Hi. I'm extracting Cisco SNMP traps (yay!) and in particular, the MAC notification MIB. I'm struggling to extract the multiple entries that can appear in the string field.
The string entry is output with no delimiters in the following tuples: Operation (2 chars), VLAN Id (4 chars), MAC (12 chars), D1BasePort Id (4 chars).
Usually we find something like this:
string=0x02003c90b11c5ec073000200
There's a single Operation ( 02 ), with one associated VLAN Id ( 003c ), one MAC ( 90b11c5ec073 ) and one baseport Id ( 0002 ) and then a terminating ( 00 ).
However, you can of course have multiple MAC change notifications per VLAN and multiple baseport ids per operation. I've read through this post and this one and unfortunately they haven't quite got it right for MAC notification MIBs because there is a one-to-many relationship between the Operation and all of the subsequent fields!
So the string field can also look like this:
string=0x01004108000f5b547e008601004108000f543a1d000401004108000f560508009301004108000f7d19a000ad00
No delimiters whatsoever between the multiple tuples - nice. I want to loop through this string and extract each of the MAC change notifications. In the above string there are four notifications:
a leading 0x , then:
01004108000f5b547e0086
01004108000f543a1d0004
01004108000f5605080093
01004108000f7d19a000ad
and lastly a terminating 00
I reckon my tokenizer should look like this (switching to bold here because the board mangles the rest of my post if I continue with the code tag!):
makemv tokenizer="([0-9a-f]{2})([0-9a-f]{4})([0-9a-f]{12})([0-9a-f]{4})" string
or actually just:
makemv tokenizer="([0-9a-f]{22})" string
This splits the long concatenated string up. However when I view the output of the following query:
index=main sourcetype="cisco:snmp" string=0x01004108000f5b547e008601004108000f543a1d000401004108000f560508009301004108000f7d19a000ad00 | makemv tokenizer="([0-9a-f]{2})([0-9a-f]{4})([0-9a-f]{12})([0-9a-f]{4})" string | mvexpand string | rex "(?<action1>[a-fA-F0-9]{2})(?<vlan_hex>[a-fA-F0-9]{4})(?<mac_address>[a-fA-F0-9]{12})(?<port_hex>[a-fA-F0-9]{4})" | table action1, vlan_hex, mac_address, port_hex
(using the above example string) I get the following:
action1 vlan_hex mac_address port_hex
01 0041 08000f5b547e 0086
01 0041 08000f5b547e 0086
01 0041 08000f5b547e 0086
01 0041 08000f5b547e 0086
So only the first entry is output. What I'd like to see is:
action1 vlan_hex mac_address port_hex
01 0041 08000f5b547e 0086
01 0041 08000f543a1d 0086
01 0041 08000f560508 0093
01 0041 08000f7d19a0 00ad
Does anyone have any ideas? Thanks and regards, Paul.
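The fixed-width layout described in the post, parsed outside Splunk as an added example (this is not Paul's SPL and not Cisco's code): it strips the 0x prefix, checks the trailing 00 terminator, and splits each 22-character tuple into its four fields. The two sample strings are the ones quoted in the post; the field widths and their meanings are taken from the post's description of the MIB, and the class and function names are mine.

```python
"""Parse concatenated MAC-notification tuples from a Cisco SNMP trap string.

Layout per tuple (hex chars, as described in the post):
  Operation (2) | VLAN Id (4) | MAC (12) | dot1dBasePort Id (4)
Tuples are concatenated with no delimiter and followed by a terminating "00".
"""
from dataclasses import dataclass
from typing import List

TUPLE_LEN = 2 + 4 + 12 + 4  # 22 hex chars per notification
HEX_DIGITS = set("0123456789abcdef")

# Sample values copied from the post (single tuple, then four tuples).
SAMPLE_SINGLE = "0x02003c90b11c5ec073000200"
SAMPLE_MULTI = ("0x01004108000f5b547e008601004108000f543a1d0004"
                "01004108000f560508009301004108000f7d19a000ad00")


@dataclass(frozen=True)
class MacNotification:
    operation: int   # raw Operation code; its meaning is defined by the MIB
    vlan: int        # VLAN Id as an integer
    mac: str         # colon-separated, lower-case
    base_port: int   # dot1dBasePort Id as an integer


def parse_mac_notifications(value: str) -> List[MacNotification]:
    """Split the trap string into one MacNotification per 22-char tuple."""
    hexstr = value.strip().lower()
    if hexstr.startswith("string="):       # tolerate the "string=" key
        hexstr = hexstr[len("string="):]
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    if not set(hexstr) <= HEX_DIGITS:
        raise ValueError("non-hex characters in notification string")
    # A well-formed string ends with a "00" terminator after the tuples.
    if len(hexstr) % TUPLE_LEN == 2:
        if hexstr[-2:] != "00":
            raise ValueError("unexpected trailer %r" % hexstr[-2:])
        hexstr = hexstr[:-2]
    if len(hexstr) % TUPLE_LEN != 0:
        raise ValueError("length %d is not a multiple of %d" % (len(hexstr), TUPLE_LEN))
    result = []
    for i in range(0, len(hexstr), TUPLE_LEN):
        t = hexstr[i:i + TUPLE_LEN]
        raw_mac = t[6:18]
        result.append(MacNotification(
            operation=int(t[0:2], 16),
            vlan=int(t[2:6], 16),
            mac=":".join(raw_mac[j:j + 2] for j in range(0, 12, 2)),
            base_port=int(t[18:22], 16),
        ))
    return result
```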