Hi all,
I may be going at this in the completely wrong way, but I'm looking at extracting information from traps sent by a system, and then using them to generate reports.
So I have this trap:
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.1230.2.7.4.3 SNMPv2-SMI::enterprises.1230.2.7.4.10.4 = INTEGER: 6 SNMPv2-SMI::enterprises.1230.2.7.4.10.5 = STRING: "neptune"
The system is picking up the fields ok, like "SNMPv2-SMI::enterprises.1230.2.7.4.10.5", but then its content is "STRING: \"neptune\"".
I'm looking at removing the word "STRING: ", both quotes (""), and just keeping the rest (neptune), preferably somehow placing that into a field named "planet".
My report will then look at displaying how many times each planet was observed, sort of thing.
Is this possible? Does this reasoning make any sense? I was thinking about using rex for this, but I must be way off the mark because nothing seems to work for me...
I was trying: | rex field=_raw "STRING: \"(? .*)\""
Help, please?
Thanks