Logstash: SNMP Poll Input - skipping "error: no such.."

erikg · November 13, 2023, 6:11pm

Hello,
I am using SNMP poll input for logstash.
Using SNMP V3, I have a wide range of network devices to monitor which means many oids that are specific by vendor.

I want to know if there is a way to skip oids in which they return "error: no such instance currently exists at this OID".
The reason why I would like to skip is that the oid might apply to one host but not the other. I have many oids, doing this would be a lot of work for every field:

if [snmp][cpu_total_pct] == "error: no such instance currently exists at this OID\" {  
  mutate {
    remove_field => ["[snmp][cpu_total_pct]"]
  }
}

Wondering if someone might have a better approach to skip oids returning "error.." or a way to remove fields with out having to specify each field, just the value

Badger · November 13, 2023, 10:51pm

You could try something like

    ruby {
        code => '
            snmp = event.get("snmp")
            if snmp
                snmp.each { |k, v|
                    if v =~ /error: no such instance currently exists at this OID/
                        event.remove("[snmp][#{k}]")
                    end
                }
            end
        '
    }

erikg · November 13, 2023, 10:59pm

Thanks it works! You're a ruby master. Badger!

system · December 11, 2023, 11:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.