I'm using the SNMP modular input and having problems getting it to break into multiple events. I can't seem to get line_breaker to work at all.
Here is a sample of the event data:
IF-MIB::ifInOctets."2" = "2303277645" IF-MIB::ifOutOctets."2" = "2190994307" IF-MIB::ifInOctets."3" = "0" IF-MIB::ifOutOctets."3" = "0" IF-MIB::ifInOctets."4" = "0" IF-MIB::ifOutOctets."4" = "0" IF-MIB::ifInOctets."5" = "0" IF-MIB::ifOutOctets."5" = "0" IF-MIB::ifInOctets."6" = "0" IF-MIB::ifOutOctets."6" = "0" IF-MIB::ifInOctets."7" = "0" IF-MIB::ifOutOctets."7" = "0" IF-MIB::ifInOctets."8" = "0" IF-MIB::ifOutOctets."8" = "0" IF-MIB::ifInOctets."9" = "0" IF-MIB::ifOutOctets."9" = "0" IF-MIB::ifInOctets."10" = "0" IF-MIB::ifOutOctets."10" = "0"
This goes on for a while and is all on a single line.
My props.conf looks like this:
[ciscosnmp]
DATETIME_CONFIG=CURRENT
LINE_BREAKER=(IF-MIB::if)
NO_BINARY_CHECK=1
SEDCMD-first=s/IF-MIB/\nIF-MIB/g
SHOULD_LINEMERGE=false
TRUNCATE=0
Now, the SEDCMD works appropriately and puts each event on its own line, but the LINE_BREAKER doesn't do anything. Oddly, if I paste the original event data into a text file and build the same configuration for it, it works fine.
Additionally, I can't figure out how to extract the fields. After my SEDCMD, the data looks like this:
IF-MIB::ifInOctets."2" = "3957423569"
IF-MIB::ifOutOctets."2" = "3763306785"
IF-MIB::ifInOctets."3" = "0"
IF-MIB::ifOutOctets."3" = "0"
IF-MIB::ifInOctets."4" = "0"
IF-MIB::ifOutOctets."4" = "0"
IF-MIB::ifInOctets."5" = "0"
IF-MIB::ifOutOctets."5" = "0"
Basically, Direction."(portnumber)"="bytesoftraffic"
I've tinkered with SEDCMD and can get it to look nicer, but after an entire day of messing with the field extractions, transforms, delims, fields etc. I haven't gotten it to break those lines into fields. Any help would be greatly appreciated.
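The varbind layout described in the post (object."port" = "counter"), split into per-port fields in Python. This is an added example, not part of the original post or of the SNMP modular input; the regular expression and the function names are assumptions, and the sample is the first four varbinds quoted in the question.

```python
import re

# One varbind: MIB::object."index" = "value" (pattern is an assumption
# derived from the sample in the post, not taken from the modular input).
VARBIND = re.compile(
    r'(?P<mib>[A-Za-z0-9-]+)::(?P<object>\w+)\."(?P<index>\d+)"'
    r'\s*=\s*"(?P<value>[^"]*)"'
)

# First four varbinds from the single-line payload quoted in the post.
SAMPLE = (
    'IF-MIB::ifInOctets."2" = "2303277645" '
    'IF-MIB::ifOutOctets."2" = "2190994307" '
    'IF-MIB::ifInOctets."3" = "0" IF-MIB::ifOutOctets."3" = "0"'
)


def parse_varbinds(payload):
    """Return (records, leftovers). Works on the single-line payload and on
    the one-varbind-per-line form, since separators are plain whitespace.
    leftovers holds any text the pattern did not consume, so a format
    change is noticed instead of being silently dropped."""
    records, leftovers, pos = [], [], 0
    for m in VARBIND.finditer(payload):
        gap = payload[pos:m.start()].strip()
        if gap:
            leftovers.append(gap)
        records.append(m.groupdict())
        pos = m.end()
    tail = payload[pos:].strip()
    if tail:
        leftovers.append(tail)
    return records, leftovers


def per_port(records):
    """Group counters by port number: {port: {object_name: counter}}."""
    ports = {}
    for r in records:
        value = int(r["value"]) if r["value"].isdigit() else r["value"]
        ports.setdefault(int(r["index"]), {})[r["object"]] = value
    return ports


if __name__ == "__main__":
    recs, rest = parse_varbinds(SAMPLE)
    for port, counters in sorted(per_port(recs).items()):
        print(port, counters)
    print("unparsed:", rest)
```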