Own Output for SNMP Get Values in Logstash

Elastic Stack Logstash
1

Hello,

I have the following Logstash config

input {
  snmp {
    tags => [ "snmp" ]
    get => [".1.3.6.1.4.1.9.9.48.1.1.1.5.2",".1.3.6.1.4.1.9.9.109.1.1.1.1.5.1",".1.3.6.1.4.1.9.9.48.1.1.1.5.1"]
    hosts => [{host => "udp:IP/161" community => "public" version => "2c"  retries => 2  timeout => 1000}]
    tables => [ {"name" => "interfaces" "columns" => ["1.3.6.1.2.1.2.2.1.1", "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.31.1.1.1.6", "1.3.6.1.2.1.31.1.1.1.10"]}]
  }
}

filter {

split {
   field => "interfaces"
 }

mutate {
        rename => { "[interfaces][index]" => "index" }
        rename => { "[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex]" => "ifIndex" }
        rename => { "[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr]" => "ifDescr" }
        rename => { "[interfaces][iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets]" => "ifHCInOctets" }
        rename => { "[interfaces][iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets]" => "ifHCOutOctets" }
    }


mutate {
        convert => {
          "ifInOctets" => "integer"
          "ifOutOctets" => "integer"
        }
    }


mutate {
        remove_field => [ "interfaces", "@version" ]
      }
}

output {
    stdout
    {
        codec => rubydebug
    }

The config it self does work but when I run it for test, then the output from the get is added to each interface output for example:

{
                                                      "@timestamp" => 2023-07-14T20:25:24.619586115Z,
                                                           "index" => "30",
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1" => 173542416,
    "iso.org.dod.internet.private.enterprises.9.9.109.1.1.1.1.5.1" => 15,
                                                         "ifDescr" => "Virtual-Access1",
                                                    "ifHCInOctets" => 0,
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2" => 17675040,
                                                            "host" => {
        "ip" => "172.16.0.254"
    },
                                                            "tags" => [
        [0] "snmp"
    ],
                                                   "ifHCOutOctets" => 0,
                                                         "ifIndex" => 30
}
{
                                                      "@timestamp" => 2023-07-14T20:25:24.619586115Z,
                                                           "index" => "31",
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1" => 173542416,
    "iso.org.dod.internet.private.enterprises.9.9.109.1.1.1.1.5.1" => 15,
                                                         "ifDescr" => "Virtual-Access2",
                                                    "ifHCInOctets" => 195300854095,
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2" => 17675040,
                                                            "host" => {
        "ip" => "172.16.0.254"
    },
                                                            "tags" => [
        [0] "snmp"
    ],
                                                   "ifHCOutOctets" => 12702042208,
                                                         "ifIndex" => 31
}

Is there a way, that the SNMP values from the get command is wriiten only one time as own field or is this not possible and I have to create a second File with the get values?

I hope it is clear what I am trying to do.

Thank you for your help.

2

Hi,
you may use add_field in input section.

input {
  snmp {
    tags => [ "snmp" ]
    get => [
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.2",
      ".1.3.6.1.4.1.9.9.109.1.1.1.1.5.1",
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.1"
    ]
    hosts => [{ host => "udp:IP/161" community => "public" version => "2c" retries => 2 timeout => 1000 }]
    tables => [
      {
        name => "interfaces"
        columns => [
          "1.3.6.1.2.1.2.2.1.1",
          "1.3.6.1.2.1.2.2.1.2",
          "1.3.6.1.2.1.31.1.1.1.6",
          "1.3.6.1.2.1.31.1.1.1.10"
        ]
      }
    ]
    add_field => {
      "ifHCInOctets_get" => "%{iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1}"
      "ifHCOutOctets_get" => "%{iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2}"
    }
  }
}
3

Thank you for your response. I have tested it now and it seems that everything is written to one field for example for interfaces.iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets or interfaces.iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets.
I 'd like to have that this information is splitted all in their own fields because I want to visualize it then in Grafana.
I have added in Screenshot from Kiabana how it looks like with your config:

image
image2204×116 34.1 KB

I have added a Screenshot from my config how I want to have it but the values of SNMP Get is always added to each out put when the split filter is enabled.

image
image2188×217 53.6 KB

I hope it is maybe now more clear how I want that it should look like or if this is possible in one config.

Thank you.