Logstash: parsing snmp traps

Hello All,

At this moment, all the traps that I receive in Logstash that have the error code are written to Elastic and to a file:
output {
  if [type] == "snmptrap" {
    elasticsearch {
      hosts => ["myhost.domain.com:9200"]
      user => "user"
      password => "pass"
      index => "logstash-snmp-%{+YYYY.MM.dd}"
    }
    # [snmp OID] stands for the field that carries the trap's status OID
    if [snmp OID] == "ERROR" {
      file {
        path => "/var/spool/logstash/snmp.log"
        codec => json_lines {}
      }
    }
  }
}

How can I parse the SNMP trap before writing it to the output file?

Thanks for your help,

You're not describing in what way you want it parsed so it's impossible to help. What do your SNMP events currently look like? How would you like them to look instead?

Hello magnus,
Thanks a lot for your response.
What I want is to write to a file ( "/var/spool/logstash/snmp.log" ) if [SNMPv2-SMI::enterprises.2.6.212.10.1.5] == "ERROR", but in a "human" language, because now, doing this:
file {
  path => "/var/spool/logstash/snmp.log"
  codec => json_lines {}
}
the file contains all the SNMP trap information with all the OIDs, and my goal is to change all the "SNMPv2-SMI::enterprises.2.6.212.10.1.X" into a string like:
filter {
  mutate {
    gsub => [
      # replace the cluster-id OID in the message field with a readable name
      "message", "SNMPv2-SMI::enterprises.2.6.212.10.1.1", "CLUSTER_ID"
    ]
  }
}

Thanks a lot for your help.

That mutate filter looks like something that could work (but you should escape the periods since they are metacharacters in regexps). What are you having trouble with?

For best results avoid describing what you want to accomplish. Show examples instead, like what an event looks like now (using a stdout { codec => rubydebug } output) and what the desired outcome is.
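Added example, not code from the thread or from the Logstash project: Logstash's mutate gsub runs on Ruby's String#gsub, so plain Ruby reproduces what the filter above would do to a trap's message field. It shows why the reply recommends escaping the periods: the unescaped OID is a regexp in which every "." is a wildcard, and nothing stops "...10.1.1" from matching the front of "...10.1.11". The OID-to-name table and the sample message are constructed; only the ...10.1.1 => CLUSTER_ID pair comes from the thread.

```ruby
# Constructed OID-to-name table; only ...10.1.1 => CLUSTER_ID is from the thread.
OID_NAMES = {
  "SNMPv2-SMI::enterprises.2.6.212.10.1.1"  => "CLUSTER_ID",
  "SNMPv2-SMI::enterprises.2.6.212.10.1.5"  => "STATUS",    # hypothetical name
  "SNMPv2-SMI::enterprises.2.6.212.10.1.11" => "NODE_NAME", # hypothetical name
}.freeze

# What the unescaped string from the question compiles to: each "." is a
# wildcard, and the pattern is free to stop inside a longer OID.
def naive_pattern(oid)
  Regexp.new(oid)
end

# Escaped pattern: Regexp.escape makes each "." literal, and the negative
# lookahead refuses a match that would end in the middle of a longer OID.
def safe_pattern(oid)
  /#{Regexp.escape(oid)}(?![\d.])/
end

# Apply every OID replacement to the message, the way mutate gsub would.
def humanize(message, escape: true)
  OID_NAMES.reduce(message) do |text, (oid, name)|
    text.gsub(escape ? safe_pattern(oid) : naive_pattern(oid), name)
  end
end

# Mirrors the conditional in the output block: only traps whose status
# OID holds "ERROR" should reach the file output.
def error_trap?(event)
  event["SNMPv2-SMI::enterprises.2.6.212.10.1.5"] == "ERROR"
end

# Constructed stand-in for a decoded trap's message field.
SAMPLE_MESSAGE = 'SNMPv2-SMI::enterprises.2.6.212.10.1.1="c01" ' \
                 'SNMPv2-SMI::enterprises.2.6.212.10.1.11="node-7" ' \
                 'SNMPv2-SMI::enterprises.2.6.212.10.1.5="ERROR"'

if __FILE__ == $PROGRAM_NAME
  puts humanize(SAMPLE_MESSAGE)                 # escaped: all three OIDs renamed
  puts humanize(SAMPLE_MESSAGE, escape: false)  # unescaped: NODE_NAME becomes CLUSTER_ID1
end
```

With escaping, the message becomes CLUSTER_ID="c01" NODE_NAME="node-7" STATUS="ERROR"; without it, the first gsub eats the front of the ...10.1.11 OID and leaves CLUSTER_ID1="node-7", which is the kind of silent mislabeling that is hard to spot once the file has only "human" names in it.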
