Getting Data In

Dynamic Host Field Value for SNMP Traps

jedatt01
Builder

I have my traps set up to go to a log file in /var/log/snmp-traps. I want to be able to have the host field value reflect the actual host the trap originally came from. Is that possible? See trap below, host portion is bold.

NET-SNMP version 5.4.2.1
2012-09-25 17:41:17 testhost.host.net 192.168.15.15 TRAP, SNMP v1, community c@nT0uchth1S
CISCO-CONFIG-MAN-MIB::ciscoConfigManMIBNotificationPrefix Enterprise Specific Trap (CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent) Uptime: 83 days, 15:48:11.04
CISCO-CONFIG-MAN-MIB::ccmHistoryEventCommandSource.1004 = INTEGER: commandLine(1) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource.1004 = INTEGER: commandSource(2) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigDestination.1004 = INTEGER: running(3)

Tags (3)
0 Karma
1 Solution

Ayn
Legend

Sure! On the indexer, set up props.conf / transforms.conf settings that extract the value you want for host and then write it to the host field:

props.conf

[yoursourcetype]
TRANSFORMS-snmphost = snmphost

transforms.conf

[snmphost]
REGEX = ^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d[2} \d+:\d+:\d: (\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

(make sure the regex matches correctly using something like Splunk's own rex/regex commands or external tools like regexpal.net)

This is covered in the docs as well: http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.co...

View solution in original post

0 Karma

jedatt01
Builder

Works perfectly! thanks

0 Karma

Ayn
Legend

Sure! On the indexer, set up props.conf / transforms.conf settings that extract the value you want for host and then write it to the host field:

props.conf

[yoursourcetype]
TRANSFORMS-snmphost = snmphost

transforms.conf

[snmphost]
REGEX = ^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d[2} \d+:\d+:\d: (\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

(make sure the regex matches correctly using something like Splunk's own rex/regex commands or external tools like regexpal.net)

This is covered in the docs as well: http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.co...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...