best for trap messages but it seems to work.

 Pic of traps as they come into splunk:  imgur.com/RcmA93R)

I then use the IFX tool to extract specific lines from the trap message, however this sometimes works and sometimes breaks?

When it works it successfully extracts the results of 1 line.

 Pic of a working extraction: imgur.com/E0xtHs3

Other times it extracts the line i want but it also extracts the rest of the message so i end up with multiple lines in my extraction.

 Pic of a non working extraction:  imgur.com/EKdUOFm

I have played about with the rex config in props.conf to stop extracting after the end of line but having no joy with this. What rex can i use that basically says 'stop' after the end of line and do not continue with any more extraction.

This is the rex config generated from IFX:

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)

Cheers for any help.

*apologies for the pics but dont have enough karma points to post inside the question - yeah great eh and i am paying big bucks for splunk support?

0 Karma

SplunkTrust
SplunkTrust

Give this a try

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)[(\r\n)+]*
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)[(\r\n)+]*
0 Karma

Path Finder

Thanks somesoni2 but im afraid i still have the same results: it appends the rest of the multiline event onto the end of line.

I tried this on a number of transforms from same sourcetype with same results.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!