Hello,
I'm trying to filter a field from an snmptrap event. As shown below, the "message" value is a single garbled blob and is not easy to parse with grok.
How can I parse it? Please advise.
GET vcenter_alarm_20190422/_search
{
"query": {
"match_all": {}
},
"size": 10,
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
],
"_source": "message"
}
The result is shown below; this is one sample from the entire output.
{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 69,
"max_score" : null,
"hits" : [
{
"_index" : "g2_vcenter_alarm_20190422",
"_type" : "_doc",
"_id" : "cwQ4Q2oBbVhBoHFXmPZY",
"_score" : null,
"_source" : {
"message" : """#<SNMP::SNMPv1_Trap:0x12b073b2 @enterprise=[1.3.6.1.4.1.6876.4.3], @timestamp=#<SNMP::TimeTicks:0x76e4342e @value=214738955>, @varbind_list=[#<SNMP::VarBind:0x6c8d4f2a @name=[1.3.6.1.4.1.6876.4.3.308.0], @value=#<SNMP::Integer:0x7d319cea @value=4>>, #<SNMP::VarBind:0x2a239226 @name=[1.3.6.1.4.1.6876.4.3.304.0], @value="Green">, #<SNMP::VarBind:0x3e683716 @name=[1.3.6.1.4.1.6876.4.3.305.0], @value="Yellow">, #<SNMP::VarBind:0x381acbee @name=[1.3.6.1.4.1.6876.4.3.306.0], @value="alarm.VsphereClientHealthAlarm - Event: Status change (2499178)\nSummary: vsphere-client status changed from green to yellow\nDate: 04/22/19 04:05:42\nArguments:\n componentId = vsphere-client\n componentName = vsphere-client\n newStatus = yellow\n oldStatus = green\n serviceId = vsphere-client\n">, #<SNMP::VarBind:0x493dd6cb @name=[1.3.6.1.4.1.6876.4.3.307.0], @value="Datacenters">], @specific_trap=203, @source_ip="172.30.119.12", @agent_addr=#<SNMP::IpAddress:0x7fb9df68 @value="\xAC\x1Ew\f">, @generic_trap=6>"""
},
"sort" : [
1555905943309
]
},