I have an SNMP trap that I'm trying to extract two fields from one string with a comma in the middle, but I'm getting no output from the segment of a field extraction for the comma separated pair of values.
The input includes (from raw_) {1.3.6.1.4.1.1482.20.1.2.1.4.1.5.21914:Board 3, Port 1, TS 0.0.0.0:1235}
So I want to output "Board 3" and "Port 1" in two Fields called Board and Port
When I use
| rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.\d+:(?P\w+\d+\s+),(?\w+\d+\s+)}" | table _time, Board, Port
I get nothing for the fields Board or Port in the output. I've no issues with getting a bunch of other fields from this trap, but this one escapes me....
I try to follow the Keep It Simple maxim in my regex strings. This works in regex101.com
... | rex ":(?<Board>[^,]+), (?<Port>[^,]+)" | ...
Try this
... | rex "Board\s+(?<board>\d+),\s+Port\s+(?<port>\d+)" | table _time board port
I try to follow the Keep It Simple maxim in my regex strings. This works in regex101.com
... | rex ":(?<Board>[^,]+), (?<Port>[^,]+)" | ...
Ah, unfortunately, there are a plethora of varbinds in the SNMP trap, with many semicolons. Here's a sample of the full trap
[2016/09/08 10:57:16 MDT] [INFO] (/trapd/client.(*TrapLogger).Info:29) [TRAP]: {ip:69.76.108.44,timestamp:1473353836411,oid:1.3.6.1.4.1.1482.20.1.1.1.1.0.1,varbinds:[{1.3.6.1.4.1.1482.20.1.2.1.4.1.13.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.9.5460:8},{1.3.6.1.4.1.1482.20.1.2.1.4.1.11.5460:},{1.3.6.1.4.1.1482.20.1.2.1.4.1.14.5460:TS=232.34.1.232:34000=;Cause=Service Out Loss (one service)=;},{1.3.6.1.4.1.1482.20.1.2.1.4.1.5.5460:**Board 5, Port 1**, TS 232.34.1.232:34000},{1.3.6.1.4.1.1482.20.1.2.1.4.1.8.5460:1},{1.3.6.1.4.1.1482.20.1.2.1.4.1.10.5460:269},{1.3.6.1.2.1.1.3.0:1041h33m58.73s},{1.3.6.1.4.1.1482.20.1.2.1.4.1.3.5460:DCM},{1.3.6.1.4.1.1482.20.1.2.1.4.1.4.5460:TS Out Loss},{1.3.6.1.4.1.1482.20.1.2.1.4.1.6.5460:2016/09/08 16:57:14},{1.3.6.1.4.1.1482.20.1.2.1.4.1.7.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.12.5460:0},{1.3.6.1.4.1.1482.20.1.2.1.4.1.15.5460:.1.3.6.1.2.1.47.1.1.1.1.1.501},{1.3.6.1.4.1.1482.20.1.2.1.4.1.2.5460:5460}]
I added in the preamble from the varbind I'm after to get to
rex field=raw_ "1\.3\.6\.1\.4\.1\.1482\.20\.1\.2\.1\.4\.1\.5\.[\d]+:(?[^,]+), (?[^,]+)" | table, _time, Board, Port
unfortunately, still did not return anything....
(FWIW, I did also try verbatim the rex ":(?[^,]+), (?[^,]+)"
and it failed to return anything either)
S
It works in my Splunk (6.4.1). Here's a run-anywhere example. Remove the \*\*
sequences if you just added the asterisks for emphasis.
|metadata type=sources | head 1 | eval text="[2016/09/08 10:57:16 MDT] [INFO] (/trapd/client.(*TrapLogger).Info:29) [TRAP]: {ip:69.76.108.44,timestamp:1473353836411,oid:1.3.6.1.4.1.1482.20.1.1.1.1.0.1,varbinds:[{1.3.6.1.4.1.1482.20.1.2.1.4.1.13.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.9.5460:8},{1.3.6.1.4.1.1482.20.1.2.1.4.1.11.5460:},{1.3.6.1.4.1.1482.20.1.2.1.4.1.14.5460:TS=232.34.1.232:34000=;Cause=Service Out Loss (one service)=;},{1.3.6.1.4.1.1482.20.1.2.1.4.1.5.5460:**Board 5, Port 1**, TS 232.34.1.232:34000},{1.3.6.1.4.1.1482.20.1.2.1.4.1.8.5460:1},{1.3.6.1.4.1.1482.20.1.2.1.4.1.10.5460:269},{1.3.6.1.2.1.1.3.0:1041h33m58.73s},{1.3.6.1.4.1.1482.20.1.2.1.4.1.3.5460:DCM},{1.3.6.1.4.1.1482.20.1.2.1.4.1.4.5460:TS Out Loss},{1.3.6.1.4.1.1482.20.1.2.1.4.1.6.5460:2016/09/08 16:57:14},{1.3.6.1.4.1.1482.20.1.2.1.4.1.7.5460:2},{1.3.6.1.4.1.1482.20.1.2.1.4.1.12.5460:0},{1.3.6.1.4.1.1482.20.1.2.1.4.1.15.5460:.1.3.6.1.2.1.47.1.1.1.1.1.501},{1.3.6.1.4.1.1482.20.1.2.1.4.1.2.5460:5460}]" | rex field=text ":(?<Board>\*\*Board [^,]+), (?<Port>Port[^,]+\*\*)" | table _time Board Port
Yep, that got it.