Splunk Search

Manipulating SNMP Data: how to correlate fields

guimilare
Communicator

Hello Splunkers.

I'm indexing some SNMP data from a server.
Here is one event indexed:

HOST-RESOURCES-MIB::hrStorageDescr."31" = "/" 
HOST-RESOURCES-MIB::hrStorageDescr."35" = "/tmp" 
HOST-RESOURCES-MIB::hrStorageDescr."36" = "/home" 
HOST-RESOURCES-MIB::hrStorageDescr."37" = "/usr" 
HOST-RESOURCES-MIB::hrStorageDescr."38" = "/usr/local" 
HOST-RESOURCES-MIB::hrStorageDescr."39" = "/var" 
HOST-RESOURCES-MIB::hrStorageDescr."40" = "/var/log" 
HOST-RESOURCES-MIB::hrStorageDescr."41" = "/opt" 
HOST-RESOURCES-MIB::hrStorageDescr."42" = "/opt/nds/data" 
HOST-RESOURCES-MIB::hrStorageDescr."43" = "/var/log/nds" 
HOST-RESOURCES-MIB::hrStorageDescr."44" = "/var/log/splunk" 
HOST-RESOURCES-MIB::hrStorageDescr."45" = "/boot"
HOST-RESOURCES-MIB::hrStorageSize."1" = "132061388" 
HOST-RESOURCES-MIB::hrStorageSize."3" = "168263816" 
HOST-RESOURCES-MIB::hrStorageSize."6" = "132061388" 
HOST-RESOURCES-MIB::hrStorageSize."7" = "94129872" 
HOST-RESOURCES-MIB::hrStorageSize."10" = "36202428" 
HOST-RESOURCES-MIB::hrStorageSize."31" = "1015393" 
HOST-RESOURCES-MIB::hrStorageSize."35" = "1015385" 
HOST-RESOURCES-MIB::hrStorageSize."36" = "1523090" 
HOST-RESOURCES-MIB::hrStorageSize."37" = "2030792" 
HOST-RESOURCES-MIB::hrStorageSize."38" = "1015385" 
HOST-RESOURCES-MIB::hrStorageSize."39" = "2030792" 
HOST-RESOURCES-MIB::hrStorageSize."40" = "2538497" 
HOST-RESOURCES-MIB::hrStorageSize."41" = "12696559" 
HOST-RESOURCES-MIB::hrStorageSize."42" = "5073149" 
HOST-RESOURCES-MIB::hrStorageSize."43" = "19045441" 
HOST-RESOURCES-MIB::hrStorageSize."44" = "7384608" 
HOST-RESOURCES-MIB::hrStorageSize."45" = "507684" 
HOST-RESOURCES-MIB::hrStorageUsed."1" = "102838612" 
HOST-RESOURCES-MIB::hrStorageUsed."3" = "102838612" 
HOST-RESOURCES-MIB::hrStorageUsed."6" = "4708464" 
HOST-RESOURCES-MIB::hrStorageUsed."7" = "94129872" 
HOST-RESOURCES-MIB::hrStorageUsed."10" = "0" 
HOST-RESOURCES-MIB::hrStorageUsed."31" = "188130" 
HOST-RESOURCES-MIB::hrStorageUsed."35" = "55800" 
HOST-RESOURCES-MIB::hrStorageUsed."36" = "1302834" 
HOST-RESOURCES-MIB::hrStorageUsed."37" = "868359" 
HOST-RESOURCES-MIB::hrStorageUsed."38" = "165013" 
HOST-RESOURCES-MIB::hrStorageUsed."39" = "1473096" 
HOST-RESOURCES-MIB::hrStorageUsed."40" = "1659690" 
HOST-RESOURCES-MIB::hrStorageUsed."41" = "9159791" 
HOST-RESOURCES-MIB::hrStorageUsed."42" = "779795" 
HOST-RESOURCES-MIB::hrStorageUsed."43" = "8276891" 
HOST-RESOURCES-MIB::hrStorageUsed."44" = "86509" 
HOST-RESOURCES-MIB::hrStorageUsed."45" = "13485"

What I want to do is something like the table below:

Partition       Avail.    Used      Used%
/               1015393   188130    18,52
/tmp            1015385   55800     5,49
/home           1523090   1302834   85,53
/usr            2030792   868359    42,75
/usr/local      1015385   165013    16,25
/var            2030792   1473096   72,53
/var/log        2538497   1659690   65,38
/opt            12696559  9159791   72,14
/opt/ser/data   5073149   779795    15,37
/var/log/ser    19045441  8276891   43,45
/var/log/splunk 7384608   86509     1,17
/boot           507684    13485     2,65

I'd like to use the "id" in each line to correlate it with the same "id" in the other lines.
How can I do this?

Thanks in advance!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Agree. If you have control, can you change the line breaking of events to treat each line as a separate event? If not, we need to do the same via a search-time operation, like this

your base search  
| rex max_match=0 "HOST-RESOURCES-MIB::hrStorage(?<temp>\w+\.\"\d+\" \= \"[^\"]+\")" 
| table temp | mvexpand temp
| rex field=temp "(?<Metrics>\w+)\.\"(?<ID>\d+)\" \= \"(?<Val>[^\"]+)\""
| chart values(Val) over ID by Metrics 
| rename Descr as Partition Size as Avail 
| table Partition Avail Used | eval "Used%"=round(Used*100/Avail,2)


0 Karma
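The same correlation done offline, as an added example that is not part of the thread: it mirrors the accepted answer's pipeline (rex over the whole event, mvexpand, chart values(Val) over ID by Metrics, then the Used% eval) in plain Python, using a constructed subset of the event from the question. It also handles one thing the SPL as written does not: hrStorage indexes such as "1" that report Size and Used but have no Descr line and would otherwise become rows with an empty Partition.

```python
"""Pivot a multi-line HOST-RESOURCES-MIB event by hrStorage index."""
import re
from collections import defaultdict

# Same shape as the answer's second rex: metric name, quoted index, quoted value.
LINE_RE = re.compile(
    r'HOST-RESOURCES-MIB::hrStorage(?P<metric>\w+)\."(?P<id>\d+)" = "(?P<val>[^"]+)"'
)

# Constructed sample: a subset of the event posted in the question.
SAMPLE_EVENT = """\
HOST-RESOURCES-MIB::hrStorageDescr."31" = "/"
HOST-RESOURCES-MIB::hrStorageDescr."36" = "/home"
HOST-RESOURCES-MIB::hrStorageSize."1" = "132061388"
HOST-RESOURCES-MIB::hrStorageSize."31" = "1015393"
HOST-RESOURCES-MIB::hrStorageSize."36" = "1523090"
HOST-RESOURCES-MIB::hrStorageUsed."1" = "102838612"
HOST-RESOURCES-MIB::hrStorageUsed."31" = "188130"
HOST-RESOURCES-MIB::hrStorageUsed."36" = "1302834"
"""


def pivot_by_index(event: str) -> dict:
    """Return {id: {metric: value}}, the equivalent of 'chart values(Val) over ID by Metrics'."""
    rows = defaultdict(dict)
    for m in LINE_RE.finditer(event):  # rex max_match=0 over the whole event
        rows[m.group("id")][m.group("metric")] = m.group("val")
    return dict(rows)


def partition_table(event: str) -> list:
    """Build (Partition, Avail, Used, Used%) rows, ordered by index.

    Indexes without a Descr (e.g. "1": physical memory, not a mount point)
    are skipped instead of producing a row with an empty Partition.
    """
    table = []
    for idx, metrics in sorted(pivot_by_index(event).items(), key=lambda kv: int(kv[0])):
        if "Descr" not in metrics:
            continue
        avail = int(metrics["Size"])
        used = int(metrics["Used"])
        pct = round(used * 100 / avail, 2) if avail else None  # eval "Used%"=round(...)
        table.append((metrics["Descr"], avail, used, pct))
    return table
```

Note that the percentages come out rounded (18.53 for "/"), whereas the table in the question appears to truncate (18,52).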


cpetterborg
SplunkTrust
SplunkTrust

somesoni2 - That is great that you had that so quickly! Definitely do this as an answer, then if guimilare can't separate the event into individual lines, he can accept that as the answer. I think this has some great potential for plenty of other people and having it flagged as answered and accepted will help. You really have some great answers here and I think that sometimes your answers just get hidden down in the comments. Heaven knows you don't need the karma, but it would help to know that a good and accepted answer is here. Thanks!!! 🙂 🙂

DalJeanis
SplunkTrust
SplunkTrust

I have to agree. Sometimes I just change somesoni2's comments to answers myself... because often they are.

0 Karma

guimilare
Communicator

Hi somesoni2, it worked perfectly!! Thank you very much!
Our team is evaluating both event breaking methods to determine which one of them will give us simpler SPL searches.

Thank you both somesoni2 and cpetterborg for your answers! They helped a lot!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

That is one single event right?

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

It would be much easier if it were a separate event for each line. Then you could use eval to get the number, tie the event together by the number, extract the fields, then combine through a table and eval the %Used.

guimilare
Communicator

That's correct

0 Karma