I have my traps set up to go to a log file in /var/log/snmp-traps. I want to be able to have the host field value reflect the actual host the trap originally came from. Is that possible? See trap below, host portion is bold.
NET-SNMP version 5.4.2.1
2012-09-25 17:41:17 testhost.host.net 192.168.15.15 TRAP, SNMP v1, community c@nT0uchth1S
CISCO-CONFIG-MAN-MIB::ciscoConfigManMIBNotificationPrefix Enterprise Specific Trap (CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent) Uptime: 83 days, 15:48:11.04
CISCO-CONFIG-MAN-MIB::ccmHistoryEventCommandSource.1004 = INTEGER: commandLine(1) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource.1004 = INTEGER: commandSource(2) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigDestination.1004 = INTEGER: running(3)
Sure! On the indexer, set up props.conf / transforms.conf settings that extract the value you want for host and then write it to the host field:
props.conf
[yoursourcetype]
TRANSFORMS-snmphost = snmphost
transforms.conf
[snmphost]
REGEX = ^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d{2} \d+:\d+:\d+ (\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
(make sure the regex matches correctly using something like Splunk's own rex/regex commands or external tools like regexpal.net)
This is covered in the docs as well: http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.co...
Works perfectly! thanks
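As an added example (not part of the original question or answer), here is a small Python script for checking the host-override REGEX against sample trap text before committing it to transforms.conf. The two events are constructed to mirror the shape of the trap in the question. The regex is the answer's pattern with its typos corrected (`\d[2}` and the truncated seconds field); note that it only matches when the `NET-SNMP version` banner line is the first line of the event, so the sourcetype's line-breaking must keep the banner and the timestamp line together. The second, timestamp-anchored pattern is an assumption of this example, not something from the page: it finds the host whether or not the banner is part of the event. Both patterns use syntax that Splunk's PCRE and Python's `re` treat the same way.

```python
"""Check a Splunk host-override REGEX against sample snmptrapd events
before committing it to transforms.conf."""
import re
from typing import Dict, List, Optional

# Constructed sample events (not taken from a live system). The first has
# the NET-SNMP banner line as part of the event; the second shows what the
# same trap looks like if Splunk's line-breaking starts the event at the
# timestamp line instead.
EVENT_WITH_BANNER = (
    "NET-SNMP version 5.4.2.1\n"
    "2012-09-25 17:41:17 testhost.host.net 192.168.15.15 TRAP, SNMP v1, community public\n"
    "CISCO-CONFIG-MAN-MIB::ciscoConfigManMIBNotificationPrefix Enterprise Specific Trap"
)
EVENT_WITHOUT_BANNER = (
    "2012-09-25 17:41:17 testhost.host.net 192.168.15.15 TRAP, SNMP v1, community public\n"
    "CISCO-CONFIG-MAN-MIB::ciscoConfigManMIBNotificationPrefix Enterprise Specific Trap"
)

# The answer's REGEX with its typos fixed. It requires the banner line to be
# present at the very start of the event.
BANNER_REGEX = re.compile(
    r"^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d{2} \d+:\d+:\d+ (\S+)"
)

# Assumed alternative (not from the page): anchor on the timestamp line so the
# host is found whether or not the banner is part of the event. (?m) lets ^
# match at the start of any line, and the trailing IP + "TRAP" guards against
# matching a timestamp-like token elsewhere in the varbinds.
TIMESTAMP_REGEX = re.compile(
    r"(?m)^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+) \d{1,3}(?:\.\d{1,3}){3} TRAP"
)


def extract_host(event: str, regex: "re.Pattern[str]" = BANNER_REGEX) -> Optional[str]:
    """Return the value that FORMAT = host::$1 would write to MetaData:Host,
    or None if the regex does not match (the event keeps the default host)."""
    m = regex.search(event)
    return m.group(1) if m else None


def check_regex(events: List[str], regex: "re.Pattern[str]") -> Dict[str, Optional[str]]:
    """Map each sample event (keyed by its first line) to the host it yields.
    A None value flags an event that would silently keep Splunk's default host."""
    return {e.split("\n", 1)[0]: extract_host(e, regex) for e in events}


if __name__ == "__main__":
    samples = [EVENT_WITH_BANNER, EVENT_WITHOUT_BANNER]
    for name, rx in (("banner-anchored", BANNER_REGEX),
                     ("timestamp-anchored", TIMESTAMP_REGEX)):
        print(name)
        for first_line, host in check_regex(samples, rx).items():
            print(f"  {first_line[:40]!r:44} -> {host}")
```

Run it as-is and any None in the output tells you which event shape would not get its host rewritten; that is the case to reproduce with Splunk's own rex command on real indexed data before relying on the transform.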