
SNMP Fan Status

Path Finder

Hi guys,

I couldn't find a question regarding this issue so here it is...

I poll SNMP on a Cisco router for fan status using the Cisco-env-mib and I get results like below:

CISCO-ENVMON-MIB::ciscoEnvMonFanState.1 = INTEGER: normal(1)

CISCO-ENVMON-MIB::ciscoEnvMonFanState.2 = INTEGER: normal(1)

I have extracted 2 fields, "ciscoEnvMonFanState.2" as FAN and "normal" as Status...

Now I am trying to get a table with 3 rows, device, Fan1 and Fan2, but I'm having trouble building a search which would populate

"Fan1" with "Status" where "FAN=ciscoEnvMonFanState.1"

"Fan2" with "Status" where "FAN=ciscoEnvMonFanState.2"

Is this possible... any help would be most appreciated

0 Karma

Path Finder

Hi guys...

Just to post an update... no luck with mvexpand... however... Splunk has a param in the props.conf file "SHOULD_LINEMERGE = False" which makes Splunk index data one line at a time...

We also found it useful to use awk with bash scripts for SNMP scripted inputs to add host fields, arrange snmptables and lots more useful things...

Thanks for your help.


0 Karma
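An added example, not the poster's own script: one way an awk-based scripted input could turn the ciscoEnvMonFanState output shown in the question into one key=value event per line, with the device name attached, so that each fan arrives as its own event when line merging is off. The function name `fan_events`, the output field names, the device name `rtr1` and the sample poll are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reformats snmpwalk-style output for
# ciscoEnvMonFanState into one key=value event per line.
# Usage (hypothetical): snmpwalk ... | fan_events <device-name>

fan_events() {
    # $1 = device name stamped on every event (supplied by the caller)
    awk -v dev="$1" '
    # Match lines such as:
    #   CISCO-ENVMON-MIB::ciscoEnvMonFanState.2 = INTEGER: normal(1)
    /ciscoEnvMonFanState\.[0-9]+ = INTEGER: / {
        idx = $1
        sub(/^.*ciscoEnvMonFanState\./, "", idx)    # keep only the fan index
        val = $NF                                   # e.g. normal(1)
        name = val; sub(/\(.*$/, "", name)          # -> normal
        code = val; sub(/^[^(]*\(/, "", code); sub(/\)$/, "", code)  # -> 1
        printf "device=%s fan=Fan%s status=%s code=%s\n", dev, idx, name, code
        next
    }
    # Any other non-empty line (timeouts, missing objects) is passed through
    # tagged with the device, so a failed poll shows up in the index
    # instead of being dropped silently.
    NF { printf "device=%s snmp_error=\"%s\"\n", dev, $0 }
    '
}

# Constructed sample poll of a two-fan router (not real device output).
sample_poll() {
    cat <<'EOF'
CISCO-ENVMON-MIB::ciscoEnvMonFanState.1 = INTEGER: normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonFanState.2 = INTEGER: normal(1)
EOF
}

sample_poll | fan_events rtr1
```

With events in this shape, the fan name and status are already separate fields on each line, so the per-device table becomes a grouping on `device` and `fan`.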


Splunk Employee

If you've gotten this far, I would extract out just the Fan Number, and then concatenate things through. E.g.,

YourSearch | rex field=FAN "(?<FanNum>\d*)$" 
           | eval FanName = "Fan" . FanNum 
           | stats first(Status) by FanName, YourHostField 

This would pull out the most recent status, and should give you a table with the three columns you're looking for. Looking again at your question, this would give you three columns, instead of three rows, but that should even make it scalable for more devices. Note that you need to extract the host somehow -- you should have that via another extracted field, or the host field, or the IP in the log, or what have you.

Let me know if that works for you.

0 Karma

Splunk Employee

As I think about it, I'm not sure how to make sure that you can pull out multiple values from two fields, and keep them correlated for the mvexpand. Give that a shot and see what it leaves you with, but perhaps someone more familiar with mv operations can comment? Alternatively, I'll try to play around with it later today and see if I can figure it out.

0 Karma

Splunk Employee

Ah, gotcha. It sounds like you'll need to enable the fan field to be multi-value. Take a look at the answer to this question:
http://answers.splunk.com/questions/11777/field-extraction-into-multivalue-field

That should let you get multiple values from the same event. That would put them both on the same row, though. You can use mvexpand to address that.
http://www.splunk.com/base/Documentation/latest/User/ParseFieldsWithMultipleValues

0 Karma

Path Finder

CISCO-ENVMON-MIB::ciscoEnvMonFanState.1 = INTEGER: normal(1)

CISCO-ENVMON-MIB::ciscoEnvMonFanState.2 = INTEGER: normal(1)

0 Karma

Path Finder

Hi David. Thanks for the reply.
I edited the search to include the FanNum and the rex recognizes both fan numbers but for some reason it only extracts the first...

    sourcetype="snmp_fan" | eval "Fan Number"="FAN.".snmp_fan_num | stats first(snmp_fan_status) by "Fan Number" host | rename host as Device first(snmp_fan_status) as "Fan Status"

I am testing this with 2 switches and 1 router... The switches have 1 fan and the search displays them correctly with fan number 1004... The router has 2 fans but the search only shows fan number 1, while fan2, which is on the second line of the log, is ignored.

0 Karma