How to parse snmptrap "message" part

Hello,

I'm trying to filter a field from snmptrap. As I posted below, the "message" value seems to be creepy and not clear to grok.

How can I parse them? Please advise.

GET vcenter_alarm_20190422/_search
{
  "query": {
    "match_all": {}
  },
  "size": 10,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "_source": "message"
}

The result is shown below. Below is one sample from the entire output.

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 69,
    "max_score" : null,
    "hits" : [
      {
        "_index" : "g2_vcenter_alarm_20190422",
        "_type" : "_doc",
        "_id" : "cwQ4Q2oBbVhBoHFXmPZY",
        "_score" : null,
        "_source" : {
          "message" : """#<SNMP::SNMPv1_Trap:0x12b073b2 @enterprise=[1.3.6.1.4.1.6876.4.3], @timestamp=#<SNMP::TimeTicks:0x76e4342e @value=214738955>, @varbind_list=[#<SNMP::VarBind:0x6c8d4f2a @name=[1.3.6.1.4.1.6876.4.3.308.0], @value=#<SNMP::Integer:0x7d319cea @value=4>>, #<SNMP::VarBind:0x2a239226 @name=[1.3.6.1.4.1.6876.4.3.304.0], @value="Green">, #<SNMP::VarBind:0x3e683716 @name=[1.3.6.1.4.1.6876.4.3.305.0], @value="Yellow">, #<SNMP::VarBind:0x381acbee @name=[1.3.6.1.4.1.6876.4.3.306.0], @value="alarm.VsphereClientHealthAlarm - Event: Status change (2499178)\nSummary: vsphere-client status changed from green to yellow\nDate: 04/22/19 04:05:42\nArguments:\n    componentId = vsphere-client\n    componentName = vsphere-client\n    newStatus = yellow\n    oldStatus = green\n    serviceId = vsphere-client\n">, #<SNMP::VarBind:0x493dd6cb @name=[1.3.6.1.4.1.6876.4.3.307.0], @value="Datacenters">], @specific_trap=203, @source_ip="172.30.119.12", @agent_addr=#<SNMP::IpAddress:0x7fb9df68 @value="\xAC\x1Ew\f">, @generic_trap=6>"""
        },
        "sort" : [
          1555905943309
        ]
      },

I am asking how to parse the "message" field's value, or for a grok pattern for it.

"message" : """#<SNMP::SNMPv1_Trap:0x12b073b2 @enterprise=[1.3.6.1.4.1.6876.4.3], @timestamp=#<SNMP::TimeTicks:0x76e4342e @value=214738955>, @varbind_list=[#<SNMP::VarBind:0x6c8d4f2a @name=[1.3.6.1.4.1.6876.4.3.308.0], @value=#<SNMP::Integer:0x7d319cea @value=4>>, #<SNMP::VarBind:0x2a239226 @name=[1.3.6.1.4.1.6876.4.3.304.0], @value="Green">, #<SNMP::VarBind:0x3e683716 @name=[1.3.6.1.4.1.6876.4.3.305.0], @value="Yellow">, #<SNMP::VarBind:0x381acbee @name=[1.3.6.1.4.1.6876.4.3.306.0], @value="alarm.VsphereClientHealthAlarm - Event: Status change (2499178)\nSummary: vsphere-client status changed from green to yellow\nDate: 04/22/19 04:05:42\nArguments:\n componentId = vsphere-client\n componentName = vsphere-client\n newStatus = yellow\n oldStatus = green\n serviceId = vsphere-client\n">, #<SNMP::VarBind:0x493dd6cb @name=[1.3.6.1.4.1.6876.4.3.307.0], @value="Datacenters">], @specific_trap=203, @source_ip="172.30.119.12", @agent_addr=#<SNMP::IpAddress:0x7fb9df68 @value="\xAC\x1Ew\f">, @generic_trap=6>"""
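As an added example (my own code, not from the original post and not the snmptrap plugin's own code), here is a Ruby parser for that "message" string. The string is the Ruby `inspect` rendering of the snmp gem's trap object, which is what the Logstash snmptrap input writes into "message"; the `0x...` object ids in it change on every event, so a grok pattern must never anchor on them, and the quoted values carry Ruby escapes (`\n`, `\xAC`, `\f`) that have to be decoded. The sample is the message from the post embedded as a constant; the output field names (`uptime_ticks`, `trap_oid`, `agent_addr_matches_source`) are my own choices, and the trap OID derivation follows the RFC 3584 SNMPv1-to-v2 mapping.

```ruby
# Added example: decode the Ruby `inspect` rendering that the Logstash snmptrap
# input stores in "message" into plain fields. The only input is SAMPLE_TRAP,
# constructed below from the message shown in the post.

# Ruby inspect escapes that appear inside the quoted values (\n, \f, \xAC ...).
ESCAPES = { 'n' => "\n", 't' => "\t", 'r' => "\r", 'f' => "\f", 'e' => "\e",
            'a' => "\a", 'b' => "\b", 'v' => "\v", '0' => "\0", 's' => ' ' }.freeze

# Turn an inspect-escaped string body back into the original bytes/characters.
def unescape(raw)
  raw.b.gsub(/\\x(\h\h)|\\(.)/) { $1 ? $1.to_i(16).chr : ESCAPES.fetch($2, $2) }
     .force_encoding(Encoding::UTF_8)
end

# A varbind value as inspect renders it: a quoted string, an integer, or an
# ObjectId rendered like the @enterprise field ([1.3.6...]).
VALUE   = /"(?:[^"\\]|\\.)*"|-?\d+|\[[\d.]+\]/
# Integer-like values are wrapped in #<SNMP::Integer:0x... @value=N>; strings are bare.
VARBIND = /#<SNMP::VarBind:0x\h+ @name=\[(?<oid>[\d.]+)\], @value=(?:#<SNMP::\w+:0x\h+ @value=(?<wrapped>#{VALUE})>|(?<bare>#{VALUE}))>/

def decode_value(raw)
  case raw
  when /\A"(.*)"\z/m  then unescape($1)
  when /\A\[(.*)\]\z/ then $1        # SNMP::ObjectId value, keep as dotted string
  else raw.to_i                      # SNMP::Integer, Counter32, Gauge32, TimeTicks ...
  end
end

# Parse one "message" string into a flat Hash suitable for event fields.
def parse_snmp_trap(message)
  trap = {
    'enterprise'    => message[/@enterprise=\[([\d.]+)\]/, 1],
    'uptime_ticks'  => message[/@timestamp=#<SNMP::TimeTicks:0x\h+ @value=(\d+)>/, 1]&.to_i,
    'generic_trap'  => message[/@generic_trap=(\d+)/, 1]&.to_i,
    'specific_trap' => message[/@specific_trap=(\d+)/, 1]&.to_i,
    'source_ip'     => message[/@source_ip="([^"]*)"/, 1],
  }
  # agent_addr is 4 raw bytes ("\xAC\x1Ew\f"), not dotted text: decode, then join the bytes.
  raw_agent = message[/@agent_addr=#<SNMP::IpAddress:0x\h+ @value="((?:[^"\\]|\\.)*)">/, 1]
  trap['agent_addr'] = raw_agent && unescape(raw_agent).bytes.join('.')
  # SNMPv1 traps are unauthenticated (the community string travels in clear text) and
  # agent_addr is whatever the sender put there, while source_ip is where the datagram
  # really came from. A mismatch means a relay/proxy or a spoofed trap: surface it.
  trap['agent_addr_matches_source'] = trap['agent_addr'] == trap['source_ip']
  # snmpTrapOID per RFC 3584: enterprise.0.specific for enterpriseSpecific(6),
  # otherwise 1.3.6.1.6.3.1.1.5.(generic+1) for coldStart..egpNeighborLoss.
  trap['trap_oid'] = if trap['generic_trap'] == 6
                       "#{trap['enterprise']}.0.#{trap['specific_trap']}"
                     elsif trap['generic_trap']
                       "1.3.6.1.6.3.1.1.5.#{trap['generic_trap'] + 1}"
                     end
  trap['varbinds'] = message.to_enum(:scan, VARBIND).map { Regexp.last_match }
                            .map { |m| [m[:oid], decode_value(m[:wrapped] || m[:bare])] }.to_h
  trap
end

# Constructed sample: the "message" value from the post, split only for readability.
SAMPLE_TRAP = [
  '#<SNMP::SNMPv1_Trap:0x12b073b2 @enterprise=[1.3.6.1.4.1.6876.4.3], ',
  '@timestamp=#<SNMP::TimeTicks:0x76e4342e @value=214738955>, @varbind_list=[',
  '#<SNMP::VarBind:0x6c8d4f2a @name=[1.3.6.1.4.1.6876.4.3.308.0], @value=#<SNMP::Integer:0x7d319cea @value=4>>, ',
  '#<SNMP::VarBind:0x2a239226 @name=[1.3.6.1.4.1.6876.4.3.304.0], @value="Green">, ',
  '#<SNMP::VarBind:0x3e683716 @name=[1.3.6.1.4.1.6876.4.3.305.0], @value="Yellow">, ',
  '#<SNMP::VarBind:0x381acbee @name=[1.3.6.1.4.1.6876.4.3.306.0], @value="alarm.VsphereClientHealthAlarm - Event: Status change (2499178)\n',
  'Summary: vsphere-client status changed from green to yellow\nDate: 04/22/19 04:05:42\nArguments:\n',
  '    componentId = vsphere-client\n    componentName = vsphere-client\n    newStatus = yellow\n',
  '    oldStatus = green\n    serviceId = vsphere-client\n">, ',
  '#<SNMP::VarBind:0x493dd6cb @name=[1.3.6.1.4.1.6876.4.3.307.0], @value="Datacenters">], ',
  '@specific_trap=203, @source_ip="172.30.119.12", ',
  '@agent_addr=#<SNMP::IpAddress:0x7fb9df68 @value="\xAC\x1Ew\f">, @generic_trap=6>',
].join.freeze

if __FILE__ == $PROGRAM_NAME
  require 'json'
  puts JSON.pretty_generate(parse_snmp_trap(SAMPLE_TRAP))
end
```

In a Logstash pipeline this would live in a `ruby` filter (the `code` or `path` option) that calls `parse_snmp_trap(event.get('message'))` and `event.set`s each key; that wiring is an assumption, not shown here. Note that the snmptrap input also sets each varbind on the event as its own field keyed by the OID string, so the per-OID values may already be there; the header fields (source_ip against agent_addr, generic/specific trap, uptime ticks) only exist inside "message", and those are what the parser recovers.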
