Solved: Extracting fields from snmp traps

swannie · ‎08-22-2016

Hi all,

I'm trying to extract key/value data from SNMP trap data logged to my splunk server. I have snmptrapd running in the background and logging to a file, which splunk is monitoring. All that is working great. The data that makes it into splunk looks like this:

2016-08-22 12:42:21 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:
sysUpTimeInstance = 80:20:41:00.00  snmpTrapOID.0 = ciscoLwappDot11ClientMIBNotifs.2    cldcClientMacAddress.'......' = d4:b:1a:92:fc:8b    cldcClientWlanProfileName.'......' = SSID   cldcClientEntry.'......'.139 = 10.64.97.246 cldcApMacAddress.'......' = 58:f3:9c:c8:55:20   cldcClientEntry.'......'.139 = 0    cldcClientEntry.'......'.139 = 396

I'm trying to use the kv command like this: " ... | kv pairdelim="\t" kvdelim=" = " "which grabs some of the fields, but I think the problem is that there's extra snmp variable data that I need to get rid of. With the example above I get a key of "cldcClientEntry_________139" and value of "10.64.97.246" but what I want to get is "cldcClientEntry" and value of "10.64.97.246" ... so I think I need some way to stop matching the key as soon as it hits a period, but I'm not quite sure where/how to do that. Any suggestions?

Thanks,
Brian

javiergn · ‎08-22-2016

Try this instead:

your base search
| rex mode=sed "s/(\.\'[\.]+\')?(\.\d+)? =/ =/g"
| kv pairdelim="\t" kvdelim=" = "

It worked fine for me based on your sample above (and using several spaces instead of tabs because of the copy and paste):

| makeresults
| fields - _time
| eval _raw = "2016-08-22 12:42:21 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:
 sysUpTimeInstance = 80:20:41:00.00    snmpTrapOID.0 = ciscoLwappDot11ClientMIBNotifs.2    cldcClientMacAddress.'......' = d4:b:1a:92:fc:8b    cldcClientWlanProfileName.'......' = SSID    cldcClientEntry.'......'.139 = 10.64.97.246    cldcApMacAddress.'......' = 58:f3:9c:c8:55:20    cldcClientEntry.'......'.139 = 0    cldcClientEntry.'......'.139 = 396"
| rex mode=sed "s/(\.\'[\.]+\')?(\.\d+)? =/ =/g"
| kv pairdelim="    " kvdelim=" = "

Output:

View solution in original post

s2_splunk · ‎08-22-2016

Hi Brian,
from your sample event, it appears that the unwanted string is always .'.....', sometimes followed by .nnn so the simplest is probably removing that from the source events during indexing using SEDCMD for your source (or sourcetype) in props.conf, like so:

[source::yourlogfile]
SEDCMD-removeUnwantedStuff = s/\.\'[.'1234567890]+//g

Not that this will alter the events before they get indexed, so it will only apply to new events coming in.
If you don't want to do that, you can use the rex command at search time, like so:

yoursearch | rex mode=sed ddd "s/\.\'[.'1234567890]+//g"

I hope this helps.

swannie · ‎08-22-2016

Thanks for the idea, but I might have gave a bad example. The text following the OID is variable and different (it happened to be the same in this log entry because it was all non-printable characters).

s2_splunk · ‎08-22-2016

Fair enough. Looks like you figured it out how to adjust the RegEx in SED to match any character from the first dot to the next equals sign.
You may want to consider removing that extraneous stuff before indexing the data, unless you need those characters for any other search. You could configure SEDCMD in your props.conf to achieve that.
Either way works fine, schema on the fly at work! 🙂

javiergn · ‎08-22-2016

Try this instead:

your base search
| rex mode=sed "s/(\.\'[\.]+\')?(\.\d+)? =/ =/g"
| kv pairdelim="\t" kvdelim=" = "

It worked fine for me based on your sample above (and using several spaces instead of tabs because of the copy and paste):

| makeresults
| fields - _time
| eval _raw = "2016-08-22 12:42:21 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:
 sysUpTimeInstance = 80:20:41:00.00    snmpTrapOID.0 = ciscoLwappDot11ClientMIBNotifs.2    cldcClientMacAddress.'......' = d4:b:1a:92:fc:8b    cldcClientWlanProfileName.'......' = SSID    cldcClientEntry.'......'.139 = 10.64.97.246    cldcApMacAddress.'......' = 58:f3:9c:c8:55:20    cldcClientEntry.'......'.139 = 0    cldcClientEntry.'......'.139 = 396"
| rex mode=sed "s/(\.\'[\.]+\')?(\.\d+)? =/ =/g"
| kv pairdelim="    " kvdelim=" = "

Output:

swannie · ‎08-22-2016

Okay, I'm having a problem wrapping my head around the SED command, and the interwebs aren't helping. Here's another log example:

2016-08-22 14:57:08 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:
sysUpTimeInstance = 80:22:55:48.00  snmpTrapOID = ciscoLwappDot11ClientMIBNotifs.2  cldcClientMacAddress.'.*..q.' = e8:2a:ea:c6:71:d6   cldcClientWlanProfileName.'.*..q.' = RAMBLERS   cldcClientEntry.'..*..q' = 10.64.30.36  cldcApMacAddress.'.*..q.' = f0:7f:6:3e:20:30    cldcClientEntry.'..*..q' = 0    cldcClientEntry.'..*..q' = 330

Basically, I want to take everything from the first period up to (but not including) the equal sign and trash it. I tried to modify the original SED script you gave me, but it's not working as expected. Any thoughts?

swannie · ‎08-22-2016

I think I got it .. here's what I settled on:

rex mode=sed "s/\.([^\s]+) =/ =/g"

swannie · ‎08-22-2016

Ahh... I didn't think about pre-processing those fields. I'll have to try it on a few different log entries and see what I need to tweak. Thanks for your assistance!

Extracting fields from snmp traps

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...