APC UPS log field identification

martinpugh · ‎05-28-2012

![alt text][1]Hi all,

I'm looking to create a new index on my Splunk server to pull in the log files from our APC networked UPS's. We already grab the event data by syslog but also want to grab the environmental data, stuff like the current mains voltage and, more importantly, the internal temperature.

There doesn't seem to be any way to get this by syslog so my option seems to be to export the data using the log rotate function and then use Splunk to monitor the ftp location for files.

The problem coems when I try to import it. The format of the file is essentially a header including colum names, then a following section including tabbed data, again with columns (see below)

Network Management Card AOS v3.7.3
Smart-UPS & Matrix-UPS APP v3.7.2
Date Time Name Contact Location System IP
05/28/2012 09:13:27 BIEUP001 Martin Pugh BH0C 10.2.201.1
Smart-UPS 1500 RM
Date Time Vmin Vmax Vout %Wout Freq %Cap Vbat TupsC
05/19/2012 16:13:50 249.1 252.0 221.7 17.5 50.00 100.0 27.67 26.1
05/19/2012 16:23:50 249.1 250.5 221.7 17.5 50.00 100.0 27.67 25.6

When I start creating the new index and ask Splunk to look at the file, it manages to identify the time and date fields but then I see no way to match up the remaining columns to their colum headers. Is there a way to somehow get Splunk to match a colum to a field name?

Thanks and best regards,

Martin

jd0323fhl · ‎12-13-2017

If you are using linux, try the NUT package to parse the entries first into a syslog file.

dwaddle · ‎05-28-2012

I think I would deal with this using a regex extraction. If you want each date/time to be a separate event, then the column headers are already "lost" to you as they are part of a prior event. It's unlikely that the column names are going to change. A regex similar to this should work:

| rex "[^\s]+ [^\s]+ (?<Vmin>[^\s]+) (?<Vmax>[^\s]+) (?<Vout>[^\s]+) (?<pctWout>[^\s]+) (?<Freq>[^\s]+) (?<pctCap>[^\s]+) (?<Vbat>[^\s]+) (?<TupsC>[^\s]+)"

Another alternative is to pull the whole table in as a single event, and then use multikv to break the table into different events at search time. (
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv )

Yet a third option is to write a scripted input that can pull all of this via SNMP. APC usually has good SNMP support for all of these types of measures.

martinpugh · ‎06-08-2012

Hi dwaddle,

Cracked it with the following variation on your example in the search :-

index="test" linecount=1 | rex "(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)(?[^\t]+.)"

Now I just need to figure out how to get the file in and tag the hostname from the filename (working on it with more regex) and get some graphs built.

Thanks for your help.

dwaddle · ‎06-07-2012

You can do that, or you can plug the regex in as a configured field extraction. I guess the first question is if the regex is giving you what you want whne you use it as part of the search?

martinpugh · ‎05-29-2012

Hi, my Splunk experience is pretty basic and I'm sure I'm being a bit dim here but I'm not entirely sure where I need to plug this in. I'm trying to setup the new data input using the new Data Preview function but it doesn't accept the regex at that stage.

Should I just be accepting the file as it is and using the regex as part of my search query?

Thanks,

Martin

APC UPS log field identification

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life