How to process/filter output from SNMP input plugin for logstash

gasparuben · July 1, 2020, 10:43pm

hi, I am retrieving SNMP data from our webcast servers. I would like to know how to process the results in a filter stage in logstash e.g

    {
          "httpClientCountGetUserQueryStr.1.1.1.1.3" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
                                          "@version" => "1",
        "httpClientCountGetUserQueryStr.1.1.1.1.144" => "liveoutside/1234_camera_720p/playlist.m3u8",
                                            "fields" => {
            "document_type" => "wowzasnmp"
        },
          "httpClientCountGetIsFirstChunk.1.1.1.1.3" => "118.185.62.42",
                                        "@timestamp" => 2020-07-01T22:28:48.704Z,
        "httpClientCountGetIsFirstChunk.1.1.1.1.144" => "118.141.203.207"
    }

I could have a big number of httpClientCountGetIsFirstChunk & httpClientCountGetUserQueryStr not always in a 1 to 1 relationship as a client could demand several streams from the server.

Just for completeness this is how I collect data:

    input {
            snmp {
                     walk => [".1.3.6.1.4.1.46706.100.70.1.1.1.5",".1.3.6.1.4.1.46706.100.70.1.1.1.28"]
                     hosts => [{host => "udp:wowzaqa.domain.com/1611" community => "public" version => "2c"  retries => 2  timeout => 1000}]
                     mib_paths => ["/usr/share/snmp/mibs/WOWZASTREAMINGENGINE.dic"]
                     oid_path_length => 6
                     add_field => {"[fields][document_type]" => "wowzasnmp"}
            }
    }

Thank you

Badger · July 1, 2020, 10:59pm

That really depends on what output you want.

gasparuben · July 2, 2020, 8:01am

Indeed I didnt explain. What I need to do is to parse the streams and get for example: for liveoutside/1234_camera_720p/playlist.m3u8 two fields appname: liveoutside and streamname:1234_camera. Then I need to group the different IP's that are connected to each pair streamname and appname. In the example it would be 2 IP for just one pair. But I could have a variety of results e.g.

{
                                      "@version" => "1",
    "httpClientCountGetIsFirstChunk.1.1.1.1.158" => "188.189.117.200",
    "httpClientCountGetUserQueryStr.1.1.1.1.155" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
    "httpClientCountGetUserQueryStr.1.1.1.1.158" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
                                        "fields" => {
        "document_type" => "wowzasnmp"
    },
    "httpClientCountGetIsFirstChunk.1.1.1.1.159" => "188.189.117.200",
      "httpClientCountGetIsFirstChunk.1.1.1.1.3" => "188.189.64.42",
    "httpClientCountGetIsFirstChunk.1.1.1.1.155" => "188.189.117.200",
                                    "@timestamp" => 2020-07-01T22:31:48.773Z,
    "httpClientCountGetIsFirstChunk.1.1.1.1.157" => "188.189.117.200",
      "httpClientCountGetUserQueryStr.1.1.1.1.3" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
    "httpClientCountGetIsFirstChunk.1.1.1.1.156" => "188.189.117.200",
    "httpClientCountGetUserQueryStr.1.1.1.1.156" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
    "httpClientCountGetUserQueryStr.1.1.1.1.144" => "liveoutside/1234_camera_720p/playlist.m3u8",
    "httpClientCountGetUserQueryStr.1.1.1.1.159" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
    "httpClientCountGetUserQueryStr.1.1.1.1.157" => "liveoutside/smil:1234_camera_all.smil/playlist.m3u8",
    "httpClientCountGetIsFirstChunk.1.1.1.1.144" => "128.171.209.207"
}

Thank you

Topic		Replies	Views
Custom Logstash pipeline configuration file Logstash	6	551	November 13, 2020
Custom Logstash snmp plugin pipeline approach Logstash	2	468	November 10, 2020
Extract SNMP table from "SNMP input plugin" with key-value or Split filter Logstash	2	2069	April 16, 2020
How to apply a filter by "String in field" Logstash	1	256	May 24, 2019
Logstash snmp output Logstash	5	969	June 24, 2020

How to process/filter output from SNMP input plugin for logstash

Related topics