Getting Data In

Create cleaner snmptrapd logs

_joe
Communicator

Hello All,

I was wondering if there is a way to cleanup the key value pair logging inside of snmptrapd? I am ingesting these logs with a UF and I do not want to perform rex sed from my indexers. Thanks.

Here is my current format string

vi /etc/snmp/snmptrapd.conf
format2 Date = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\n%V\n%v\n---\n

My logs look like this:
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'....6C' = mac-address
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientByIpAddressType.0 = ipv4
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientUsername.'@&....' = name
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSSID.'@&....' = Employee
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSessionID.'@&....' = id
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'@&....' = mac

I would like them to look like this (before ingesting them into Splunk)
cldcApMacAddress = mac-address
cldcClientByIpAddressType = ipv4

If that isn't possible, I would at least like to remove the random characters (example: "@&...." and "'....6C'"). I am not sure why they are generating.

0 Karma

bgraabek_splunk
Splunk Employee
Splunk Employee

Perform the cleanup in, say, a looping script that writes the cleaned up events to a separate log file and then have the UF pick up events from that log file?

0 Karma

_joe
Communicator

I appreciate the feedback. At that point, I will just use rex mode=sed though. I would like to know if it would be possible to do this in snmptrapd since, I am assuming, that would be most efficient.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...