×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
cadfael
New Member
Member since: ‎09-08-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-08-2016
Activity Feed
View All

Re: How to edit my rex statement to these two fiel...

by in Splunk Search
‎09-08-2016 10:26 AM
‎09-08-2016 10:26 AM
Yep, that got it. ... View more

Re: How to edit my rex statement to these two fiel...

by in Splunk Search
‎09-08-2016 10:00 AM
‎09-08-2016 10:00 AM
Ah, unfortunately, there are a plethora of varbinds in the SNMP trap, with many semicolons. Here's a sample of the full trap [2016/09/08 10:57:16 MDT] [INFO] (/trapd/client.(*TrapLogger).Info:29) [TRAP]: {ip:69.76.108.44,timestamp:1473353836411,oid:1.3.6.1.4.1.1482.20.1.1.1.1.0.1,varbinds:[{1.3.6.1.4.1.1482.20.1.2.1.4.1.13.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.9.5460:8},{1.3.6.1.4.1.1482.20.1.2.1.4.1.11.5460:},{1.3.6.1.4.1.1482.20.1.2.1.4.1.14.5460:TS=232.34.1.232:34000=;Cause=Service Out Loss (one service)=;},{1.3.6.1.4.1.1482.20.1.2.1.4.1.5.5460:**Board 5, Port 1**, TS 232.34.1.232:34000},{1.3.6.1.4.1.1482.20.1.2.1.4.1.8.5460:1},{1.3.6.1.4.1.1482.20.1.2.1.4.1.10.5460:269},{1.3.6.1.2.1.1.3.0:1041h33m58.73s},{1.3.6.1.4.1.1482.20.1.2.1.4.1.3.5460:DCM},{1.3.6.1.4.1.1482.20.1.2.1.4.1.4.5460:TS Out Loss},{1.3.6.1.4.1.1482.20.1.2.1.4.1.6.5460:2016/09/08 16:57:14},{1.3.6.1.4.1.1482.20.1.2.1.4.1.7.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.12.5460:0},{1.3.6.1.4.1.1482.20.1.2.1.4.1.15.5460:.1.3.6.1.2.1.47.1.1.1.1.1.501},{1.3.6.1.4.1.1482.20.1.2.1.4.1.2.5460:5460}] I added in the preamble from the varbind I'm after to get to rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.[\d]+:(?[^,]+), (?[^,]+)" | table, _time, Board, Port unfortunately, still did not return anything.... (FWIW, I did also try verbatim the rex ":(?[^,]+), (?[^,]+)" and it failed to return anything either) S ... View more

How to edit my rex statement to these two fields f...

by in Splunk Search
‎09-08-2016 09:31 AM
‎09-08-2016 09:31 AM
I have an SNMP trap that I'm trying to extract two fields from one string with a comma in the middle, but I'm getting no output from the segment of a field extraction for the comma separated pair of values. The input includes (from raw_) {1.3.6.1.4.1.1482.20.1.2.1.4.1.5.21914:Board 3, Port 1, TS 0.0.0.0:1235} So I want to output "Board 3" and "Port 1" in two Fields called Board and Port When I use | rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.\d+:(?P\w+\d+\s+),(?\w+\d+\s+)}" | table _time, Board, Port I get nothing for the fields Board or Port in the output. I've no issues with getting a bunch of other fields from this trap, but this one escapes me.... ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM