Splunk Search

How to edit my rex statement to these two fields from my sample SNMP trap data?

New Member

I have an SNMP trap that I'm trying to extract two fields from one string with a comma in the middle, but I'm getting no output from the segment of a field extraction for the comma separated pair of values.

The input includes (from raw_) {1.3.6.1.4.1.1482.20.1.2.1.4.1.5.21914:Board 3, Port 1, TS 0.0.0.0:1235}

So I want to output "Board 3" and "Port 1" in two Fields called Board and Port

When I use

 | rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.\d+:(?P\w+\d+\s+),(?\w+\d+\s+)}" | table _time, Board, Port

I get nothing for the fields Board or Port in the output. I've no issues with getting a bunch of other fields from this trap, but this one escapes me....

0 Karma
1 Solution

SplunkTrust
SplunkTrust

I try to follow the Keep It Simple maxim in my regex strings. This works in regex101.com

... | rex ":(?<Board>[^,]+), (?<Port>[^,]+)" | ...
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

Legend

Try this

... | rex "Board\s+(?<board>\d+),\s+Port\s+(?<port>\d+)" | table _time board port
0 Karma

SplunkTrust
SplunkTrust

I try to follow the Keep It Simple maxim in my regex strings. This works in regex101.com

... | rex ":(?<Board>[^,]+), (?<Port>[^,]+)" | ...
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

New Member

Ah, unfortunately, there are a plethora of varbinds in the SNMP trap, with many semicolons. Here's a sample of the full trap

[2016/09/08 10:57:16 MDT] [INFO] (/trapd/client.(*TrapLogger).Info:29) [TRAP]: {ip:69.76.108.44,timestamp:1473353836411,oid:1.3.6.1.4.1.1482.20.1.1.1.1.0.1,varbinds:[{1.3.6.1.4.1.1482.20.1.2.1.4.1.13.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.9.5460:8},{1.3.6.1.4.1.1482.20.1.2.1.4.1.11.5460:},{1.3.6.1.4.1.1482.20.1.2.1.4.1.14.5460:TS=232.34.1.232:34000=;Cause=Service Out Loss (one service)=;},{1.3.6.1.4.1.1482.20.1.2.1.4.1.5.5460:**Board 5, Port 1**, TS 232.34.1.232:34000},{1.3.6.1.4.1.1482.20.1.2.1.4.1.8.5460:1},{1.3.6.1.4.1.1482.20.1.2.1.4.1.10.5460:269},{1.3.6.1.2.1.1.3.0:1041h33m58.73s},{1.3.6.1.4.1.1482.20.1.2.1.4.1.3.5460:DCM},{1.3.6.1.4.1.1482.20.1.2.1.4.1.4.5460:TS Out Loss},{1.3.6.1.4.1.1482.20.1.2.1.4.1.6.5460:2016/09/08 16:57:14},{1.3.6.1.4.1.1482.20.1.2.1.4.1.7.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.12.5460:0},{1.3.6.1.4.1.1482.20.1.2.1.4.1.15.5460:.1.3.6.1.2.1.47.1.1.1.1.1.501},{1.3.6.1.4.1.1482.20.1.2.1.4.1.2.5460:5460}]

I added in the preamble from the varbind I'm after to get to

rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.[\d]+:(?[^,]+), (?[^,]+)" | table, _time, Board, Port

unfortunately, still did not return anything....

(FWIW, I did also try verbatim the rex ":(?[^,]+), (?[^,]+)" and it failed to return anything either)

S

0 Karma

SplunkTrust
SplunkTrust

It works in my Splunk (6.4.1). Here's a run-anywhere example. Remove the \*\* sequences if you just added the asterisks for emphasis.

|metadata type=sources | head 1 | eval text="[2016/09/08 10:57:16 MDT] [INFO] (/trapd/client.(*TrapLogger).Info:29) [TRAP]: {ip:69.76.108.44,timestamp:1473353836411,oid:1.3.6.1.4.1.1482.20.1.1.1.1.0.1,varbinds:[{1.3.6.1.4.1.1482.20.1.2.1.4.1.13.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.9.5460:8},{1.3.6.1.4.1.1482.20.1.2.1.4.1.11.5460:},{1.3.6.1.4.1.1482.20.1.2.1.4.1.14.5460:TS=232.34.1.232:34000=;Cause=Service Out Loss (one service)=;},{1.3.6.1.4.1.1482.20.1.2.1.4.1.5.5460:**Board 5, Port 1**, TS 232.34.1.232:34000},{1.3.6.1.4.1.1482.20.1.2.1.4.1.8.5460:1},{1.3.6.1.4.1.1482.20.1.2.1.4.1.10.5460:269},{1.3.6.1.2.1.1.3.0:1041h33m58.73s},{1.3.6.1.4.1.1482.20.1.2.1.4.1.3.5460:DCM},{1.3.6.1.4.1.1482.20.1.2.1.4.1.4.5460:TS Out Loss},{1.3.6.1.4.1.1482.20.1.2.1.4.1.6.5460:2016/09/08 16:57:14},{1.3.6.1.4.1.1482.20.1.2.1.4.1.7.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.12.5460:0},{1.3.6.1.4.1.1482.20.1.2.1.4.1.15.5460:.1.3.6.1.2.1.47.1.1.1.1.1.501},{1.3.6.1.4.1.1482.20.1.2.1.4.1.2.5460:5460}]" | rex field=text ":(?<Board>\*\*Board [^,]+), (?<Port>Port[^,]+\*\*)" | table _time Board Port
---
If this reply helps you, an upvote would be appreciated.

New Member

Yep, that got it.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!