Splunk Search

Field extraction from an snmp trap message issue

Path Finder

Having mixed results with this issue.

I have trap messages being written to a txt file which then gets pushed to my indexer via a universal forwarder, and I also have line breaks set up in props.conf. The trap message then appears in full as a multi-line event.

This is the line break config for the trap message:

BREAK_ONLY_BEFORE = ^\d{2}\/\d{2}\/2\d{3}\s\d{1,2}:\d{2}\s(A|P)M

Unsure if the above config is best for trap messages but it seems to work.

Pic of traps as they come into Splunk: imgur.com/RcmA93R

I then use the IFX tool to extract specific lines from the trap message; however, this sometimes works and sometimes breaks.

When it works it successfully extracts the results of 1 line.

Pic of a working extraction: imgur.com/E0xtHs3

Other times it extracts the line I want, but it also extracts the rest of the message, so I end up with multiple lines in my extraction.

Pic of a non-working extraction: imgur.com/EKdUOFm

I have played about with the rex config in props.conf to stop extracting after the end of the line, but I'm having no joy with this. What rex can I use that basically says 'stop' after the end of the line and does not continue with any more extraction?

This is the rex config generated from IFX:

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)

Cheers for any help.

*Apologies for the pics, but I don't have enough karma points to post inside the question - yeah, great eh, and I am paying big bucks for Splunk support?

0 Karma


Give this a try:

EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)(?:\r\n)*
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)(?:\r\n)*
0 Karma

Path Finder

Thanks somesoni2, but I'm afraid I still have the same results: it appends the rest of the multi-line event onto the end of the line.

I tried this on a number of transforms from the same sourcetype with the same results.

0 Karma
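As an added example (not code from the question or from somesoni2's reply), the Python script below runs the imsva_trapoid regex from the question over a constructed multi-line trap event and compares the IFX-generated .+ capture with an explicit [^\r\n]+ capture, which stops at the end of the line regardless of line endings or single-line (dotall) mode; a trailing newline group after the capture, as tried above, does not limit what the group itself matches. It assumes Python's re behaves like Splunk's PCRE for '.' and (?m) in this comparison, and that the event layout is a timestamp line followed by one attribute per line.

```python
import re

# Constructed sample event (an assumption about layout, not the poster's traps):
# a timestamp line, then one line per trap attribute, as the question describes.
EVENT_LF = (
    "08/05/2015 10:15 AM\n"
    "trap:imsva:enterprises.6101.141 quarantine queue above threshold\n"
    "severity: warning\n"
    "host: imsva01\n"
)
# The same event as a Windows-style file would deliver it.
EVENT_CRLF = EVENT_LF.replace("\n", "\r\n")

# Prefix of the trapoid regex from the question, verbatim; the capture group
# is appended by extract_trapoid() so different capture bodies can be compared.
TRAPOID_PREFIX = r"(?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+"


def extract_trapoid(event, capture=".+", suffix="", dotall=False):
    """Run the trapoid extraction and return the captured value, or None.

    capture: body of the named group (".+" as generated by IFX, or "[^\\r\\n]+").
    suffix:  anything appended after the group (e.g. a trailing newline group).
    dotall:  emulate single-line mode, where '.' also matches newline characters.
    """
    pattern = TRAPOID_PREFIX + "(?P<imsva_trapoid>" + capture + ")" + suffix
    m = re.search(pattern, event, re.DOTALL if dotall else 0)
    return m.group("imsva_trapoid") if m else None


if __name__ == "__main__":
    cases = [
        ("IFX '.+', LF event",           EVENT_LF,   ".+",        "",           False),
        ("IFX '.+', LF event, dotall",   EVENT_LF,   ".+",        "",           True),
        ("IFX '.+' + newline group",     EVENT_LF,   ".+",        r"(?:\r\n)*", True),
        ("IFX '.+', CRLF event",         EVENT_CRLF, ".+",        "",           False),
        ("'[^\\r\\n]+', LF, dotall",     EVENT_LF,   r"[^\r\n]+", "",           True),
        ("'[^\\r\\n]+', CRLF event",     EVENT_CRLF, r"[^\r\n]+", "",           False),
    ]
    for label, event, capture, suffix, dotall in cases:
        print(f"{label:32} -> {extract_trapoid(event, capture, suffix, dotall)!r}")
```

The dotall and CRLF rows show the two ways a '.+' capture picks up more than the intended line (the rest of the event, or a stray carriage return), while [^\r\n]+ returns exactly one line in every row.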