- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- SNMP Data Events, need help matching indexed value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SNMP Data Events, need help matching indexed values with regex
I am using the SNMP Modular Input package found here: https://splunkbase.splunk.com/app/1537/
My Splunk events appear as the following:
MYMIB::errorCounter."0" = "10" MYMIB::errorCounter."1" = "12" MYMIB::errorCounter."2" = "13" MYMIB::errorCounter."3" = "17" MYMIB::elementID."0" = "compid1" MYMIB::elementID."1" = "amescomp2" MYMIB::elementID."2" = "othercompid" MYMIB::elementID."3" = "hi"
sourcetype = snmp_ta
I am trying to match each errorCounter and elementID with the same index, denoted by ."". I want to create a time chart that will show the change in errorCount for each unique elementID over time. Currently, both the fields and indexes are not being recognized by Splunk. I tried using the REX command to extract data but I am having a hard time finding a solution that will work when I add another 100+ indexes of data per event. Any help would be appreciated thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try below query
<yourBasesearch>
| rex "::(?<a>\w+)\.\"(?<b>\d+)\"\s\=\s\"(?<c>\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval f=mvindex(split(e,","),0), h=mvindex(split(e,","),2)
| eval {f}=h
| stats list(elementID) as elementID, list(errorCounter) as errorCounter by _time
| eval i = mvzip(elementID,errorCounter)
| mvexpand i
| eval elementID=mvindex(split(i,","),0), errorCounter=mvindex(split(i,","),1)
| timechart avg(errorCounter) by elementID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for your response! It helped out a lot. I was able to adjust the query slightly to get just about what I wanted. Unfortunately, in the xyseries portion of my query below "| xyseries _time indexes myerrorCount" I would like to replace indexes with myelementID but when I do so my visualization stops appearing. Is there something that I'm missing?
sourcetype="snmp_ta"
| rex "::(?\w+).\"(?\d+)\"\s=\s\"(?\w+)\"" max_match=0
| eval d=mvzip(a,b), e=mvzip(d,c)
| mvexpand e
| eval m=mvfilter(match(e, ".errorCount."))
| eval n=mvfilter(match(e, ".elementID."))
| eval indexes=mvindex(split(m,","),1), myerrorCount=mvindex(split(m,","),2), myelementID=mvindex(split(n,","),2)
| xyseries _time indexes myerrorCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like with your query , values existed on all three columns (_time, indexes and myerrorCount for | xyseries _time indexes myerrorCount and that's why it is displaying data, however when you try to run | xyseries _time indexes myelementID that does not have values in indexes where elemetnID value is present and due to that it is not generating any output.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
