
Field extraction from an SNMP trap message issue

smithjnick
Path Finder

Having mixed results with this issue?

I have trap messages being written to a txt file which then gets pushed to my indexer via a universal forwarder, and I also have line breaks set up in props.conf. The trap message then appears in full as a multi-line event.

This is the line break config for the trap message:

[imsva_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{2}\/\d{2}\/2\d{3}\s\d{1,2}:\d{2}\s(A|P)M
BREAK_ONLY_BEFORE_DATE = false

Unsure if the above config is best for trap messages but it seems to work.

Pic of traps as they come into Splunk: imgur.com/RcmA93R

I then use the IFX tool to extract specific lines from the trap message, however this sometimes works and sometimes breaks?

When it works it successfully extracts the results of 1 line.

Pic of a working extraction: imgur.com/E0xtHs3

Other times it extracts the line I want but it also extracts the rest of the message, so I end up with multiple lines in my extraction.

Pic of a non-working extraction: imgur.com/EKdUOFm

I have played about with the rex config in props.conf to stop extracting after the end of line but am having no joy with this. What rex can I use that basically says 'stop' after the end of line and does not continue with any more extraction?

This is the rex config generated from IFX:

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)

Cheers for any help.

*apologies for the pics but I don't have enough karma points to post inside the question - yeah great eh, and I am paying big bucks for Splunk support?

0 Karma

somesoni2
SplunkTrust

Give this a try

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)[(\r\n)+]*
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)[(\r\n)+]*
0 Karma
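Added example (editor's code, not from either poster): the two IFX-generated patterns from the question are run over a constructed three-line trap event, once with LF line separators and once with bare CR separators, next to a variant whose capture group is `[^\r\n]+` instead of `.+`. Python's `re` is used as a stand-in for Splunk's PCRE engine (an assumption; the relevant behaviour, that `.` excludes only `\n` and that `(?m)` anchors only at `\n`, is the same in both), the event text and field values are invented, and the CR-only case is a constructed scenario, not something the thread confirms about the poster's file.

```python
import re

# Constructed sample events (not from the original post); the values are invented.
# The same three-line trap is built twice, once with LF and once with bare CR separators.
LINES = [
    "IMSVA alert: info:SNMPv2.1.3 Queue threshold exceeded",
    "Severity: Warning",
    "Host: mailgw01",
]
EVENT_LF = "\n".join(LINES)
EVENT_CR = "\r".join(LINES)

# The two IFX-generated patterns quoted in the question, unchanged.
LOG_TYPE_IFX = r"(?i) .*?: (?P<imsva_log_type>[a-z]+)"
TRAPOID_IFX = r"(?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)"

# Hardened variant (editor's suggestion, not from the thread): the capture group is
# limited to characters that are neither CR nor LF, so it stops at the end of the
# physical line whichever separator the file uses. "." excludes only "\n", so a
# greedy ".+" runs straight through a bare "\r" into the following lines.
TRAPOID_NOEOL = r"(?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>[^\r\n]+)"


def extract_field(pattern: str, event: str):
    """Return the value of the pattern's named group for the first match, or None."""
    m = re.search(pattern, event)
    if m is None:
        return None
    return next(iter(m.groupdict().values()))


def extract(event: str) -> dict:
    """Apply the three patterns to one event and return the extracted values."""
    return {
        "imsva_log_type": extract_field(LOG_TYPE_IFX, event),
        "trapoid_dot": extract_field(TRAPOID_IFX, event),
        "trapoid_noeol": extract_field(TRAPOID_NOEOL, event),
    }


if __name__ == "__main__":
    for name, event in (("LF-separated", EVENT_LF), ("CR-separated", EVENT_CR)):
        print(name)
        for field, value in extract(event).items():
            print(f"  {field:15} = {value!r}")
```

On the LF event both trapoid patterns return the single line; on the CR event the `.+` form drags the remaining lines into the field while `[^\r\n]+` still stops at the line end. In props.conf that corresponds to `EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>[^\r\n]+)`. Note that a trailing `[(\r\n)+]*` is a character class (it matches any run of the characters `(`, `\r`, `\n`, `)`, `+`) and places no limit on what the preceding `.+` has already consumed.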

smithjnick
Path Finder

Thanks somesoni2, but I'm afraid I still have the same results: it appends the rest of the multiline event onto the end of the line.

I tried this on a number of transforms from same sourcetype with same results.

0 Karma