Solved: field extraction help

hello_world15 · ‎05-23-2012

Hi All,

I am a newbie on splunk and I have the following events:

IF-MIB::ifInOctets.502 = Counter32: 675328773

IF-MIB::ifInOctets.501 = Counter32: 407638105

And would like to extract the info like this.
key=ifInOctets.502, value=675328773
key=ifInOctets.501, value=407638105

what should I configure in transforms.conf? Thanks for your help.

Ayn · ‎05-23-2012

Assuming that the leading "IF-MIB::" and the string "Counter32:" are constant for all events you want to extract this from, put something like this in transforms.conf:

[extract_snmp]
REGEX = IF-MIB::(\S+) = Counter32: (\d+)
FORMAT = $1::$2

Then refer to it like this in props.conf:

[yoursourcetype]
REPORT-snmpextract = extract_snmp

View solution in original post

hello_world15 · ‎05-25-2012

Thanks alot.

Ayn · ‎05-23-2012

Assuming that the leading "IF-MIB::" and the string "Counter32:" are constant for all events you want to extract this from, put something like this in transforms.conf:

[extract_snmp]
REGEX = IF-MIB::(\S+) = Counter32: (\d+)
FORMAT = $1::$2

Then refer to it like this in props.conf:

[yoursourcetype]
REPORT-snmpextract = extract_snmp

Ayn · ‎05-25-2012

No problem. Could you please mark my answer as accepted if this solved your issue? Thanks!

Ayn · ‎05-24-2012

Something like this should work (and be more generic):

IF-MIB::(\S+) = [^:]+: (\S+)

hello_world15 · ‎05-24-2012

Thanks alot.

One stupid question: how can I modify the REGEX to match this also.

IF-MIB::ifDescr.501 = STRING: ge-0/0/0

Thanks alot.

field extraction help

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms