The log format is as follows:
SNMPv2-SMI::mib-"2.2.1.2.1" = "lo"
SNMPv2-SMI::mib-"2.2.1.2.2" = "eth0"
SNMPv2-SMI::mib-"2.2.1.2.3" = "eth1"
~~~~~
The props.conf setting is as follows:
[snmp_test]
sedcmd=s/SNMPv2::mib-2."2.2.1.2. ₩d+₩"//g s/" //g"
report-snmp_del=snmp_del
The transforms.conf setting is as follows:
[snmp_del]
DELIMS="="
FIELDS=a1,a2,a3,........a10
I want this result.
a1="lo"
a2="eth0"
a3="eth1"
But when I restart Splunk, I get this error:
Invalid key in stanza [snmp_test] in ~~/props.conf, line 123: sedcmd (value: .......)
How do you fix it?
Thanks!!
The problem is that SEDCMD and REPORT must be in ALL-CAPS.
Another problem is that SEDCMD must have a unique (but arbitrary) suffix, like this: SEDCMD-arbitraryname =
Your regex string doesn't match the data. Try
sedcmd=s/SNMPv2-SMI::mib-"2\.2\.1\.2\.\d+"//g
Hi Jihoon,
Please note that SEDCMD is used only to mask or delete raw data and is configured in props.conf.
For example, if you want to hide the first 5 digits of an account number in the vendor_sales.log source:
[22/Oct/2014:00:46:27] VendorID=9112 Code=B AcctID=4902636948
[22/Oct/2014:00:48:40] VendorID=1004 Code=J AcctID=4236256056
[22/Oct/2014:00:50:02] VendorID=5034 Code=H AcctID=8462999288
You configure the following in props.conf:
[source::.../vendor_sales.log]
SEDCMD-1acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g
SEDCMD provides "search and replace" using regular expressions and substitutions. In the example, \1 indicates the captured group.
Hope this helps. Thanks!
Hunter Shen
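One way to check a SEDCMD key and expression against sample events before restarting Splunk, as an added example that is not part of the original thread or of Splunk itself. The function names are hypothetical, only the s/regex/replacement/flags form is handled, and Python's re module is assumed to be close enough to Splunk's PCRE for these patterns.

```python
import re

# Sample events constructed from the log lines quoted in this thread.
VENDOR_EVENTS = [
    "[22/Oct/2014:00:46:27] VendorID=9112 Code=B AcctID=4902636948",
    "[22/Oct/2014:00:48:40] VendorID=1004 Code=J AcctID=4236256056",
    "[22/Oct/2014:00:50:02] VendorID=5034 Code=H AcctID=8462999288",
]
SNMP_EVENT = 'SNMPv2-SMI::mib-"2.2.1.2.1" = "lo"'

# Expressions taken from the answers above.
MASK_ACCT = r"s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g"
STRIP_OID = r's/SNMPv2-SMI::mib-"2\.2\.1\.2\.\d+"//g'


def valid_sedcmd_key(key):
    """props.conf keys are case-sensitive: the key must be SEDCMD-<class>."""
    return re.fullmatch(r"SEDCMD-\S+", key) is not None


def parse_sed(expr):
    """Split s/<regex>/<replacement>/<flags> on '/' not preceded by a backslash."""
    parts = re.split(r"(?<!\\)/", expr)
    if len(parts) != 4 or parts[0] != "s":
        raise ValueError("expected s/<regex>/<replacement>/<flags>: %r" % expr)
    _, pattern, replacement, flags = parts
    # Without the g flag only the first match in the event is replaced.
    count = 0 if "g" in flags else 1
    return re.compile(pattern), replacement, count


def apply_sedcmd(expr, event):
    """Return the event as it would look after the substitution."""
    regex, replacement, count = parse_sed(expr)
    return regex.sub(replacement, event, count=count)


if __name__ == "__main__":
    for key in ("sedcmd", "SEDCMD", "SEDCMD-1acct"):
        print(key, "->", "ok" if valid_sedcmd_key(key) else "invalid key")
    for event in VENDOR_EVENTS:
        print(apply_sedcmd(MASK_ACCT, event))
    print(repr(apply_sedcmd(STRIP_OID, SNMP_EVENT)))
```

An event that comes back unchanged means the regex did not match it, which is the condition the second answer points out for the original expression.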
Are you sure that your question is formatted correctly? Your sedcmd regex looks a little odd ...