Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help me Split this SNMP Table result into a nice t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help me Split this SNMP Table result into a nice table view!
seanel
Path Finder
03-15-2015
06:07 AM
So here is a sample event:
Sun Mar 15 12:59:52 UTC 2015 dpStatusEthernetInterfaceStatusName.eth0 = eth0 dpStatusEthernetInterfaceStatusName.eth1 = eth1 dpStatusEthernetInterfaceStatusName.eth2 = eth2 dpStatusEthernetInterfaceStatusName.eth3 = eth3 dpStatusEthernetInterfaceStatusIP.eth0 = 10.230.3.29/0.0.0.0 dpStatusEthernetInterfaceStatusIP.eth1 = 0.0.0.0/0.0.0.0 dpStatusEthernetInterfaceStatusIP.eth2 = 0.0.0.0/0.0.0.0 dpStatusEthernetInterfaceStatusIP.eth3 = 0.0.0.0/0.0.0.0 dpStatusEthernetInterfaceStatusMACAddress.eth0 = 0:50:56:82:6d:de dpStatusEthernetInterfaceStatusMACAddress.eth1 = 0:50:56:82:1b:0 dpStatusEthernetInterfaceStatusMACAddress.eth2 = 0:50:56:82:62:25 dpStatusEthernetInterfaceStatusMACAddress.eth3 = 0:50:56:82:1c:8b dpStatusEthernetInterfaceStatusStatus.eth0 = ok dpStatusEthernetInterfaceStatusStatus.eth1 = no-link dpStatusEthernetInterfaceStatusStatus.eth2 = no-link dpStatusEthernetInterfaceStatusStatus.eth3 = no-link dpStatusEthernetInterfaceStatusNegotiate.eth0 = no dpStatusEthernetInterfaceStatusNegotiate.eth1 = no dpStatusEthernetInterfaceStatusNegotiate.eth2 = no dpStatusEthernetInterfaceStatusNegotiate.eth3 = no dpStatusEthernetInterfaceStatusMode.eth0 = none dpStatusEthernetInterfaceStatusMode.eth1 = none dpStatusEthernetInterfaceStatusMode.eth2 = none dpStatusEthernetInterfaceStatusMode.eth3 = none dpStatusEthernetInterfaceStatusMTU.eth0 = 1500 dpStatusEthernetInterfaceStatusMTU.eth1 = 1500 dpStatusEthernetInterfaceStatusMTU.eth2 = 1500 dpStatusEthernetInterfaceStatusMTU.eth3 = 1500 dpStatusEthernetInterfaceStatusRxHCBytes.eth0 = 49403590948 dpStatusEthernetInterfaceStatusRxHCBytes.eth1 = 0 dpStatusEthernetInterfaceStatusRxHCBytes.eth2 = 0 dpStatusEthernetInterfaceStatusRxHCBytes.eth3 = 0 dpStatusEthernetInterfaceStatusRxHCPackets.eth0 = 82008787 dpStatusEthernetInterfaceStatusRxHCPackets.eth1 = 0 dpStatusEthernetInterfaceStatusRxHCPackets.eth2 = 0 dpStatusEthernetInterfaceStatusRxHCPackets.eth3 = 0 dpStatusEthernetInterfaceStatusRxErrors2.eth0 = 0 dpStatusEthernetInterfaceStatusRxErrors2.eth1 = 0 dpStatusEthernetInterfaceStatusRxErrors2.eth2 = 0 dpStatusEthernetInterfaceStatusRxErrors2.eth3 = 0 dpStatusEthernetInterfaceStatusRxDrops2.eth0 = 0 dpStatusEthernetInterfaceStatusRxDrops2.eth1 = 0 dpStatusEthernetInterfaceStatusRxDrops2.eth2 = 0 dpStatusEthernetInterfaceStatusRxDrops2.eth3 = 0 dpStatusEthernetInterfaceStatusTxHCBytes.eth0 = 90111125177 dpStatusEthernetInterfaceStatusTxHCBytes.eth1 = 0 dpStatusEthernetInterfaceStatusTxHCBytes.eth2 = 0 dpStatusEthernetInterfaceStatusTxHCBytes.eth3 = 0 dpStatusEthernetInterfaceStatusTxHCPackets.eth0 = 69374750 dpStatusEthernetInterfaceStatusTxHCPackets.eth1 = 0 dpStatusEthernetInterfaceStatusTxHCPackets.eth2 = 0 dpStatusEthernetInterfaceStatusTxHCPackets.eth3 = 0 dpStatusEthernetInterfaceStatusTxErrors2.eth0 = 0 dpStatusEthernetInterfaceStatusTxErrors2.eth1 = 0 dpStatusEthernetInterfaceStatusTxErrors2.eth2 = 0 dpStatusEthernetInterfaceStatusTxErrors2.eth3 = 0 dpStatusEthernetInterfaceStatusTxDrops2.eth0 = 0 dpStatusEthernetInterfaceStatusTxDrops2.eth1 = 0 dpStatusEthernetInterfaceStatusTxDrops2.eth2 = 0 dpStatusEthernetInterfaceStatusTxDrops2.eth3 = 0 dpStatusEthernetInterfaceStatusCollisions2.eth0 = 0 dpStatusEthernetInterfaceStatusCollisions2.eth1 = 0 dpStatusEthernetInterfaceStatusCollisions2.eth2 = 0 dpStatusEthernetInterfaceStatusCollisions2.eth3 = 0 dpStatusEthernetInterfaceStatusFlowControlNegotiation.eth0 = unknown dpStatusEthernetInterfaceStatusFlowControlNegotiation.eth1 = unknown dpStatusEthernetInterfaceStatusFlowControlNegotiation.eth2 = unknown dpStatusEthernetInterfaceStatusFlowControlNegotiation.eth3 = unknown dpStatusEthernetInterfaceStatusFlowControlStatus.eth0 = unknown dpStatusEthernetInterfaceStatusFlowControlStatus.eth1 = unknown dpStatusEthernetInterfaceStatusFlowControlStatus.eth2 = unknown dpStatusEthernetInterfaceStatusFlowControlStatus.eth3 = unknown
As you can see its a walk of the ethernet interface table. I cant for the life of me make it into a nice tabled result by interface. Ive looked into rename, join, append and all kinds of stuff and just cant get anything other that a row with all interfaces in repeated fields, or a single row with just one inteface.
The main issue is the face that the field names for Name, IP etc are not the same as they have the interface name appended to the end of each field. I have tried renaming each to Name, IP, etc but then just end up with the last row in the results.
What I am looking for is something like
Name IP Status RxBytes TxBytes
eth0 1.2.3.4 OK 6666 7777
eth1 0.0.0.0 no-link 0 0
eth2 0.0.0.0 no-link 0 0
eth3 0.0.0.0 no-link 0 0
I am isolating the latest event (interval is 30 secs) using the following:
index=someindex source=snmp host="server.domain.com" earliest=-1m | head 1
Then I have been using something like the following to get a single one of the interfaces into a table
| stats max(dpStatusEthernetInterfaceStatusName_eth0) AS Name max(dpStatusEthernetInterfaceStatusIP_eth0) AS IP max(dpStatusEthernetInterfaceStatusStatus_eth0) AS Status max(dpStatusEthernetInterfaceStatusRxHCBytes_eth0) AS Rx_Bytes max(dpStatusEthernetInterfaceStatusRxHCPackets_eth0) AS Rx_Packets max(dpStatusEthernetInterfaceStatusRxErrors2_eth0) AS Rx_Errors max(dpStatusEthernetInterfaceStatusRxDrops2_eth0) AS Rx_Drops max(dpStatusEthernetInterfaceStatusTxHCBytes_eth0) AS Tx_Bytes max(dpStatusEthernetInterfaceStatusTxHCPackets_eth0) AS Tx_Packets max(dpStatusEthernetInterfaceStatusTxErrors2_eth0) AS Tx_Errors max(dpStatusEthernetInterfaceStatusTxDrops2_eth0) AS TX_Drops max(dpStatusEthernetInterfaceStatusCollisions2_eth0) AS Collisions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seanel
Path Finder
03-15-2015
07:00 AM
haha - as usual i figure it out few minutes after reaching the desperation point of posting in a forum:
index=someindex source=snmp host="server.domain.com" earliest=-1m | head 1 |stats max(dpStatusEthernetInterfaceStatusName_eth0) AS Name max(dpStatusEthernetInterfaceStatusIP_eth0) AS IP max(dpStatusEthernetInterfaceStatusStatus_eth0) AS Status max(dpStatusEthernetInterfaceStatusRxHCBytes_eth0) AS Rx_Bytes | append [|search index=someindex source=snmp host="server.domain.com" earliest=-1m | head 1 |stats max(dpStatusEthernetInterfaceStatusName_eth1) AS Name max(dpStatusEthernetInterfaceStatusIP_eth1) AS IP max(dpStatusEthernetInterfaceStatusStatus_eth1) AS Status max(dpStatusEthernetInterfaceStatusRxHCBytes_eth1) AS Rx_Bytes]
However, its obviously innefficient as I will need to run the search 4 times to get the same event (there are in fact 4 interfaces) and will be getting a totoal of 12 fields for each.
Surely there is a more efficient way?
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
