SNMP Indexing,

asand100
New Member

Firstly, I am new to Splunk (so apologies if this is very simple).

Secondly, I have a working SNMP file being written to, and I have the MIBs loaded so that the OIDs are being converted into meaningful English. I would like to email "parts" of the information from this based on alerts; however, I am not allowed to send the full "raw" output as it contains information I need to remove (hostname / IP). However, if I try the -filter hostname ip, as the input information is listed as rawid, it does not get stripped.

Am I correct in thinking that if I index this file, I would then be able to filter out extra parts? If so, how?
Or do I need to revert to command-line passing of the snmp file and searching for the text / parts I am interested in?

Thank you for any advice.

I have a Red Hat Splunk server and my bash scripting is not up to the task.

Anthony

1 Solution

MHibbin
Influencer

As you are already indexing your data, presumably you don't need to mask the data at index time (this is normally only done with extremely sensitive data, as in the financial sector), as it could be useful for monitoring, etc.

Therefore... within the saved search that you use for alerting, you could include the "rex" command (docs here), with the "sed" mode enabled. This will allow you to modify the data output, whilst not affecting the data you index.

An example could be, if I had a raw event (an extract from a Windows event)...

Search:

* 127.0.0.1 sourcetype="WinEventLog:Security"

Event extract (show IP address):

Network Information:
    Workstation Name:   MATT-LAPTOP
    Source Network Address: 127.0.0.1
    Source Port:        0

New search with rex command:

* 127.0.0.1 sourcetype="WinEventLog:Security" | rex mode=sed "s/\d+\.\d+\.\d+\.\d+/x.x.x.x/g"

Event extract, after modification:

Network Information:
    Workstation Name:   MATT-LAPTOP
    Source Network Address: x.x.x.x
    Source Port:        0

I hope this helps answer your question. If you try this and need assistance, update your question with an extract of the raw event and what data you want masking. Once you have masked the data in this way, you can set up your alerting.

Regards,

MHibbin

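An added illustration, not part of MHibbin's answer or the Splunk docs: the same sed-style substitution applied in Python to a constructed SNMP trap line. It shows a caveat for SNMP data in particular: the answer's \d+\.\d+\.\d+\.\d+ pattern also matches the first four components of any numeric OID left in the event, so a tighter four-octet pattern (and a separate rule for the hostname value) is used alongside it. The host= key and all sample values are assumptions, and whether the lookaround syntax works in your Splunk version's rex mode=sed should be checked against the rex docs.

```python
import re

# Constructed sample SNMP trap event (not from the original post). Note the
# numeric OID in enterprise=: a naive dotted-decimal pattern masks it too.
SAMPLE_TRAP = (
    "2013-05-01T10:15:02 agent=192.0.2.17 host=core-sw01.example.internal "
    "trap=linkDown ifIndex=3 enterprise=1.3.6.1.4.1.2021 "
    "sysUpTime=0:12:34:56.78"
)

# Literal equivalent of the answer's sed expression.
NAIVE_IP = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Tighter pattern: exactly four 1-3 digit groups that are not embedded in a
# longer dotted-decimal run, so OIDs survive while IPv4 addresses are masked.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Hostname appears as a host= key/value in the constructed sample (assumption).
HOSTNAME = re.compile(r"(?<=\bhost=)\S+")


def mask_naive(event: str) -> str:
    """Apply the answer's substitution as written; OIDs get clobbered."""
    return NAIVE_IP.sub("x.x.x.x", event)


def mask_event(event: str) -> str:
    """Mask IPv4 addresses and the host= value, leaving OIDs intact."""
    event = IPV4.sub("x.x.x.x", event)
    return HOSTNAME.sub("<host>", event)


if __name__ == "__main__":
    print(mask_naive(SAMPLE_TRAP))
    print(mask_event(SAMPLE_TRAP))
```

Compare the two printed lines: the naive form turns enterprise=1.3.6.1.4.1.2021 into x.x.x.x.4.1.2021, which both corrupts the OID and tells the recipient nothing useful about what was removed.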

asand100
New Member

Thank you for the information, I will look at what I can do with a search rex command. The input data is from SNMP traps, where I need to remove the source IP before I can forward the data via email. (The data, though, is listed as RAWID when I email it, so I think I have not indexed it.) I am setting up a test system now, as I don't have access to the production environment from home.

Thank you for the ideas.

Anthony
