I've clearly munged something in my transform:
# props.conf
[snmp-trap]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = snmp-trap-host
REPORT-snmp-trap = snmp-trap-extractions
SHOULD_LINEMERGE = False
# transforms.conf
[snmp-trap-host]
DEST_KEY = MetaData:Host
REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3}
FORMAT = host::$1
[snmp-trap-extractions]
REGEX = ^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*)
FORMAT = trap_oid::$3
After running | delete, deleting and re-adding the data input file, my searches are returning:
10/3/11
5:33:40.000 PM
2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4
host=$1 sourcetype=snmp-trap source=/var/log/snmptt/snmptt.log
however it should read host=10.219.49.31.
The initial entry from /var/log/snmptt/snmptt.log reads as follows:
2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" 10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4
Anyone have any pointers?
Try wrapping your REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3} in parentheses as such:
REGEX = ((?:[0-9]{1,3}\.){3}[0-9]{1,3})
hmmm...at its present state that will capture only the first three octets of an IP address.
Or simply change the (?:...) (non-capturing group) to a (...) (capturing group). $1 refers to the contents of the first capturing group in the regex.
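To make the capturing-group point concrete, here is a small Python simulation of the two transforms in the question, run over the sample snmptt.log line quoted above. It is an added example, not code from the question or from Splunk; the helper names (apply_transform, split_kv) are my own, and the rule that an unmatched $N in FORMAT is left as the literal text "$1" is an assumption chosen to reproduce what the question observed, not something taken from Splunk documentation. It shows why the non-capturing original yields host=$1 while the wrapped version yields the real address, and that the REPORT extraction was already fine.

```python
import re

# Constructed sample: the snmptt.log line quoted in the question.
LOG_LINE = ('2011-10-03 17:33:40 mplsVrfIfDown Warning "Status Events" '
            '10.219.49.31 - interface: unknown (index: 275) vrf: Inetv4')

# Original host transform from the question: the address group is non-capturing,
# so the regex has no group 1 for FORMAT to refer to.
HOST_REGEX_ORIGINAL = r'(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
# Corrected transform from the answers: wrap the whole address in a capturing group.
HOST_REGEX_FIXED = r'((?:[0-9]{1,3}\.){3}[0-9]{1,3})'
HOST_FORMAT = 'host::$1'

# REPORT extraction from the question, unchanged; group 3 is the trap name.
TRAP_REGEX = r'^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*)'
TRAP_FORMAT = 'trap_oid::$3'

_PLACEHOLDER = re.compile(r'\$(\d+)')


def apply_transform(regex, fmt, event):
    """Mimic a Splunk transform: run REGEX over the event (first match) and
    expand every $N in FORMAT from the capture groups.

    Returns None when REGEX does not match. Assumption (hypothetical, chosen to
    reproduce the symptom in the question): a $N that names a group the regex
    does not have is left as the literal text '$N' rather than raising."""
    m = re.search(regex, event)
    if m is None:
        return None

    def expand(ph):
        n = int(ph.group(1))
        if 1 <= n <= len(m.groups()):
            return m.group(n)
        return ph.group(0)  # no such group: keep the literal '$N'

    return _PLACEHOLDER.sub(expand, fmt)


def split_kv(result):
    """Turn a 'key::value' FORMAT result into a (key, value) tuple."""
    key, _, value = result.partition('::')
    return key, value


if __name__ == '__main__':
    for label, regex in (('original', HOST_REGEX_ORIGINAL),
                         ('fixed', HOST_REGEX_FIXED)):
        print(label, apply_transform(regex, HOST_FORMAT, LOG_LINE))
    print('report', apply_transform(TRAP_REGEX, TRAP_FORMAT, LOG_LINE))
```

Running it prints host::$1 for the original regex and host::10.219.49.31 for the fixed one. The practical consequence of the original is that every trap is indexed under a single bogus host, so per-host searches, alerts and correlation with other data sources silently miss these events; checking the value of host on a handful of fresh events after any change to a MetaData:Host transform is a cheap way to catch this.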