I have SNMP logs that come in with a large variety of keyvalue pairs. The key side is translated at the trap level on the OS in order to have a human readable key. The problem is that the value side is just an integer (like an enum that references some possible set of values for that key). I have a lookup file that maps the fieldname to a human readable value/definition. Most of the keys all follow a similar part with a prefix to them being 'cpq'.
Is there any way to perform a lookup (auto or otherwise) on each of the actual field names that are auto-parsed during search time?
for example:
event line looks like:
CPQHOST-MIB::compaq Enterprise Specific Trap (CPQHOST-MIB::cpqHoMibHealthStatusArrayChangeTrap) Uptime: 178 days, 12:14:54.70
SNMPv2-MIB::sysName.0 = STRING: CPQHOST-MIB::cpqHoTrapFlags.0 = INTEGER: 4 CPQHOST-MIB::cpqHoMibHealthStatusArray.0 = Hex-STRING: 03 03 02 02 02 02 02 02 02 03 00 02 00 00 02 02
02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and in Splunk it auto-extracts the fieldnames
cpqHoTrapFlags_0 = 4
cpqHoMibHealthStatusArray_0 = 03 03 02 02 02 02 02 02 02 03 00 02 00 00 02 02 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Is there a way I can get Splunk to (auto)lookup all the field names that start with cpq for a definition in some lookup file? Or does this require more logic that would have to be taken care of in a modular inputs type thing?
... View more