Logstash as SNMP Trap to GELF Converter, how to split message into separate fields?

Assuming that comes as a single event, you could try starting with

# Extract the varbind_list
grok { match => { "message" => "@varbind_list=\[%{GREEDYDATA:[@metadata][varbind]}\]>$" } }
# and remove it
mutate { gsub => [ "message", "@varbind_list=\[.*\]>$", "@varbind_list=[]" ] }
# Trim the leading noise
mutate { gsub => [ "message", "^#<SNMP::SNMPv2_Trap:[^ ]+ ", "" ] }
kv { source => "message" field_split => "," value_split => "=" trim_key => " " }
ruby {
    code => '
        vb = event.get("[@metadata][varbind]")
        if vb
            # Extract the name and value pairs
            matches = vb.scan(/@name=([^ ]+), @value=([^,]+)(,|$)/)
            matches.each_index { |x|
                m2 = matches[x][1].scan(/@value=([^>]+)>/)
                # Is it "@value=#<SNMP::TimeTicks:0x28115c7e @value=1578645869>>" or "@value=7920439"
                if m2[0]
                    v = m2[0][0]
                else
                    v = matches[x][1]
                end
                # Remove trailing > and surrounding double quotes
                if v =~ />$/
                    v = v.gsub(/(.*)>$/, "\\1")
                end
                if v =~ /^"(.*)"$/
                    v = v.gsub(/^"(.*)"$/, "\\1")
                end
                event.set(matches[x][0], v)
            }
            event.set("matches", matches)
        end
    '
}
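The same pipeline as a stand-alone Ruby script (an added example, not part of the answer above): it applies the grok, mutate, kv and ruby steps to a constructed trap string shaped like the snmp gem's inspect output, so the resulting fields can be checked without starting Logstash. The quote stripping only approximates the kv filter's default handling, and storing each varbind under its OID without the surrounding brackets is my choice, not something the answer specifies.

```ruby
# Constructed sample event, mimicking how the snmptrap input renders a trap.
# Not a real captured trap.
SAMPLE = '#<SNMP::SNMPv2_Trap:0x1f2a3b4c @request_id=1234, @error_status=noError, ' \
         '@error_index=0, @source_ip="192.0.2.10", @varbind_list=[' \
         '#<SNMP::VarBind:0x10 @name=[1.3.6.1.2.1.1.3.0], ' \
         '@value=#<SNMP::TimeTicks:0x28115c7e @value=1578645869>>, ' \
         '#<SNMP::VarBind:0x11 @name=[1.3.6.1.6.3.1.1.4.1.0], ' \
         '@value=[1.3.6.1.4.1.8072.2.3.0.1]>, ' \
         '#<SNMP::VarBind:0x12 @name=[1.3.6.1.4.1.8072.2.3.2.1], ' \
         '@value="link down">]>'

# Returns a Hash of field name => String value, mirroring what the Logstash
# filters in the answer would set on the event.
def parse_trap(message)
  fields = {}

  # grok: capture the varbind list into a temporary, then blank it out
  # and trim the "#<SNMP::SNMPv2_Trap:0x... " prefix (the two mutate gsubs).
  vb = message[/@varbind_list=\[(.*)\]>$/, 1]
  message = message.sub(/@varbind_list=\[.*\]>$/, "@varbind_list=[]")
  message = message.sub(/^#<SNMP::SNMPv2_Trap:[^ ]+ /, "")

  # kv: split on "," then "=", trimming spaces around the key.
  # Stripping surrounding double quotes approximates kv's default behaviour.
  message.split(",").each do |pair|
    key, value = pair.split("=", 2)
    next if value.nil?
    fields[key.strip] = value.strip.sub(/\A"(.*)"\z/, '\1')
  end
  return fields unless vb

  # ruby filter: one (name, value) pair per VarBind. A value containing a
  # comma would be cut short by this regex, exactly as in the original.
  vb.scan(/@name=([^ ]+), @value=([^,]+)(,|$)/).each do |name, value, _sep|
    # Nested form "#<SNMP::TimeTicks:0x... @value=1578645869>>" vs plain "7920439"
    inner = value[/@value=([^>]+)>/, 1]
    v = inner || value
    v = v.sub(/>\z/, "")              # trailing ">" of the VarBind inspect
    v = v.sub(/\A"(.*)"\z/, '\1')     # surrounding double quotes
    oid = name.sub(/\A\[(.*)\]\z/, '\1')  # "[1.3.6.1.2.1.1.3.0]" -> bare OID
    fields[oid] = v
  end
  fields
end

if __FILE__ == $PROGRAM_NAME
  parse_trap(SAMPLE).each { |k, v| puts "#{k} = #{v}" }
end
```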