Hello,
I'm receiving snmptraps from an equipement with a sequence ID at the end. The sequence ID increase at every new trap. This is normaly considered as a new field and after a while the max of field is reached and I can't store no more logs
So in my mind, I need to add a filter with a REXGEX code to delete the end of OID (the sequence ID ). Can you let me know how to do that ?
The REGEX should be .[^.]*$
Thanks
If you want to change field names using a regexp then you have to use ruby. You could try something like this (not tested):
ruby {
code => '
event.to_hash { |k, v|
if k =~ /1\.1\.1/ # I'm sure you can do better than this
newK = k.sub(/.[^.]+$/)
event.set(newK, v)
end
}
'
}© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.