Mutate rename, remove does not work on fields in list

Adriann · October 22, 2020, 9:50pm

Hello,

I want to use logstash snmp walk input for fetching data from my network devices.

This is the config I use.

input {
    snmp {
        hosts => [
            {host => "udp:ip/port" community => "secret"}
        ]
        tables => [
            {
               name => "interfaces"
               columns => [
                        "1.3.6.1.2.1.2.1",
                        "1.3.6.1.2.1.2.2.1.1",
                        "1.3.6.1.2.1.2.2.1.3",
                        "1.3.6.1.2.1.2.2.1.4",
                        "1.3.6.1.2.1.2.2.1.5",
                        "1.3.6.1.2.1.2.2.1.6",
                        "1.3.6.1.2.1.2.2.1.7",
                        "1.3.6.1.2.1.2.2.1.8",
                        "1.3.6.1.2.1.2.2.1.9",
                        "1.3.6.1.2.1.2.2.1.10",
                        "1.3.6.1.2.1.2.2.1.11",
                        "1.3.6.1.2.1.2.2.1.12",
                        "1.3.6.1.2.1.2.2.1.13",
                        "1.3.6.1.2.1.2.2.1.14",
                        "1.3.6.1.2.1.2.2.1.15",
                        "1.3.6.1.2.1.2.2.1.16",
                        "1.3.6.1.2.1.2.2.1.17",
                        "1.3.6.1.2.1.2.2.1.18",
                        "1.3.6.1.2.1.2.2.1.19",
                        "1.3.6.1.2.1.2.2.1.20",
                        "1.3.6.1.2.1.31.1.1.1.1",
                        "1.3.6.1.2.1.2.1"
                        ]
            },
            {
                name => "cisco.device.system"
                columns => [
                        "1.3.6.1.2.1.2.1"
                        ]
            }

        ]
        add_field => { "host" => "%{[@metadata][host_address]}"}
        tags => ["snmp", "interface"]
    }
}

filter{
            mutate {
                    remove_field => [ "%{[cisco.device.system][index]}", "%{[interfaces][index]}", "[index]", "[interfaces][index]" ]
                    rename => { "%{[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus]}" => "interfaces.AdminStatus" }
    }
}

output {
# file {
#   path => "/etc/logstash/conf.d/tests/snmp.txt"
# }
 stdout { codec => rubydebug }
}

Output

{
    "cisco.device.system" => [
        [0] {
                                                          "index" => "0",
            "iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber" => 8
        }
    ],
                   "tags" => [
        [0] "snmp",
        [1] "interface",
        [2] "_mutate_error"
    ],
             "interfaces" => [
        [0] {
                                                          "index" => "0",
            "iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber" => 8
        },
        [1] {
                                                                                  "index" => "1",
                     "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex" => 1,
                       "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifMtu" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifPhysAddress" => "00:00:00:00:00:00",
              "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutUcastPkts" => 0,
                 "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutOctets" => 0,
                  "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInErrors" => 0,
                      "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifType" => 1,
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus" => 1,
                  "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInOctets" => 0,
                     "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifSpeed" => 0,
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInDiscards" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutDiscards" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus" => 1,
             "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutNUcastPkts" => 0,
                 "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutErrors" => 0,
            "iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName" => "Null0",
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifLastChange" => 100,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInUcastPkts" => 0,
              "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInNUcastPkts" => 0
        },
        [2] {
                                                                                  "index" => "2",
                     "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex" => 2,
                       "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifMtu" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifPhysAddress" => "00:00:00:00:00:00",
              "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutUcastPkts" => 0,
                 "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutOctets" => 0,
                  "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInErrors" => 0,
                      "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifType" => 1,
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus" => 2,
                  "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInOctets" => 0,
                     "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifSpeed" => 0,
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInDiscards" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutDiscards" => 0,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus" => 1,
             "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutNUcastPkts" => 0,
                 "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutErrors" => 0,
            "iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName" => "0",
                "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifLastChange" => 100,
               "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInUcastPkts" => 0,
              "iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInNUcastPkts" => 0
        },
],
               "@version" => "1",
             "@timestamp" => 2020-10-22T21:42:51.375Z,
                   "host" => "ip"
}

The following mutate rename and remove command as well as other things I have tried does not have any effect. How can I make It work?

Adriann · October 22, 2020, 11:04pm

Ok so this worked

            rename => { "[interfaces][8][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus]" => "AdminStatus" }

and return

  ],
             "@timestamp" => 2020-10-22T23:02:21.979Z,
            "AdminStatus" => 1,

But is there a way I would not have to hard code this for every device or write some script to this for me. Also, I want to post every set of fields from list as a seperate document. How can I do this?

Adriann · October 22, 2020, 11:18pm

Ok so I have found my solution.

This works as I want.

filter{
        split {
                field => "interfaces"
        }

        mutate {
                remove_field => [ "[cisco.device.system][index]", "[interfaces][index]"]
                rename => { "[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus]" => "interface.AdminStatus" }
        }
}

system · November 19, 2020, 11:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to remove document I logstash pipilnie that has no usefull fields Logstash	9	419	November 23, 2020
Own Output for SNMP Get Values in Logstash Logstash	3	407	August 13, 2023
Help with filter/mutate, replace netflow snmp field Logstash	1	501	April 24, 2019
Logstash SNMP input error Logstash	2	449	April 20, 2022
Custom Logstash pipeline configuration file Logstash	6	504	November 13, 2020

Mutate rename, remove does not work on fields in list

Related topics