Hello,
I am trying to calculate the RTT time of a host where the IP is in one source and the RTT time is in a different source. The common field is a field extraction I have done, which is called ID.
Source1 - has hex IP
index=abc sourcetype=xyz source=*back* *0x*
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
Source2 - has RTT time, which is an extracted field
index=msad sourcetype=snmp source=*MAX*
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
Sample event source1
SNMPv2-SMI::enterprises."9.9.42.1.3.2.1.8.2135576845.1109857196.1.1" = "0x0a160205"
Sample event source2
SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857176.1.1.1" = "177"
The common field is the ID in the above events. The value is 1109857196. I want to get the RTT time, IP and ID fields in a table by combining these two sources, whose index and sourcetype are the same.
Thanks,
Vineeth
index=abc sourcetype=snmp ((source=*back* *0x* ) OR source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| stats values(ip) as ip values(RTT) as RTT by ID
Give this a try
(index=abc sourcetype=xyz source=*back* *0x*) OR (index=msad sourcetype=snmp source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})"
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16))
| rex field=_raw "\"(?<RTT>[^\"]+)\"$"
| stats values(ip) as ip values(RTT) as RTT by ID
Hello @somesoni2
I tried your query but the RTT field is showing blank. Just a small change: both the sourcetypes are the same but the sources are different.
In your sample event 2, I'm taking "177" as RTT (which I'm assuming comes at the end of the raw data). If that is not correct then you'd have to update the regex (2nd last line) for RTT.
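Added example (not part of the thread above, and not Splunk code): a small Python script that runs the same three rex stages and the `stats values(...) by ID` grouping from the combined searches over the two sample events posted in the question, so the regexes and the hex-to-IP eval can be checked offline before they go into a search. Two things are assumed or changed here: the ID regex is the posted one with the dots between OID components escaped as `\.` (the posted pattern uses a bare `.`, which matches any character), and a third, constructed source2 event with ID 1109857196 and RTT 203 is added, because the two events posted in the question carry different IDs (1109857196 and 1109857176) and so would land on separate rows. The script also shows why the answer's RTT regex, `"([^"]+)"$`, captures the hex string `0x0a160205` as RTT on source1 events, and uses a digits-only variant instead so that RTT stays empty on those events.

```python
import re
from collections import defaultdict

# Sample events copied from the thread (source1 = hex IP, source2 = RTT),
# plus one constructed source2 event whose ID matches the source1 event so
# that a joined row appears. The two events posted in the thread carry
# different IDs (...196 vs ...176) and therefore land on separate rows.
SAMPLE_EVENTS = [
    'SNMPv2-SMI::enterprises."9.9.42.1.3.2.1.8.2135576845.1109857196.1.1" = "0x0a160205"',
    'SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857176.1.1.1" = "177"',
    # constructed: same OID shape as source2, ID 1109857196, RTT 203
    'SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857196.1.1.1" = "203"',
]

# Same pattern as the thread's rex for ID, with the literal dots escaped
# (the posted regex uses a bare `.` between OID components, which matches
# any character). Python names capture groups with (?P<...>).
ID_RE = re.compile(
    r'\."\d\.\d\.\d{2}\.\d\.\d\.\d\.\d\.\d{1,2}\.\d{10}\.(?P<ID>[^.]+)'
)

# The thread's hex-IP rex: four byte pairs after "0x", case-insensitive.
HEX_IP_RE = re.compile(
    r'0x(?P<d1>[0-9A-F]{2})(?P<d2>[0-9A-F]{2})(?P<d3>[0-9A-F]{2})(?P<d4>[0-9A-F]{2})',
    re.I,
)

# The answer's RTT rex takes whatever sits in the last quoted string, so on a
# source1 event it captures the hex IP string as RTT. Restricting the capture
# to digits leaves RTT empty on those events instead (assumption: RTT is an
# integer, as in the posted sample).
RTT_RE_POSTED = re.compile(r'"(?P<RTT>[^"]+)"$')
RTT_RE_NUMERIC = re.compile(r'"(?P<RTT>\d+)"$')


def hex_to_ip(d1, d2, d3, d4):
    """Equivalent of the thread's eval: tonumber(dN, 16) joined with dots."""
    return ".".join(str(int(d, 16)) for d in (d1, d2, d3, d4))


def extract_fields(event, rtt_re=RTT_RE_NUMERIC):
    """Apply the three rex stages of the combined search to one raw event.

    Returns a dict with ID, ip and RTT; a stage that does not match leaves
    the field as None, which is how an event without that field behaves
    in `stats`.
    """
    fields = {"ID": None, "ip": None, "RTT": None}
    m = ID_RE.search(event)
    if m:
        fields["ID"] = m.group("ID")
    m = HEX_IP_RE.search(event)
    if m:
        fields["ip"] = hex_to_ip(*m.group("d1", "d2", "d3", "d4"))
    m = rtt_re.search(event)
    if m:
        fields["RTT"] = m.group("RTT")
    return fields


def stats_values_by_id(events, rtt_re=RTT_RE_NUMERIC):
    """Mimic `stats values(ip) as ip values(RTT) as RTT by ID`.

    values() yields the distinct non-null values per group, so each row is
    ID -> {"ip": [...], "RTT": [...]}. Events without an ID are dropped,
    as `by ID` does.
    """
    rows = defaultdict(lambda: {"ip": set(), "RTT": set()})
    for ev in events:
        f = extract_fields(ev, rtt_re)
        if f["ID"] is None:
            continue
        if f["ip"] is not None:
            rows[f["ID"]]["ip"].add(f["ip"])
        if f["RTT"] is not None:
            rows[f["ID"]]["RTT"].add(f["RTT"])
    return {k: {"ip": sorted(v["ip"]), "RTT": sorted(v["RTT"])} for k, v in rows.items()}


if __name__ == "__main__":
    for id_, row in sorted(stats_values_by_id(SAMPLE_EVENTS).items()):
        print(id_, row["ip"], row["RTT"])
```

Running it prints one row per ID: 1109857176 with no IP and RTT 177, and 1109857196 with IP 10.22.2.5 and RTT 203. The row for 1109857176 is what an unmatched ID looks like in the Splunk table, so a blank column is the first thing to check when the IDs extracted from the two sources do not actually line up.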